Technical background & trust

While delegated OAuth scopes define the type of access (e.g., read) that the service account has across a Workspace domain, the actual limitation to specific entities is enforced by our system's architecture. We have implemented several layers of technical and organizational controls to ensure this limitation:

• Delegated Scopes
  Access is strictly limited by the specific OAuth scopes you explicitly consent to, which are necessary only for the core functionality of our service.
  
  

• Storage

  • Segregation: Service accounts are securely managed in Google Secret Manager, an isolated system meeting the highest security standards. Access is strictly limited to highly trained personnel, ensuring complete separation from our primary operational environment.

  • Hashed Identifiers: The service accounts are stored in a hashed format. This means we have no way of directly linking a service account to a specific instance or company. Even if our system were compromised, an attacker would not be able to determine which service account belongs to which customer.
    
    

• Data access

  • We do NEVER access a full list of entities (mails, chat spaces, events, …) for any of our features. We will only access specific mails/chat spaces/events that your users have already linked and shared. Additionally, our system requires critical pieces of information for each app: 

    • Gmail: the mailbox id/name and the message entity ID

    • Google Chat: the spaces id/name and a user id of a space manager

    • Google Calendar: the calendar id and event id

  • These identifiers are stored separately within your Atlassian instance, which is only accessed with another layer of security - the Atlassian OAuth token. Without knowing these specific details, which are not stored alongside the service accounts, it is impossible for anyone, including us, to access your mailboxes or individual emails. This separation of concerns creates a significant barrier to unauthorized access, ensuring that even with broad scopes, access is practically limited to the Google entities you intend to use with our service. 
    
    

• CASA Security Assessment
  All apps accessing sensitive or restricted Google scopes (e.g. Gmail read access) go through an external security assessment by Google Partners. Jigo was successfully lab tested for any vulnerabilities, and will be revalidated in regular intervals. Only apps with successful recent security assessments are valid for production usage.

  Open

  

   

• Audit logs
  Google Workspace provides comprehensive audit logs that track all API calls made by service accounts. You can review these logs within your Google Admin console to monitor activity:
  Google Cloud > IAM & Admin > Service accounts > [service account name] > Metrics/Logs
  
  

• Granular Revocation
  You have the ability to revoke access for the service account at any time through your Google Workspace Admin console, which will immediately terminate our ability to interact with your system.