Google Drive & File Editor Security Overview
This article provides a security overview of the Showell integration with Google Drive and the Google Files Editor.
Who is this for?
👤 Administrators
👁️‍🗨️ Available as an Integration in selected plans
1. Introduction
The Showell integration with Google Drive enhances productivity by letting your workspace sync content directly from Google Drive and, with the Google Files Editor add-on, create and edit Google Docs, Sheets, Slides, and Drawings without leaving Showell.
There are two flavours of the integration:
- Google Drive sync (workspace level): an administrator authorizes a Google account and Showell continuously syncs the chosen Drive folders into the Showell workspace.
- Google Files Editor (user level): individual users connect their own Google account to create and edit Google documents in their My Files.
The integration is designed with security as a fundamental aspect, employing strong authentication, encryption, and data-handling practices. While this overview provides a comprehensive look at the security measures in place, further details can be obtained through direct contact with Showell support.
More information:
- Showell's commitment to security
- Google User Data Usage Addendum
- Google Files Editor: Information Guide
- Google Files Editor: Usage Guide
- Google Drive Integration: Setup Guide
2. Authentication and Authorization
Authentication between Showell and Google is managed through OAuth 2.0, ensuring secure and streamlined access. During the authorization process, Showell requests only the specific permissions it needs:
- For the Google Drive sync flow, Showell requests read-only access to the files the authenticated user can see in Google Drive.
- For the Google Files Editor flow, Showell requests read-only access to the user's Google Drive plus per-file access to the files Showell itself creates or opens, not the rest of the user's Drive.
The tokens obtained (both access and refresh tokens) are encrypted at rest. They allow Showell's backend to act as the authenticated user only within the scope of permissions granted; once the initial authorization is complete, the tokens cannot be used for any action outside those scopes.
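An added example, not Showell's own code: a small audit an administrator could run over the scopes a Google grant actually carries, to confirm they match the two flows described above. The Google scope URLs, the flow names, and the `audit_grant` helper are assumptions (the article does not name the scope strings), and the sample grants are constructed.

```python
# Added example, not Showell code. The article does not name the scope
# strings; the Google scope URLs below are assumed mappings of
# "read-only Drive access" and "per-file access".
G = "https://www.googleapis.com/auth/"
IDENTITY = {"openid", G + "userinfo.email", G + "userinfo.profile"}
DRIVE_EXPECTED = {
    "drive_sync": {G + "drive.readonly"},
    "files_editor": {G + "drive.readonly", G + "drive.file"},
}
# Full-Drive read/write scope: broader than either flow described above.
BROAD_WRITE = {G + "drive"}


def audit_grant(flow, token_response):
    """Compare the scopes on a grant with what the flow should need.

    token_response is a dict with a space-delimited "scope" string,
    the form OAuth 2.0 token responses use.
    """
    granted = set(token_response.get("scope", "").split())
    expected = DRIVE_EXPECTED[flow]
    unexpected = sorted(granted - expected - IDENTITY)
    return {
        "flow": flow,
        "unexpected": unexpected,
        "broad_write": sorted(granted & BROAD_WRITE),
        "missing": sorted(expected - granted),
        "ok": not unexpected,
    }


# Constructed sample grants (not real tokens or accounts).
SYNC_GRANT = {"scope": f"openid {G}userinfo.email {G}drive.readonly"}
EDITOR_OVERBROAD = {"scope": f"{G}drive.readonly {G}drive.file {G}drive"}

if __name__ == "__main__":
    for flow, grant in (("drive_sync", SYNC_GRANT),
                        ("files_editor", EDITOR_OVERBROAD)):
        print(audit_grant(flow, grant))
```

A result with a non-empty `unexpected` list means the grant carries more than the flow is described as needing; `missing` only indicates the integration would not function as described.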
3. Data Encryption
Data security is a top priority, and the integration uses robust encryption methods to protect data both in transit and at rest.
Data transmitted between Showell and Google Drive is secured using HTTPS, ensuring encrypted traffic to prevent interception. At rest, data within Showell's physical database is encrypted using AES-256 encryption, a standard that meets industry guidelines for securing confidential information. Encryption keys are managed according to Showell's Encryption Key Management policy, ensuring they are periodically reviewed and upgraded as necessary.
Our server infrastructure is hosted on AWS in Europe, ensuring compliance with European data protection standards.
4. Data Handling and Privacy
The integration between Showell and Google Drive involves specific data-handling practices to ensure privacy and compliance:
- By authorising the connection between Showell and Google, you, as the end user, allow the Showell server to access Google Drive data on your behalf, within the scopes you granted.
- For the Google Drive sync flow, Showell pulls file content and metadata from the authorised Google Drive into the Showell workspace. The files then live inside Showell's storage and are managed like any other Showell content. Drive owners or admins remain in control of the source files. Revoking the OAuth grant in Google immediately stops further syncing.
- For the Google Files Editor flow, the user's edits round-trip through their own Google account; Showell only stores the resulting file in Showell.
- Showell stores the minimum identity information required to authenticate against Google: an internal account ID, the connected account's email address, and the user's display name. No additional Google profile data is retained on Showell's platform.
- Compliance with privacy regulations such as GDPR and CCPA, and with the ISO 27001 standard, is maintained, ensuring personal data is handled responsibly. Users can exercise their data subject rights (access, rectification, deletion) by contacting Showell support.
- We retain user data only as long as necessary to provide the service and comply with legal requirements.
5. Tracking and Logging
Showell does not collect personal data from Google Drive. It only gathers tracking information within the Showell App to monitor usage and improve service quality. For example, in Showell's Digital Sales Room, the following information is tracked:
- Visitor details: Who visited the Digital Sales Room, which content they viewed, the duration of their viewing, and whether they downloaded the content to their device.
Showell servers are authorised to access and sync Google Drive data (see point 4). Tracking information is stored within Showell's infrastructure and is accessible to authorised personnel only. This information is protected through encryption and access-control measures to ensure it remains secure.
Error messages are logged with Sentry.io, helping us identify and address issues promptly without collecting personal data.
For more information on Share Analytics: analyze your shared content.
6. Security Measures
Additional security measures are in place to safeguard the integration:
- Regular Security Audits and Penetration Testing: Conducted in compliance with ISO 27001 standards, including regular monitoring and logging to check the effectiveness of procedures and controls. Important logs are reviewed monthly, and violations are reviewed within one business day.
- Secure Development Practices: Adhered to throughout the development lifecycle.
- Certifications and Standards: Compliance with standards such as ISO 27001 to ensure robust security practices.
7. Incident Response
In the event of a security breach, Showell has a comprehensive incident response plan:
- Identification: The incident is detected, reported, and verified by the Security Response Team (SRT).
- Assessment: The SRT examines the incident, logs details, evaluates risks, and categorizes the incident type.
- Response: The SRT acts to control the incident, secures evidence, and reports to law enforcement if necessary. Post-incident analysis is conducted to prevent future occurrences.
The SRT, composed of the CTO, CISO, senior management, customer support, IT, and Product Development team members, is responsible for investigating and responding to incidents. The team ensures compliance with relevant laws and conducts post-incident reviews to implement remedial actions.
8. Contact Information
If you have any questions or concerns about this security overview or the handling of your information, please contact your Showell contact person or Showell support.
💡 Summary (TL;DR)
The Google Drive integration lets Showell sync content from Google Drive (admin) or let users create and edit Google files in Showell (Google Files Editor).
- Authentication and Authorization: Managed via OAuth 2.0. Read-only scope for the sync flow; read + write scope (limited to user-created files) for the Google Files Editor. Tokens are encrypted at rest.
- Data Encryption: Data in transit is secured with HTTPS. Data at rest is encrypted with AES-256. Hosted on AWS in Europe.
- Data Handling and Privacy: Showell pulls file content into Showell for the sync flow and round-trips edits via the user's own Google account for the Editor flow. Only minimal identity data (account ID, email, display name) is stored. Complies with GDPR, CCPA, and ISO 27001.
- Tracking and Logging: Showell does not collect personal data from Google Drive. Error messages are logged via Sentry.io without storing personal data.
- Security Measures: Regular security audits and penetration testing. Adherence to secure development practices and ISO 27001 standards.
- Incident Response: Comprehensive plan with identification, assessment, and response by the Security Response Team.