At General Audit Tool Ltd. we operate to the highest security standards, procedures and ethics. As a company we respect your privacy and more importantly our tool respects the privacy of your data. Our tool only accesses your Google metadata (file names, timestamps, ACLs, owner’s name, etc.)
Our tool does not access any file contents. Those using the tool can not access other user’s data unless using the ‘Unlock‘ feature.
Our tool does not access any email contents. Those using the tool can not access other user’s emails unless using the ‘Unlock‘ feature.
While we work in every market where G Suite is available, as a European company we work under the strictest privacy regulations in the world and we honour and respect your data privacy above all else.
How the tool works
The tool only ever accesses, analyses and stores your company’s metadata.
This metadata is accessed directly from G Suite via HTTPS, the same encryption standard that you use to access G Suite.
The service is run in Amazon Web Services US East facilities (North Virginia). This facility completed multiple SAS70 Type II audits, and now publishes a Service Organization Controls 1 (SOC 1) report, published under both the SSAE 16 and the ISAE 3402 professional standards. In addition, AWS has achieved ISO 27001 certification, and has been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). (http://aws.amazon.com/security/)
The Tool itself runs using a 2048-bit modulus RSA key, SHA-1 used for hashing, AES (256-bit) used for encryption. It is Verified by GoDaddy. This ensures the site you connect to is who it says it is (generalaudittool.com), thus eliminating man in the middle attacks. It also ensures that any data transferred is moved inside a HTTPS tunnel, from Google to the audit tool and from the audit tool to your browser.
For the metadata retrieved General Audit Tool Ltd. creates a 64 bit Secret Key using DES algorithm in ECB mode to encrypt all the metadata scan files. A single copy of this key is then placed inside the customer’s G Suite Admin account. You will see this key in your Google docs. No local copy of the key is kept on the General Audit Tool. We keep an encrypted copy of your metadata between sessions, with you holding the only key. When you run the tool the key unlocks the metadata, which we load directly to memory. It is never at rest in plain text form. If the key is lost or the Admin deletes or corrupts it, the metadata file is lost forever. If the domain uses the tool again, everything is again built from scratch. The purpose of this last step is to ensure that if the Audit Tool server is ever compromised, there will be no local clear text metadata and no local keys to access the encrypted files.
General Audit Tool Ltd. believes all of the above is best practice.
Can we scan every document? – yes.
Can we scan every email? – yes.
Does the tool access document contents? – no.
Does the tool access email contents? – no.
Do we allow Admins to see document contents? – no, unless authorization is obtained (via Unlock).
Do we allow Admins to see email contents? – no, unless authorization is obtained (via Unlock).
Why don’t we allow unsupervised access to the contents? When Google sold you G Suite the management team bought it on the principle that the data was secure and that users, including Admin staff could not see other user’s or manager’s data or emails.
We are not about to violate or undermine that understanding by introducing access to private data via an open back door.
We believe companies already have business procedures in place to properly conduct internal investigations. It is up to us to honour those procedures and to only allow access via proper workflow mechanisms (GAT Unlock).
We are Truste certified.
We are GoDaddy certified for our keys.
We are ISAE 3402 certified.
In addition we have a Geo Trust Extended Validation Cert, only granted after independent verification of the principles passports, personal bank accounts and home addresses. This chip is that same as you see on many banks and Paypal.
One more layer of assurance
While all of the above is a comfort to large organisations we offer one more level of assurance that their data will be protected. Large organisations can run their own instance of the audit tool on their own cloud server. Here they have full control over the run time environment and complete control over who has access to the tool.