One read-only grant. We read your configuration to assess it — and we literally cannot change anything, because we never request write access.
Read-only
Every scope we request ends in .readonly. No exceptions.
Encrypted
Your refresh token is encrypted with AES-256-GCM at rest.
Minimal storage
We store findings (e.g. “3 admins without 2SV”), not your directory.
We're finalising Google's security verification. During this period only approved testers can connect a live Workspace — if you hit a Google "access" screen, that's why. Meanwhile, see a full live demo report.