Product Technical FAQs
Why does GAT+ require a domain-wide install for all OUs?
GAT+ must be installed domain-wide. The main reason GAT+ must cover every user is not just billing, but also technical. To do a proper audit of all aspects of the Google Workspace environment, you must audit every user to see how they interact with other users. This is necessary for proper email auditing and proper collaboration measurement and, depending on the version of Google Workspace that you have, for proper Drive audits, in particular where visitor events are recorded.
Does GAT have access to our file contents?
No, GAT+ only has access to metadata.
Do you have written information security, data protection and confidentiality policies that outline your overall policy framework?
Yes, see our security policy statement: https://gatlabs.com/security-policy-statement/
Do you have a data protection officer (DPO) in place?
Do you maintain a record of your data processing activities in line with the requirements of the General Data Protection Regulation including DPO details; Processing purpose; Data types; Sharing details; International transfers; and Retention periods?
Yes.
Will you need to, or be required to, access personal data or confidential information belonging to our organization, e.g. staff data, customer data, or confidential business information?
Yes. GAT only requires metadata. We build our exposure profile based purely on the metadata. GAT never retrieves file contents for auditing. We believe the risk in extracting file contents from the secure ‘shredded’ environment of Google’s servers to any third-party software is too great for companies serious about security, so we don’t do it. Some of the most security-sensitive government customers in the US and the UK use GAT precisely because we don’t extract file contents.
Do you have a policy and process for secure disposal of both IT equipment and media?
No customer data is ever stored on local equipment or media. Google is responsible for this.
Will our organization be able to manage who has access to the service (our organization's staff)?
GAT is the very first Google Workspace security tool provider to offer ‘lock and key’ access to Google Workspace files and emails. Because end-user security is paramount, this feature set goes much further than any of our competitors. Not only does it allow for full file management, but it is the only tool to give silent views of all files and emails (Admins and Security Officers won’t appear as ‘Viewers’ of the files or emails), while at the same time executing in a secure way that deeply protects end users’ rights. We carefully designed the solution to require both a lock and key for access. Managers, C-level executives, and security officers can also relax knowing you cannot download GAT and have unrestricted access to sensitive financial files or snoop on HR emails. Google Workspace Admin staff using GAT can report that they have the most functional security tool in the marketplace, yet with the highest security standards available.
Do you have an encryption policy that covers data encryption in transit and at rest?
The Tool itself runs using a 2048-bit modulus RSA key, SHA256 is used for hashing, and AES (256-bit) is used for encryption. It is Verified by Comodo. This ensures the site you connect to is who it says it is (generalaudittool.com), thus eliminating man-in-the-middle attacks. It also ensures that any data transferred is moved inside an HTTPS tunnel, from Google to the audit tool and from the audit tool to your browser.
Do you have a Security/ Breach Incident Management Policy and Procedure in place?
In the event of a customer data breach, we have a declared policy of customer notification. The response to any specific incident will depend on the nature of the incident and is not defined in specific terms.
Do you have a Business Continuity Policy in place?
For business continuity of our cloud services, we are dependent on GCP business continuity.
Do you have a Privacy policy? As an EU-based company, this would comply with GDPR requirements.
Our privacy policy is stated as complete non-disclosure of customer data and an automatically implemented ‘right to be forgotten’ for customer data 30 days after last use. This policy predates GDPR. There is no access to customer data by any staff other than development engineers. Customer data is never removed from GCP.
You are based in Ireland and run services on the North American GCP. Could you please confirm your view as to whether this means that data is transferred outside of the EU?
Yes, we are based in Ireland. We state so clearly on our website. Yes, our services are run 100% from GCP in North America. It is our view that data is transferred out of the EU and its protection is covered by Google under the EU/US data protection umbrella agreement. We as a data processor are covered directly by EU law.
What data do we work with?
We process and store metadata.
Where is my metadata stored?
Customers’ metadata is stored in GCP (Google Cloud Platform).
Customers can choose between 3 geographical areas for their data to be stored: UK, US and EU (US by default).
1. In America: GCP in Council Bluffs, Iowa
2. In Europe: Frankfurt, Germany
3. In the UK: London, England
How is my metadata kept secured?
Data at rest is encrypted with the AES-256 algorithm.
Is my metadata secure during transit?
Data in transit is encrypted with TLS.
Who has access to my metadata?
Engineers responsible for the production environment and support engineers can have access to customers’ metadata.
How is metadata accessed via Google API?
This metadata is accessed directly from Google Workspace via HTTPS, the same encryption standard that you use to access Google Workspace.
Do you have an SLA and how will downtime be reported?
You can request or send the SLA via dpo@generalaudittool.com, and we will get back to you as soon as possible. Downtime is reported on our Status Page if it happens.
How far back can the “Drive event scan” go?
6 months from the point of installation; the maximum available from the API is 180 days.
The Drive event scan covers all actions taken on files and folders (views, edits, downloads, etc.).
Drive event logs are kept indefinitely once GAT+ is installed: as long as the tool is installed, we keep Drive event logs.
How far does Event activity go back on files?
Event data is only retained by Google for 180 days.
How far back, historically, do email scans index?
When you install the tool, it indexes the last 28 days of email. We do this to provide seed statistics for tables, etc. Going forward, it indexes all emails for all time until you remove the tool.
How long do you keep our data once our license expires?
All the collected data will be deleted in 30 days.
How long does the first scan take?
It depends on the size of your domain; we calculate 30 minutes per 1 million records. You can check the scan status under GAT+ > Configuration > General > Tasks.
How often do GAT+ scans run?
At least once per day, and every time you access the tool in any given area a new scan will be scheduled to run in the background.
How long is the GAT+ admin log retained for? Indefinitely?
It has the same lifetime as the scan data, after 30 days of inactivity when the license
Admin logs are kept as long as the tool is installed; if the tool is removed, the data is removed automatically after 30 days.