Google connection security
ReportFlow requests read-only access for Google Search Console and Google Analytics 4. It does not request permission to edit websites, Analytics settings, advertising accounts, or Search Console configuration.
- OAuth access and refresh tokens are encrypted before database storage.
- Tokens remain server-side and are never returned to the browser.
- Users can disconnect either Google service from a project.
- Selected properties are scoped to the authorized workspace and project.
Application safeguards
ReportFlow uses authenticated sessions, organization-scoped authorization, role checks for privileged actions, input validation, protected webhook signatures, and audit logging for sensitive workflows.
Production deployments should use HTTPS, strong secrets, restricted database and Redis access, provider key rotation, monitored logs, backups, and timely dependency updates.
Payments and incident reporting
Stripe handles payment collection and card details. ReportFlow stores the customer and subscription identifiers required to synchronize plan access.
If you believe an account or integration has been compromised, disconnect the affected Google connection when safe and contact support promptly with the workspace name and relevant timestamps. Never send passwords, OAuth tokens, or API keys by email.
Questions about trust or legal terms?
Contact us and include your workspace name so we can route the request.
[email protected]