| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ❌ |

This application requires sensitive OAuth scopes to function. These scopes are minimized to only what is necessary:

| Scope | Purpose | Required For |
|---|---|---|
| `gmail.settings.basic` | Modify user's own Gmail signature | User Tab |
| `gmail.settings.sharing` | Modify other users' signatures | Admin Tab |
| `admin.directory.user.readonly` | Read user directory information | Admin Tab |
| `script.external_request` | Fetch external resources (logos) | All |
| `script.scriptapp` | Create scheduled triggers | Admin Tab |
| `userinfo.email` | Get current user's email | All |

Data Accessed:
- User names, email addresses, and phone numbers from Google Workspace Directory
- Gmail signature settings
Data Stored:
- User preferences stored in Google Apps Script Properties Service (per-user)
- No data is stored externally or transmitted to third parties
Data Not Collected:
- Email content
- Passwords or authentication tokens
- Personal files or documents
Admin features require domain-wide delegation. This grants the script the ability to:
- Read user directory information for all domain users
- Modify Gmail signatures for all domain users
Important: Only grant these permissions to trusted administrators.
- Limit Admin Access: Only grant Admin tab access to IT administrators
- Review Deployments: Audit who has access to the deployed add-on
- Monitor Activity: Check Apps Script execution logs regularly
- Update Regularly: Keep the add-on updated with the latest security patches
If you discover a security vulnerability, please report it responsibly:
- Email: security@nyuchi.com
- Subject: `[SECURITY] workspace-tools vulnerability`
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if any)
| Stage | Timeline |
|---|---|
| Initial Response | Within 48 hours |
| Vulnerability Assessment | Within 7 days |
| Fix Development | Within 30 days |
| Patch Release | Within 45 days |
- Please allow us time to address the issue before public disclosure
- We will credit researchers who report valid vulnerabilities (unless anonymity is requested)
- We do not pursue legal action against researchers acting in good faith
Security updates are released as patch versions (e.g., 2.0.1). To receive updates:
- Watch this repository for release notifications
- Pull the latest changes regularly
- Deploy updates via `npm run push:all`
The application logs the following actions (viewable in Apps Script execution logs):
- Signature updates (success/failure)
- Bulk deployment operations
- Trigger creation/removal
- Authentication errors
| Dependency | Purpose | Security Notes |
|---|---|---|
| Google Apps Script | Runtime environment | Managed by Google |
| Gmail API | Signature management | OAuth 2.0 secured |
| Admin SDK | Directory access | OAuth 2.0 secured |
| Flaticon CDN | Social media icons | Public CDN |
| Nyuchi Assets CDN | Brand logos | Nyuchi-managed |

This application is designed to support compliance with:
- GDPR: User data is accessed only when necessary and not stored externally
- Google Workspace Terms: Follows Google's API usage policies
- Corporate Security: Supports domain-wide deployment controls
Before deploying to production:
- Confirm that the OAuth scopes are appropriate for your use case
- Configure domain-wide delegation only for necessary scopes
- Set web app access to "Anyone within [your domain]" (not public)
- Test with a single user before bulk deployment
- Document who has admin access
- Set up monitoring for Apps Script execution logs
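
The scope and web app access items in this checklist can be checked mechanically before each push. The following is an added example, not part of this project's code: it audits a parsed `appsscript.json` manifest against the scope table in this document. The `auditManifest` function and the sample manifest are constructed for illustration.

```javascript
// Added example: audit a parsed appsscript.json before deployment.
// The allowlist is the scope table from this policy.
const SCOPE_PREFIX = 'https://www.googleapis.com/auth/';
const ALLOWED_SCOPES = new Set([
  'gmail.settings.basic',
  'gmail.settings.sharing',
  'admin.directory.user.readonly',
  'script.external_request',
  'script.scriptapp',
  'userinfo.email',
].map((name) => SCOPE_PREFIX + name));

// Web app access values that expose the app outside the domain.
const PUBLIC_ACCESS = new Set(['ANYONE', 'ANYONE_ANONYMOUS']);

// Returns a list of findings; an empty list means the manifest passes.
function auditManifest(manifest) {
  const findings = [];
  const scopes = manifest.oauthScopes;
  if (!Array.isArray(scopes)) {
    // Without an explicit list, Apps Script infers scopes from the code,
    // so nothing pins them to the documented set.
    findings.push('oauthScopes is not set explicitly');
  } else {
    for (const scope of scopes) {
      if (!ALLOWED_SCOPES.has(scope)) findings.push(`undocumented scope: ${scope}`);
    }
  }
  const access = manifest.webapp && manifest.webapp.access;
  if (PUBLIC_ACCESS.has(access)) {
    findings.push(`web app access is ${access}, expected DOMAIN`);
  }
  return findings;
}

// Constructed sample manifest (not the project's real file).
const sampleManifest = {
  timeZone: 'Etc/UTC',
  runtimeVersion: 'V8',
  oauthScopes: [
    SCOPE_PREFIX + 'gmail.settings.basic',
    SCOPE_PREFIX + 'userinfo.email',
    'https://mail.google.com/', // full mailbox access, not in the scope table
  ],
  webapp: { executeAs: 'USER_ACCESSING', access: 'ANYONE_ANONYMOUS' },
};

for (const finding of auditManifest(sampleManifest)) console.log('FAIL:', finding);
```

Feeding it the result of `JSON.parse` on the real manifest and failing the build on any finding catches scope drift before it reaches users.
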

- Author: Nyuchi Web Services
- Developer: Bryan Fawcett
- Last Updated: December 2025
- Version: 2.0.0