Security Overview
This page describes the current security and access model used by Invoice Collector for Gmail and Google Drive integrations.
Access Model
- Google account access is granted through OAuth 2.0 by the user.
- The app requests only the scopes required for Gmail invoice collection, Drive storage, and account identification.
- The user can revoke the app's access to a connected account at any time from the Google Account permissions page (https://myaccount.google.com/permissions); the app must then treat the account as disconnected.
Token Handling
- Access tokens and refresh tokens are stored server-side so the app can keep processing on the user's behalf without repeated sign-in prompts.
- Access tokens are refreshed automatically when they approach expiry, rather than after a request has already failed.
- If Google rejects a refresh token (an invalid_grant error, for example after the user revokes access), the app marks the account for re-authentication and stops using the stored credentials instead of retrying with invalid ones.
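The refresh loop described above, as an added example that is not Invoice Collector's own code. The token endpoint URL, the grant_type=refresh_token request fields and the {"error": "invalid_grant"} error body are Google's documented OAuth 2.0 behaviour; the ConnectedAccount record, the 5-minute refresh window and the injectable http_post transport (with a constructed fake Google endpoint) are assumptions made here so the example runs offline.

```python
"""Refresh a stored Google access token and react correctly when the refresh fails.

Added example, not Invoice Collector's own code. Google token endpoint and error
shapes are documented behaviour; ConnectedAccount, the refresh window and the
fake transport are assumptions made for this example.
"""
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

GOOGLE_TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
REFRESH_SKEW_SECONDS = 300  # assumption: refresh once less than 5 minutes remain

# Transport: (url, form_fields) -> (http_status, response_body)
HttpPost = Callable[[str, dict], Tuple[int, str]]


@dataclass
class ConnectedAccount:
    email: str
    access_token: Optional[str]
    refresh_token: Optional[str]
    expires_at: float  # Unix time at which the access token expires
    needs_reauth: bool = False


def access_token_is_stale(account: ConnectedAccount, now: float) -> bool:
    """True when the access token is missing or already inside the refresh window."""
    return account.access_token is None or now >= account.expires_at - REFRESH_SKEW_SECONDS


def refresh_access_token(account: ConnectedAccount, client_id: str, client_secret: str,
                         http_post: HttpPost, now: Optional[float] = None) -> str:
    """Ensure the account holds a usable access token.

    Returns one of:
      "fresh"           - current token still has headroom, nothing was sent
      "refreshed"       - a new access token was stored
      "reauth_required" - Google rejected the refresh token; credentials cleared
      "retry_later"     - transient failure; stored credentials kept intact
    """
    now = time.time() if now is None else now
    if account.needs_reauth or not account.refresh_token:
        return "reauth_required"
    if not access_token_is_stale(account, now):
        return "fresh"

    status, body = http_post(GOOGLE_TOKEN_ENDPOINT, {
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": account.refresh_token,
        "grant_type": "refresh_token",
    })
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}

    if status == 200 and "access_token" in payload:
        account.access_token = payload["access_token"]
        account.expires_at = now + int(payload.get("expires_in", 3600))
        return "refreshed"

    # invalid_grant means the user revoked access or the refresh token is no longer
    # valid. Never keep retrying with it: clear the credentials and flag the account
    # so the UI asks the user to reconnect.
    if payload.get("error") == "invalid_grant":
        account.access_token = None
        account.refresh_token = None
        account.needs_reauth = True
        return "reauth_required"

    # Anything else (5xx, network blip, rate limiting) is not evidence that the grant
    # is dead, so keep the stored tokens and try again on the next cycle.
    return "retry_later"


def fake_google_token_endpoint(url: str, fields: dict) -> Tuple[int, str]:
    """Constructed stand-in for Google's token endpoint (sample data, not live responses)."""
    assert url == GOOGLE_TOKEN_ENDPOINT and fields["grant_type"] == "refresh_token"
    if fields["refresh_token"] == "rt-good":
        return 200, json.dumps({"access_token": "ya29.new-token", "expires_in": 3599,
                                "token_type": "Bearer"})
    if fields["refresh_token"] == "rt-revoked":
        return 400, json.dumps({"error": "invalid_grant",
                                "error_description": "Token has been expired or revoked."})
    return 503, "Service Unavailable"


if __name__ == "__main__":
    acct = ConnectedAccount("user@example.com", "ya29.old", "rt-revoked", expires_at=1_000.0)
    print(refresh_access_token(acct, "client-id", "client-secret",
                               fake_google_token_endpoint, now=2_000.0), acct)
```

The three outcomes are deliberately distinct: a 5xx from the token endpoint keeps the stored refresh token, while invalid_grant discards it, because continuing to call Google with a revoked token only generates noise and never recovers on its own.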
Data Handling
- The app searches Gmail using user-defined invoice rules.
- Matching messages and attachments are processed to extract invoice files.
- Files are uploaded to a single app-managed Invoice Collector folder at the root of the user's Google Drive, organized into YEAR/MM subfolders.
- The app stores operational metadata (including the Google Drive ID of the app-managed folder and per-invoice identifiers) so it can avoid duplicate uploads and show saved file links back to the user.
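The placement and duplicate-suppression logic described in this section, as an added example that is not Invoice Collector's own code. The Invoice Collector/YEAR/MM layout and the idea of keeping per-invoice identifiers to avoid duplicate uploads come from this page; keying duplicates on the SHA-256 of the attachment bytes, treating a record without a Drive file ID as a failed upload to retry, the in-memory metadata store and the sample attachments are assumptions made here. Gmail's internalDate field is documented as milliseconds since the Unix epoch.

```python
"""Deterministic Drive placement and duplicate suppression for collected invoices.

Added example, not Invoice Collector's own code. Folder layout comes from the
page; the content-hash key, the retry rule for unconfirmed uploads and the
in-memory store are assumptions made here. One planner per connected account.
"""
import hashlib
from datetime import datetime, timezone
from typing import Dict, Tuple

ROOT_FOLDER = "Invoice Collector"


def drive_folder_path(internal_date_ms: int) -> Tuple[str, str, str]:
    """Map a Gmail internalDate (ms since epoch, UTC) to ("Invoice Collector", "YYYY", "MM")."""
    received = datetime.fromtimestamp(int(internal_date_ms) / 1000, tz=timezone.utc)
    return (ROOT_FOLDER, f"{received.year:04d}", f"{received.month:02d}")


def invoice_fingerprint(attachment_bytes: bytes) -> str:
    """Content hash used as the duplicate key (assumption: identical bytes == same invoice)."""
    return hashlib.sha256(attachment_bytes).hexdigest()


class UploadPlanner:
    """Decides whether an attachment still needs uploading and where it belongs.

    self.metadata plays the role of the operational metadata store: fingerprint ->
    record holding the folder path, source message id, filename and Drive file id.
    """

    def __init__(self, root_folder_id: str):
        self.root_folder_id = root_folder_id  # Drive ID of the app-managed root folder
        self.metadata: Dict[str, dict] = {}

    def plan(self, message_id: str, internal_date_ms: int, filename: str,
             attachment_bytes: bytes) -> Tuple[str, dict]:
        """Return ("duplicate", existing_record) or ("upload", record)."""
        key = invoice_fingerprint(attachment_bytes)
        existing = self.metadata.get(key)
        if existing is not None and existing["drive_file_id"] is not None:
            # Same invoice already in Drive (re-run or a forwarded copy): reuse the
            # stored record so the UI can still show the existing file link.
            return "duplicate", existing
        if existing is not None:
            # A record without a Drive file id means an earlier upload never
            # completed; retry it instead of silently skipping the invoice.
            return "upload", existing
        record = {
            "folder_path": drive_folder_path(internal_date_ms),
            "source_message_id": message_id,
            "filename": filename,
            "drive_file_id": None,  # filled in once the upload succeeds
        }
        self.metadata[key] = record
        return "upload", record

    def mark_uploaded(self, attachment_bytes: bytes, drive_file_id: str) -> None:
        """Record the Drive file id after a successful upload."""
        self.metadata[invoice_fingerprint(attachment_bytes)]["drive_file_id"] = drive_file_id


# Constructed sample attachments (not real invoices).
SAMPLE_PDF_A = b"%PDF-1.4 sample invoice A"
SAMPLE_PDF_B = b"%PDF-1.4 sample invoice B"

if __name__ == "__main__":
    planner = UploadPlanner(root_folder_id="drive-folder-id-placeholder")
    print(planner.plan("msg-1", 1709251200000, "invoice-a.pdf", SAMPLE_PDF_A))
    planner.mark_uploaded(SAMPLE_PDF_A, "file-123")
    print(planner.plan("msg-2", 1709337600000, "invoice-a (fwd).pdf", SAMPLE_PDF_A))
```

Hashing the attachment rather than keying on the Gmail message ID alone means a forwarded copy of the same invoice does not create a second file, while the "no Drive file id yet" rule keeps a crashed run from leaving an invoice permanently marked as handled.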
Transport and Service Communication
- Google API communication uses HTTPS.
- The production deployment for this app uses HTTPS callback URLs hosted on pay4.us.
- OAuth callbacks are handled only on the configured production endpoints.
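The authorization request and callback checks that back the statements above, as an added example that is not Invoice Collector's own code. The redirect URI and the three declared scopes are taken from this page; Google's authorization endpoint and the "scope" field of its token response are documented behaviour. The server-side state store, the one-time-use state check, the granted-scope check and the injectable exchange_code callable (with a constructed fake exchange) are assumptions made here so the example runs offline.

```python
"""Authorization request and callback validation for the Gmail/Drive OAuth flow.

Added example, not Invoice Collector's own code. Redirect URI and scopes come
from the page; the state store, replay protection and fake exchange are
assumptions made for this example.
"""
import hmac
import secrets
from typing import Callable, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
REDIRECT_URI = "https://pay4.us/auth/callback"
REQUIRED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.file",
    "https://www.googleapis.com/auth/userinfo.email",
})


class CallbackRejected(Exception):
    """Raised for any callback that must not result in a connected account."""


def build_authorization_url(client_id: str, state_store: Set[str]) -> Tuple[str, str]:
    """Return (url, state). The state is kept server-side and checked once on return."""
    state = secrets.token_urlsafe(32)
    state_store.add(state)  # assumption: per-session server-side store
    params = {
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": " ".join(sorted(REQUIRED_SCOPES)),  # exactly the declared set, nothing more
        "access_type": "offline",                    # required to receive a refresh token
        "prompt": "consent",
        "state": state,
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}", state


def handle_callback(callback_url: str, state_store: Set[str],
                    exchange_code: Callable[[str, str], dict]) -> dict:
    """Validate the callback, exchange the code and confirm the granted scopes."""
    parts = urlsplit(callback_url)
    # 1. Only the configured production endpoint may complete the flow.
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise CallbackRejected("callback arrived on an unconfigured endpoint")
    query = parse_qs(parts.query)
    if "error" in query:
        raise CallbackRejected(f"authorization failed: {query['error'][0]}")

    # 2. state ties the callback to a request we started (CSRF protection); compare
    #    in constant time and consume it so a replayed callback is rejected.
    presented = query.get("state", [""])[0]
    matched = next((s for s in state_store
                    if hmac.compare_digest(s.encode(), presented.encode())), None)
    if matched is None:
        raise CallbackRejected("unknown or already-used state")
    state_store.discard(matched)

    code = query.get("code", [""])[0]
    if not code:
        raise CallbackRejected("missing authorization code")

    # 3. Google can grant fewer scopes than requested (granular consent). Without
    #    gmail.readonly and drive.file the account cannot be processed, so refuse it
    #    now rather than failing later on every API call.
    tokens = exchange_code(code, REDIRECT_URI)
    missing = REQUIRED_SCOPES - set(tokens.get("scope", "").split())
    if missing:
        raise CallbackRejected(f"user declined required scopes: {sorted(missing)}")
    return tokens


def fake_exchange_code(code: str, redirect_uri: str) -> dict:
    """Constructed stand-in for the code-for-token exchange (sample data, not live)."""
    assert redirect_uri == REDIRECT_URI
    granted = set(REQUIRED_SCOPES)
    if code == "code-no-gmail":  # simulates a user unticking Gmail on the consent screen
        granted.discard("https://www.googleapis.com/auth/gmail.readonly")
    return {"access_token": "ya29.sample", "refresh_token": "1//sample",
            "expires_in": 3599, "scope": " ".join(sorted(granted)), "token_type": "Bearer"}
```

The redirect-URI comparison is exact (scheme, host and path); Google enforces the same match on its side, but checking it locally means a request that somehow reaches a staging host or an alternate path never exchanges a code.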
Operational Notes
- The app uses the non-sensitive Google Drive drive.file scope. That scope limits Drive access to files and folders the app itself has created (or that a user explicitly opens with the app through a Google picker); Invoice Collector relies only on the first path, so it can see the single Invoice Collector root folder and the files it placed there, and cannot list, read, or modify any other file in the user's Drive.
- The app uses Gmail read-only access (gmail.readonly) for invoice discovery and attachment download, and never sends, modifies, or deletes email.
- Because drive.file is non-sensitive and gmail.readonly is the only restricted scope used, the Google OAuth submission consists of a restricted-scope review for Gmail plus a non-sensitive Drive declaration; the associated verification and CASA security assessment requirements are handled through the Google Cloud Console process for the production OAuth client.
OAuth Submission Reference
The exact scope set, Cloud Console field values, scope justifications, and reviewer walkthrough used for this app's Google OAuth verification submission are maintained alongside the code and kept in sync with the production deployment. Summary:
- Production domain: pay4.us
- Authorized redirect URI: https://pay4.us/auth/callback
- Publishing status: In production (required because the app asks for non-basic scopes; while an app is in Testing status, refresh tokens expire after 7 days).
- Declared scopes: gmail.readonly (restricted), drive.file (non-sensitive), userinfo.email (non-sensitive).
- Reviewer pages: Privacy Policy, Terms of Service, Google Access Explanation, Data Processing Agreement.
- Verification path: restricted-scope review for Gmail, with a CASA Tier 2 security assessment required; drive.file does not require a security assessment.
Contact
Security, privacy, and OAuth review questions can be sent to nir.ashkenazi88@gmail.com.
Related pages: