Security & Privacy

Your data security is our first priority

GA4 Audits was designed from the ground up with security as a foundational requirement. Here is exactly how we protect your data at every layer.

  • SOC 2-Ready Architecture
  • AES-128 Encryption
  • TLS 1.3 In Transit
  • Read-Only Access
  • Cloud Run Isolation
  • Supabase RLS Data Boundaries

Read-Only Access

We request only the analytics.readonly OAuth scope. GA4 Audits physically cannot modify your property settings, create or delete events, change audiences, or alter any configuration. Our API calls are limited to GET requests against the GA4 Admin and Data APIs.

  • analytics.readonly OAuth scope only
  • No write permissions requested or possible
  • Cannot modify property settings or events
  • Verified through Google's scope enforcement

OAuth 2.0 Authentication

We use Google's OAuth 2.0 authorization code flow with PKCE. Your Google password is never shared with us. Authentication is handled entirely by Google's identity platform, and we only receive a scoped access token.

  • Authorization code flow with PKCE
  • Your password never touches our servers
  • Tokens automatically expire after 1 hour
  • Refresh tokens stored with Fernet encryption

Encrypted Token Storage

OAuth refresh tokens are encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256). Encryption keys are managed through environment variables, never committed to source control, and rotated regularly.

  • Fernet symmetric encryption (AES-128-CBC)
  • HMAC-SHA256 for token integrity verification
  • Encryption keys stored in environment variables
  • Tokens never logged or stored in plaintext
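
An added example, not GA4 Audits' code: how a Fernet token is authenticated with HMAC-SHA256 before any AES-128-CBC decryption, and how a rotated key list is tried newest first. The TOKEN_FERNET_KEYS variable name, the demo keys and the random bytes standing in for ciphertext are assumptions constructed for illustration.

```python
import base64, hashlib, hmac, os, struct

VERSION = 0x80  # version byte defined by the Fernet spec

def split_key(b64_key):
    """32-byte key: first 16 bytes sign (HMAC-SHA256), last 16 encrypt (AES-128)."""
    raw = base64.urlsafe_b64decode(b64_key)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]

def load_keys(var="TOKEN_FERNET_KEYS"):
    """Read comma-separated Fernet keys, newest first (variable name is hypothetical)."""
    return [split_key(k) for k in os.environ[var].split(",")]

def seal(signing_key, iv, ciphertext, issued_at):
    """Build version | timestamp | IV | ciphertext, then append the HMAC over all of it."""
    body = struct.pack(">BQ", VERSION, issued_at) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

def authenticate(token, keys, now, ttl):
    """Return the index of the key whose HMAC matches; reject before any decryption."""
    data = base64.urlsafe_b64decode(token)
    body, tag = data[:-32], data[-32:]
    # 1 version + 8 timestamp + 16 IV = 25 header bytes, then whole AES blocks.
    if len(body) < 41 or (len(body) - 25) % 16 or body[0] != VERSION:
        raise ValueError("malformed token")
    for index, (signing_key, _enc_key) in enumerate(keys):
        expected = hmac.new(signing_key, body, hashlib.sha256).digest()
        if hmac.compare_digest(tag, expected):  # constant-time comparison
            issued_at = struct.unpack(">Q", body[1:9])[0]
            if now - issued_at > ttl:
                raise ValueError("token expired")
            return index  # index > 0: token should be re-encrypted under keys[0]
    raise ValueError("signature mismatch")

# Constructed sample: two fixed demo keys and random bytes standing in for AES-CBC output.
OLD_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()
NEW_KEY = base64.urlsafe_b64encode(bytes(range(32, 64))).decode()
os.environ.setdefault("TOKEN_FERNET_KEYS", NEW_KEY + "," + OLD_KEY)
KEYS = load_keys()
SAMPLE = seal(KEYS[1][0], os.urandom(16), os.urandom(32), issued_at=1_700_000_000)

if __name__ == "__main__":
    print("authenticated by key", authenticate(SAMPLE, KEYS, now=1_700_000_060, ttl=3600))
```

A result greater than 0 means the token was sealed under an older key and is due for re-encryption under the newest one.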

No Raw Data Retention

We query your GA4 API to run our 213 checks and discard the raw analytics data immediately after processing. We only persist audit results: check statuses, scores, and recommendations. Your visitor-level data never leaves Google's infrastructure.

  • Raw API data discarded after processing
  • Only audit results persisted (pass/fail/scores)
  • No visitor-level data stored
  • No PII collected or retained

HTTPS Only

All communication between your browser, our API, and Google's APIs is encrypted in transit using TLS 1.3. HTTP Strict Transport Security (HSTS) headers prevent protocol downgrade attacks. All API endpoints enforce HTTPS.

  • TLS 1.3 for all data in transit
  • HSTS headers on all endpoints
  • Certificate pinning for Google API calls
  • No plaintext HTTP endpoints

Cloud Run Isolation

Our backend runs on Google Cloud Run, which provides container-level isolation. Each request is handled in an isolated container instance with no shared state. Containers are ephemeral and destroyed after processing.

  • Container-level process isolation
  • No shared state between requests
  • Ephemeral containers destroyed after use
  • Google Cloud's enterprise security standards

Supabase Row-Level Security

All database access is governed by Supabase Row-Level Security (RLS) policies. Users can only read and modify their own data. Even if an API vulnerability were exploited, RLS ensures data boundaries are enforced at the database level.

  • RLS policies on every table
  • Users can only access their own data
  • Database-level enforcement (not just API)
  • Policies audited and tested regularly

Revoke Anytime

You can disconnect your Google account at any time from your GA4 Audits dashboard or directly from Google at myaccount.google.com/permissions. Upon revocation, we immediately delete your encrypted tokens and lose all access to your GA4 data.

  • One-click disconnect from dashboard
  • Revoke directly from Google account
  • Tokens deleted immediately upon revocation
  • All cached audit data purged within 24 hours

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@ga4auditor.com. We take every report seriously and will respond within 24 hours.
