Security

We connect to your Google Workspace to provision new users on your behalf. This page is the source of truth for exactly what we ask for and what we do with it.

OAuth scopes we request

• https://www.googleapis.com/auth/admin.directory.user
• https://www.googleapis.com/auth/admin.directory.domain.readonly

admin.directory.user is the minimum scope to create a user in your Workspace. domain.readonly is used to confirm which domain we are working with on first connect.

What we do not do

• We do not read existing user data in your Workspace.
• We do not modify or delete existing users.
• We do not store your access or refresh tokens in plaintext (encrypted at rest, Laravel encrypted casts).
• We do not share, sell, or transmit Workspace data outside of MailProvision's own infrastructure.

Data we keep

• Your account: email, hashed password.
• Per Workspace: domain, encrypted OAuth tokens, configuration (email format, spend cap, accent color).
• Per provisioning: name and recovery email the end-user submitted, plus the email address we created.

Subprocessors

• Laravel Cloud (hosting + Postgres).
• Stripe (subscription billing).
• Resend (transactional email).
• Google (workspace API).

Pilot disclosure

MailProvision is currently in Google's OAuth verification process. During this period the consent screen displays an "unverified app" warning. We are working through Google's review queue and will update this page when verification is complete.