← Back to the Procurement Trust Center

Google Workspace Connector

Public connector disclosure

Custodia, LLC · BidFedCMMC platform

This page describes, in plain language and in full, what the BidFedCMMC Google Workspace connector does with your Google user data. We publish it so that your IT team, your leadership, and your assessor can verify the connector before anyone consents to it.

1. What the connector does

The connector pulls read-only configuration evidence from your Google Workspace tenant to document CMMC safeguarding requirements: your user roster (who has an account, who is an administrator, whether 2-Step Verification is enrolled and enforced) and recent Admin console audit events (proof that administrative activity is being logged). Each pull is saved as a timestamped evidence snapshot in your workspace. The connector never changes anything in your tenant; every call it makes is a read.

2. The exact OAuth scopes we request

We request exactly two read-only scopes, and nothing more:

  • https://www.googleapis.com/auth/admin.directory.user.readonly: read your user roster, including administrator flags and each user's 2-Step Verification status.
  • https://www.googleapis.com/auth/admin.reports.audit.readonly: read Admin console audit events (who did what in the admin console, and when).

3. The exact endpoints we call

The connector calls two Google Admin SDK endpoints, both reads:

  • GET admin/directory/v1/users: the user roster for your own tenant only.
  • GET admin/reports/v1/activity/users/all/applications/admin: the most recent Admin console audit events (a single bounded page).

4. What the connector can never see

The two scopes above do not grant access to content. The connector cannot read mail contents, Drive files, calendars, chat messages, or any personal communications. It sees directory and audit metadata only.

5. Who can authorize it

Connecting requires consent from a Google Workspace Super Admin in your own organization. The connector is scoped to that admin's tenant, so each organization can only ever see its own data.

6. How the data is protected

  • Evidence snapshots are encrypted with AES-256-GCM under a per-tenant key wrapped by a platform key backed by AWS Key Management Service (KMS), and stored in private (non-public) storage.
  • OAuth tokens are encrypted with AES-256-GCM at rest and are never exposed to the browser.
  • Every snapshot records a SHA-256 hash of the raw bytes at pull time, so an assessor can recompute the hash and prove the evidence has not been altered since the connector wrote it.

7. Google user data and AI

Google user data obtained through the connector is not transferred to any third-party AI service and is not used to train AI or machine-learning models. Connector-pulled evidence is verified by checksum and endpoint provenance; it is never sent to the AI reviewer that screens manually uploaded files.

8. What happens when you disconnect

When you disconnect, we attempt revocation of the token at Google's OAuth revocation endpoint and delete the stored token ciphertext immediately. Disconnecting stops all future pulls. Evidence snapshots already pulled remain in your workspace as part of your compliance record until you delete them; you can delete any snapshot at any time. You can also revoke the connector's access from the Google Admin console at any time.

9. Google API Services User Data Policy

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

10. Related documents