Data Compliance
Last updated: 15 June 2026
Posqure is a security product, so we hold ourselves to the standards we help you measure. This page summarizes how Posqure handles data and supports your own compliance obligations. It complements our Privacy Policy.
1. Our role
For your Google Workspace configuration data, you are the data controller and Posqure acts as your data processor: we process it only on your instruction, to produce your security assessment. For your account data (name, email, billing reference) we act as a controller. A Data Processing Addendum (DPA) is available on request — email posqure@gmail.com.
2. Frameworks we align with
Our data practices are designed to align with the GDPR (EU/UK), India's Digital Personal Data Protection Act 2023, and the CCPA/CPRA (California). To be clear about what this means: Posqure helps you assess and evidence SOC 2, ISO 27001 and GDPR controls — we do not claim to be certified under those frameworks ourselves, and any such certification would be stated explicitly with its report. We will not overstate our posture.
3. Data minimization — what we hold
We are built to hold as little of your data as possible. We request only .readonly Google scopes; we evaluate your configuration in memory and persist only the resulting findings and minimal sanitized evidence (counts and a few identifiers). We never store the contents of your emails, files, calendars, or chats, and we never download your user directory. See the Privacy Policy for the full detail.
4. Where your data is processed
Your primary data is stored in Supabase (PostgreSQL) in AWS ap-southeast-2, Sydney, Australia, and our application compute runs in the same Sydney region. Data is encrypted in transit (TLS). Sensitive secrets — including your Google refresh token — are encrypted at rest with AES-256-GCM using a key held outside our source code.
5. Sub-processors
We use a small set of vendors to run the service. Each processes data only to perform its function, under its own data-protection commitments:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Primary database (PostgreSQL) | AWS ap-southeast-2 (Sydney, Australia) |
| Vercel | Application hosting & serverless compute | Sydney region (syd1) |
| Resend / Gmail | Transactional & lifecycle email | United States |
| Dodo Payments | Billing (Merchant of Record) | United States |
| Google | The Workspace APIs you connect (read-only) | Per Google's infrastructure |
| Google Gemini / Groq | Optional AI assistant (sanitized findings only) | United States |
6. Security measures
Read-only by design (a code guard refuses any non-read-only Google scope); tokens encrypted at rest; no secrets in logs or error trackers; least-privilege access to production; findings-only storage; and no third-party advertising or analytics trackers on the product.
7. Your rights
Subject to your jurisdiction, you may request access to, correction of, export of, or deletion of your personal data, and you may object to or restrict certain processing. We never sell personal data and never use it to train AI models. Exercise any right by emailing posqure@gmail.com; we respond within the timeframes required by applicable law.
8. International transfers
Because our vendors operate in Australia and the United States, your data may be processed outside your country. Where required, transfers are covered by appropriate safeguards such as Standard Contractual Clauses.
9. Breach notification
If a personal-data breach affecting your data occurs, we will notify affected customers and, where applicable, the relevant supervisory authority without undue delay and within the timeframes required by law (for example, within 72 hours under the GDPR).
10. Retention & deletion
We keep findings for your plan's retention window. Disconnecting a Workspace immediately deletes the stored refresh token. You may request deletion of your account and all associated data at posqure@gmail.com; we complete it within 30 days.
11. Google API data
Our use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements, as detailed in our Privacy Policy.
12. Contact
Data-protection questions, DPA requests, or rights requests: posqure@gmail.com.