How DocMaster ensures security and handles your business data
**DocMaster never stores your business data externally.**
All your data—customer information, invoices, orders, item catalogs—remains in your Google Drive under your Google account.
Codeinate.com servers have zero access to your business data. DocMaster operates entirely within Google's infrastructure.
1. **You create orders** in Google Sheets
2. **You click "Generate Invoice"** in DocMaster sidebar
3. **DocMaster reads** order data from your Sheet (within Google's servers)
4. **DocMaster processes** the data using Google Apps Script (within Google Cloud)
5. **Invoice is created** in Google Docs and saved to your Drive
At no point does your data leave Google's infrastructure or reach Codeinate.com servers.
- **In Transit:** All communication between your browser and Google uses HTTPS/TLS encryption
- **At Rest:** Your data is encrypted by Google Drive's storage encryption
- **Processing:** DocMaster code runs in Google's secure Apps Script environment
DocMaster does not add additional encryption layers because Google's infrastructure already provides enterprise-grade security.
**Google OAuth Authentication:** Access to your files is controlled by Google's OAuth system.
**Minimum Permissions:** DocMaster only requests the minimum scopes needed:
- Read/write access to Sheets where DocMaster is installed
- Create/edit access to Docs for invoice generation
- File access to save generated invoices
**You control access:** You can revoke DocMaster's permissions anytime through Google account settings.
DocMaster can ONLY access:
- Google Sheets files where you explicitly installed DocMaster
- Google Docs templates you select for invoice generation
- Files DocMaster creates (generated invoices)
DocMaster CANNOT access:
- Other Sheets or Docs in your Drive
- Your Gmail
- Your Google Calendar
- Files in other users' Drives (unless explicitly shared with edit permissions)
**Apps Script Sandbox:** DocMaster runs in Google's Apps Script sandbox, which isolates code and prevents unauthorized system access.
**No External API Calls:** DocMaster does not make API calls to external servers. All processing happens within Google.
**Code Review:** DocMaster code is reviewed by Google during the Workspace Marketplace approval process.
**Regular Updates:** We patch security vulnerabilities and update dependencies promptly.
DocMaster does NOT use third-party services for:
- Data storage
- Data processing
- Analytics tracking of your business data
The only third party involved is Google, which hosts the add-on and your data.
**Google's Audit Logs:** Your Google Workspace admin can view DocMaster activity through Google's audit logs.
**DocMaster Logs:** We log minimal technical events for debugging:
- Add-on installations (not user identities)
- Error events (not your data)
- Feature usage counts (not content)
Logs are anonymized and do not contain customer names, invoice amounts, or business data.
**Your data:** You control retention. DocMaster never deletes your files—only you can.
**Our logs:** Technical logs are retained for 90 days and then automatically deleted.
**Uninstalling:** If you uninstall DocMaster, your files remain in your Drive. You can delete them manually if desired.
**GDPR (EU):** DocMaster complies with GDPR. You are the data controller; Google and DocMaster are data processors. Since data never leaves Google, GDPR requirements are met by Google's infrastructure.
**CCPA (California):** DocMaster does not sell personal information. Data remains under your control.
**SOC 2:** Google Cloud Platform (where DocMaster runs) is SOC 2 certified.
**Google Workspace Marketplace:** DocMaster complies with Google's security and privacy requirements for marketplace add-ons.
In the unlikely event of a security incident:
1. **Detection:** Automated monitoring alerts us to anomalies
2. **Assessment:** We evaluate impact and scope
3. **Containment:** Affected systems are isolated
4. **Notification:** Affected users are notified within 72 hours
5. **Remediation:** Vulnerabilities are patched
6. **Post-mortem:** Incident is documented and preventive measures implemented
**Note:** Since your data never reaches our servers, most security incidents would not affect your business data.
To maximize security when using DocMaster:
- **Use strong passwords** for your Google account
- **Enable 2-factor authentication** on Google
- **Review permissions** periodically in Google account settings
- **Limit file sharing** - don't share sensitive Sheets with untrusted users
- **Keep Google Workspace updated** to latest security patches
- **Use Google Workspace audit logs** if you're an admin
If you discover a security vulnerability in DocMaster:
**Email:** codeinated@gmail.com
**Subject line:** "Security Vulnerability Report"
**Include:**
- Description of the issue
- Steps to reproduce
- Potential impact
We will respond within 48 hours and provide a fix timeline. Responsible disclosure is appreciated—please do not publicly disclose vulnerabilities until we've had a chance to address them.
For security-related questions:
**Email:** codeinated@gmail.com
**Website:** https://codeinate.com/docmaster/contact