Articles on: 🔒 Security

How is security managed on DragApp services?

Drag is a Google Cloud Partner and has a series of safety measures at every level to ensure safety of our systems and services.

Compliance with Google Cloud Security Policies

Our systems fully comply with the Google Cloud Security Policies and are subject to a series of security checks throughout their lifecycles.

We are yearly assessed by a third party Security Company

We are audited yearly by a third party security company appointed by Google itself. We are happy to share our latest certificate of approval upon request, just send us a request to

This assessment covers a broad range of Application Penetration Testing, Cloud Security Review and External Penetration Testing, and makes sure that we meet high standards of data privacy and security when handling sensitive scopes from the Gmail API, including, but not limited to, tests against attacks, like SQL Injection, cross site scripting (XSS), among others.

The assessment also ensures that we are only able to request permissions to users' accounts that are strictly necessary for the operation of our product. You can read more about the permissions that Drag requires to function properly here.

Manual reviews by the Google internal audit

Every new version of our Chrome extension is manually reviewed by the Google internal audit team to verify that no security policies have been violated and, upon approval, maintained within the Chrome store.

We use Google's OAuth to access users' accounts

We use Google's OAuth to connect to users' accounts so we do not have access to their passwords and do not store email contents (only metadata). We fully disclose the users' information we collect, as well as how we use, protect and share them in our privacy policy, that can be accessed here.

Users can also revoke Drag's access to their account at any time directly from their Google Workspace or Gmail account and can request permanent deletion of your data from our servers at any point.

Data Security

We strictly implement the GDPR regulation, that aims at protecting user data and providing a right to modify and delete such data, as well as to consent to data collection.

You can find our full GDPR compliance status (which applies to all our users, regardless of their location worldwide) in this article.

Other Security Practices

Our technical team is fully trained to implement security best practices.

Secure communication with servers over HTTPS protocol, using encryption key stored locally in users' machines. Access key is acquired only by users through Google's OAuth.
Database encrypted at rest and protected by 16+ alphanumeric characters key.
AWS Key Management Services (KMS) in place to securely manage cryptographic keys with access to Gmail API.

Still have questions? Our team will love to clarify them, just contact us at

Updated on: 27/06/2023

Was this article helpful?

Share your feedback


Thank you!