Posqure documentation
Everything you need to connect your Google Workspace, read your results, and prove you're secure.
What is Posqure
Posqure is a read-only security assessment for Google Workspace. Connect it (read-only — it can never change anything), and in ~2 minutes it returns a risk score, a ranked list of problems, and a plain-English fix for each. It also maps your findings to SOC 2, GDPR and ISO 27001 controls so you can prove your posture to auditors and customers.
You need a Google Workspace (a company on its own domain, managed at admin.google.com) and to be a Workspace admin. A personal @gmail.com account is not a Workspace and can't be scanned.
Getting started
- Create an account at /signup and verify your email.
- Go to Connect → "Connect read-only with Google" and approve the read-only access (as a Workspace admin).
- Posqure runs your first scan and opens your dashboard.
- No Workspace handy? See a full live demo report.
Connecting your Google Workspace
Who can connect. The person connecting must be a Google Workspace super-admin (or a delegated admin with security privileges). The scan reads org-wide directory and audit data that only admins can see.
What we request. A single read-only OAuth grant. Every scope ends in .readonly — directory (users, admin status, 2-Step Verification, last login), domain settings, org units, and the Reports audit log (for third-party app grants). A guard in our code refuses to start if a non-read-only scope is ever added.
What happens. After you approve, we exchange a refresh token (encrypted at rest with AES-256-GCM), run your first scan in memory, and store only the resulting findings. Disconnecting from Settings deletes the token immediately.
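As an added illustration (not Posqure's own code), here is how a read-only scope guard can be enforced at both points where it matters: on the requested scope list before the OAuth flow starts, and on the `scope` field of the token response after the grant, since RFC 6749 §5.1 allows the server to issue a narrower (or different) scope set than requested. The scope URLs are real Google Admin SDK read-only scopes, but which ones Posqure requests is an assumption, and the token response below is constructed.

```python
GOOGLE_SCOPE_PREFIX = "https://www.googleapis.com/auth/"

# Assumed allowlist: real Google Admin SDK scopes, but the exact set a scanner
# requests is an assumption for this example.
REQUESTED_SCOPES = (
    GOOGLE_SCOPE_PREFIX + "admin.directory.user.readonly",
    GOOGLE_SCOPE_PREFIX + "admin.directory.orgunit.readonly",
    GOOGLE_SCOPE_PREFIX + "admin.directory.domain.readonly",
    GOOGLE_SCOPE_PREFIX + "admin.reports.audit.readonly",
)


class ScopeViolation(Exception):
    """Raised when a scope could grant more than read access."""


def is_read_only(scope):
    """A scope passes only if it is a Google API scope URL ending in .readonly."""
    return scope.startswith(GOOGLE_SCOPE_PREFIX) and scope.endswith(".readonly")


def assert_read_only(scopes):
    """Guard run at startup: refuse to proceed if any scope is not read-only."""
    bad = [s for s in scopes if not is_read_only(s)]
    if bad:
        raise ScopeViolation(f"non-read-only scope(s): {bad}")
    return tuple(scopes)


def check_granted_scopes(token_response, requested=REQUESTED_SCOPES):
    """Guard run after the token exchange.

    The space-delimited `scope` field may be omitted when it equals the request
    (RFC 6749 §5.1); otherwise it lists what was actually granted. Anything
    non-read-only or outside the allowlist is a hard failure. Returns the sorted
    list of requested scopes the admin did not grant (the scan can then mark the
    dependent checks "not assessed" instead of failing).
    """
    if "scope" not in token_response:
        return []
    granted = set(token_response["scope"].split())
    assert_read_only(granted)
    extra = granted - set(requested)
    if extra:
        raise ScopeViolation(f"granted scope(s) outside allowlist: {sorted(extra)}")
    return sorted(set(requested) - granted)


# Constructed sample token response: the admin granted only two of four scopes.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "ya29.CONSTRUCTED", "token_type": "Bearer", "expires_in": 3599,
    "refresh_token": "1//CONSTRUCTED",
    "scope": REQUESTED_SCOPES[0] + " " + REQUESTED_SCOPES[3],
}
```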
Re-scanning. Run a manual scan anytime; Team and Pro plans also re-scan daily and email you the moment new high/critical risk appears.
What we check (10)
Every scope we request ends in .readonly. The current checks:
- Admins without 2-Step Verification · Critical
- Too many super-admins · High
- 2-Step Verification not enforced org-wide · High
- Stale admin accounts · High
- Unrestricted external file sharing · High
- Third-party apps with high-risk access · High
- Admins with weak account recovery · Medium
- Suspended accounts not cleaned up · Low
- Weak password policy · Medium
- Legacy authentication enabled · High
A few Google settings (password policy, Drive sharing, legacy auth) have no read-only API, so on live scans we honestly mark them "not assessed" rather than guess.
Score & grades
Findings are weighted by severity into a 0–100 score and a letter grade: A (90+), B (75+), C (60+), D (40+), F below. Re-scan after fixing to watch it climb.
Remediation tracking
On a paid plan, each finding has a status you can cycle through — To fix → In progress → Resolved. The dashboard shows a progress bar, and your progress is saved per organization (it survives re-scans), so your whole team can work through the fixes.
Compliance mapping
Team and Pro plans map every finding to the controls auditors ask about — SOC 2 (Common Criteria), GDPR (Art. 32, 5, 25) and ISO 27001 (Annex A). You see "N controls at risk" per framework, and Pro/Team can export an audit-ready compliance evidence PDF.
Plans
Security & privacy
Read-only by design. Every Google scope ends in .readonly, enforced in code — we cannot modify your account. We store only findings (e.g. "3 admins without 2SV"), never your emails, files, or directory. Refresh tokens are encrypted (AES-256-GCM). Read our Privacy Policy and Terms.