Security

Protecting your users & data for Google Workspace extensions

This page answers your security questions related to the use of Google Workspace extensions. Still have security questions? Contact us; the answer might be added to this page.

Manage the Workspace Marketplace store

The first recommendation is to configure your Google Workspace domain to allow only approved 3rd party applications from the Google Workspace Marketplace. To do so, go in your Google Admin console (at admin.google.com) to Apps > Google Workspace Marketplace apps and select the option "Allow users to install and run only selected apps from the Marketplace". This ensures that users can only install applications that the Google admin has approved.

The Google Workspace Marketplace also offers you the ability to create an application store for your users at the URL https://workspace.google.com/marketplace/mydomainapps. This page will show only apps that you want to promote to your users. See also the tip further below.

HOW TO EVALUATE MARKETPLACE APPS / ADD-ONS / CHATBOTS

Before you deploy a Google Workspace extension in your Google domain, it is recommended to check the Google Workspace admin help page "Evaluate a marketplace app's security" and the list below for a bit more practical guidance. The pre-deployment checklist below contains best practice tips and guidance for Google Workspace extension deployment.

  • API Scope

Check the API scope that the 3rd party wants to access. Evaluate whether it is reasonable for the functionality that the application offers. If the application should just work on spreadsheet data, the scope to access 3rd party web services should not be necessary. The Gmail scope should not be necessary either for an application that just processes data in your spreadsheet. A common issue in Google Workspace add-ons is that the API scope requests access to ALL files (e.g. all spreadsheets) in Google Drive, while access to a specific file type (e.g. the spreadsheet in use) should be sufficient, and actually just the file that is opened with the spreadsheet. If you have questions about the scopes of the application, reach out to the supplier's support. In the API scope review, use the Google add-on scopes and the OAuth API verification FAQs as reference.

  • Supplier name

Check who is delivering the application. If the application is offered by "abc.hacker@gmail.com" you should have some doubts. A trustworthy company name (e.g. Salesforce) should give you more comfort.

  • Privacy statement

Every application on the Google Workspace marketplace (web application, add-on, chatbot) comes with a privacy statement of the supplier. That is a mandatory item for everyone who wants to publish an item on the Google Workspace marketplace. Check this document. Some collaboration with your legal team or GDPR team might be applicable.

  • Support process

Check the support options. You might not need support yet, but when someone runs into trouble using this 3rd party application, you need to know where you can obtain it. Also check the latest release date: is the add-on still managed by the provider? Some add-ons are not actively managed by their supplier. You might want to contact the developer, just to check the response time and the support options.

  • Reviews

Look at the review section, especially the negative reviews, and see if the supplier posted a reaction.
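
For the API scope item in the checklist above, the review can be written down as a small triage script. This is an added example, not code from Google or from the add-on supplier; the helper names and the sample request are constructed, and it assumes an add-on that should only process the spreadsheet it is opened in.

```python
# Added example: triage the scopes shown on a listing or consent screen for
# an add-on that should only process the spreadsheet it is opened in.
P = "https://www.googleapis.com/auth/"

# Scopes reaching ALL files of a type -> narrower scope to ask the supplier about.
BROAD_TO_NARROW = {
    P + "spreadsheets": P + "spreadsheets.currentonly",
    P + "drive": P + "drive.file",
    P + "drive.readonly": P + "drive.file",
}
# Scopes a sheet-only tool should not need, per the checklist item above.
UNRELATED = {
    P + "script.external_request": "can send data to 3rd party web services",
    "https://mail.google.com/": "full Gmail access",
    P + "gmail.readonly": "reads the user's mail",
}
# Scopes limited to the open file, files the app created/opened, or add-on UI.
NARROW = {P + "spreadsheets.currentonly", P + "drive.file", P + "script.container.ui"}

RANK = {"question": 0, "too-broad": 1, "unknown": 2, "ok": 3}

def review_scopes(requested):
    """Return (verdict, scope, note) tuples, most concerning first."""
    findings = []
    for scope in dict.fromkeys(s.strip() for s in requested):  # de-duplicate, keep order
        if scope in UNRELATED:
            findings.append(("question", scope, UNRELATED[scope]))
        elif scope in BROAD_TO_NARROW:
            note = "all files; ask why " + BROAD_TO_NARROW[scope] + " is not enough"
            findings.append(("too-broad", scope, note))
        elif scope in NARROW:
            findings.append(("ok", scope, "limited to the open file, app-opened files, or add-on UI"))
        else:
            findings.append(("unknown", scope, "look up in the add-on scopes reference"))
    return sorted(findings, key=lambda f: RANK[f[0]])

# Constructed request, as it might be copied from a listing.
SAMPLE = [
    P + "script.container.ui",
    P + "spreadsheets",
    P + "script.external_request",
    P + "userinfo.email",
]

if __name__ == "__main__":
    for verdict, scope, note in review_scopes(SAMPLE):
        print(f"{verdict:10} {scope}  ({note})")
```

The "question" and "too-broad" rows are the ones to raise with the supplier's support before approving the add-on.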

GOOGLE VETTING

Extensions are vetted by Google. During the (public) publication process, Google will check the extension for any misuse or abuse. If Google discovers that the add-on is against their policy, they don't publish the extension.

In general, the advice is: don't use add-ons that are not vetted by Google. Our add-ons have all passed the Google vetting procedure.

Workspace Marketplace for your users

For most (if not all) organizations it is advised to create a section "<your organisation> apps" in the Google Workspace Marketplace. That way, users can easily find the add-ons that are recommended (and safe) to use in your organization. See your current list of approved extensions at the URL https://workspace.google.com/marketplace/mydomainapps.

See the Google Workspace Admin Help on how to implement a recommended section for your company in the Google Workspace marketplace.

DATA ACCESS APPROVAL: USER VS DOMAIN LEVEL

When an add-on is installed by the user, a consent screen will show which add-on is installed, who the developer is, and which APIs are used to access your data. In other words, it will show which data is shared with this developer.

Every user should carefully inspect which authorization the add-on will have over your data and review the privacy policy of the developer. For add-ons which you trust in your domain you may not want to show this consent screen to every user. As a Google admin you can approve the add-on on the domain level of your Google Workspace domain. The main advantage of this is that users don't have to accept the consent screen. This will give a smoother experience and clearly shows that the usage of the add-on is accepted in your organisation.

ALLOWLIST / BLOCKLIST

In the Google admin panel the Google administrator can either allow or block certain Google Workspace Marketplace extensions, add-ons or chat bots. For more information, some helpful Google Workspace admin articles are:

MONITORING

In the Google admin console, the authorized Google Workspace administrator can see (and get alerts on) users authorizing 3rd parties by going to "Reports". In the Reports screen, select the item "Token" in the Audit section.

You can see who has recently authorized any add-on, and you can easily set up an alert via this page.
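
The same check can be run over exported token audit events. This is an added example, not Google's or the page author's code: the events, client IDs and function names are constructed, and the field names (`authorize`, `client_id`, `app_name`, `scope`) are an assumption modeled on the token audit log, so compare them with your own export before relying on it.

```python
# Added example: find "authorize" events for apps that are not on the
# admin-approved list. Event layout and all values below are constructed.
APPROVED_CLIENT_IDS = {"approved-client.example"}  # placeholder ID

SCOPE = "https://www.googleapis.com/auth/"
ACTIVITIES = [  # constructed sample of token audit events
    {"id": {"time": "2024-01-10T09:00:00Z"}, "actor": {"email": "ann@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "approved-client.example"},
         {"name": "app_name", "value": "Approved Sheets Tool"},
         {"name": "scope", "multiValue": [SCOPE + "spreadsheets.currentonly"]}]}]},
    {"id": {"time": "2024-01-10T09:05:00Z"}, "actor": {"email": "bob@example.com"},
     "events": [{"name": "authorize", "parameters": [
         {"name": "client_id", "value": "unknown-client.example"},
         {"name": "app_name", "value": "Free Mail Merge"},
         {"name": "scope", "multiValue": ["https://mail.google.com/", SCOPE + "drive"]}]}]},
    {"id": {"time": "2024-01-10T09:30:00Z"}, "actor": {"email": "bob@example.com"},
     "events": [{"name": "revoke", "parameters": [
         {"name": "client_id", "value": "unknown-client.example"}]}]},
]

def params(event):
    """Flatten the name/value parameter list of one event into a dict."""
    return {p["name"]: p.get("multiValue", p.get("value"))
            for p in event.get("parameters", [])}

def unapproved_authorizations(activities, approved):
    """Return one alert per authorize event whose client is not approved."""
    alerts = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue  # revocations and other events are not grants
            p = params(ev)
            if p.get("client_id") in approved:
                continue  # a missing client_id is never approved, so it alerts
            alerts.append({
                "time": act.get("id", {}).get("time"),
                "user": act.get("actor", {}).get("email"),
                "app": p.get("app_name"),
                "client_id": p.get("client_id"),
                "scopes": p.get("scope") or [],
            })
    return alerts

if __name__ == "__main__":
    for alert in unapproved_authorizations(ACTIVITIES, APPROVED_CLIENT_IDS):
        print(alert)
```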

See Google Workspace admin help:

PUBLIC (MARKETPLACE) VS PRIVATE (INTERNAL) ADD ON

You can either take an add-on from the Google Workspace Marketplace or develop your own add-on and publish it only in your Google Workspace domain. The big difference is that you don't have insight into the code of an add-on you acquired on the Google Workspace Marketplace. When you use an add-on from the Google Workspace Marketplace you have to trust that the 3rd party is trustworthy. When you develop your own add-on (or ask a developer to do so), you own the code, you publish the code in your Google Workspace domain and you maintain the code. This means you are fully aware of what the add-on does with your data, and you are fully responsible for keeping the add-on up to date and handling service requests.

Our add-ons are offered via the Google Workspace Marketplace; however, if required, you can obtain a copy and deploy your copy within your Google Workspace domain. You need to pay a domain licence price for the add-on. See pricing.

3RD PARTY SECURITY TOOLS

Third party access to Google Workspace can be very well controlled via the Google Admin options (in our opinion). However, if you feel more comfortable using a 3rd party tool for security insights, see some options below:

Additional security resources

As you made it to the last part of the page, you are likely very interested in the Google Workspace security topic. For more reading, see the list of Google resources below: