Security
Last reviewed: 18 June 2026
FolderPal is a SaaS product that helps users create repeatable Google Drive folder and file structures from reusable templates. This page explains the practical security controls we use to protect FolderPal, user accounts, Google Drive connections, and customer data.
Our approach is simple: collect only what we need, restrict access by default, encrypt sensitive credentials, monitor for abuse and reliability issues, and keep a clear process for responding to security events.
This page is not a certification, audit report, or guarantee of absolute security. It describes the current baseline we maintain as of June 2026.
If you have a security question or believe you have found a vulnerability, contact [email protected].
1. Security standards we use
We use widely accepted security guidance as a practical checklist for a SaaS product, including:
- the OWASP Application Security Verification Standard for application security controls;
- the NIST Cybersecurity Framework 2.0 for governance, protection, detection, response, and recovery;
- secure-by-design principles promoted by CISA, including least privilege, secure defaults, and clear ownership of security outcomes.
We apply these standards proportionately to the product's risk profile and dependence on trusted cloud providers.
2. Account and access security
FolderPal uses authentication controls to help ensure that only authorised users can access their account and workspace.
Our access practices include:
- using secure authentication flows and account protections;
- applying access controls so users only access resources they are authorised to use;
- limiting administrative access to people and systems that need it to operate, secure, support, or maintain FolderPal;
- reviewing access when roles, tools, or operational needs change;
- encouraging users to protect their Google account with strong passwords and multi-factor authentication.
3. Google Drive connection
FolderPal connects to Google Drive only after a user authorises the connection through Google OAuth.
We use Google Drive access only to provide the product features users request.
Our Google Drive security practices include:
- requesting Google OAuth permissions only for product functions FolderPal needs;
- storing Google OAuth tokens in encrypted form;
- using tokens only to perform user-authorised actions in FolderPal;
- not reading, analysing, editing, or modifying the contents of files stored in Google Drive;
- not using Google Drive data for advertising or to train AI models;
- allowing users to revoke access through FolderPal or their Google Account permissions page.
Users remain responsible for managing permissions and sharing settings inside Google Drive and Google Workspace.
4. Data protection
FolderPal stores the data needed to provide, secure, support, and improve the service.
We protect data using measures such as:
- HTTPS for data transmitted between users and FolderPal;
- encrypted storage for sensitive credentials and OAuth tokens;
- access controls that limit who and what can access production systems;
- separation between public website content and private product data where appropriate;
- avoiding analytics collection of file contents, folder names, file names, Google Drive IDs, and placeholder values where possible;
- retention and deletion practices described in our Privacy Policy.
5. Application security
We treat application security as part of normal development rather than as a one-time review.
Our application security practices include:
- using established platform and framework protections to reduce common implementation errors;
- validating user input on server-side paths before processing account, support, or product actions;
- relying on parameterised database access and provider SDKs where applicable;
- reducing common web risks such as broken access control, injection, cross-site scripting, insecure secrets handling, and excessive error detail;
- checking changes with linting, builds, code review, and focused manual testing before release.
6. Infrastructure and vendors
FolderPal relies on reputable cloud and SaaS providers for hosting, authentication, database infrastructure, payments, analytics, email delivery, logging, and support operations.
Current service providers are listed in our Privacy Policy and may include providers for authentication, database infrastructure, payments, analytics, email delivery, content management, logging, and hosting.
We use vendor security controls such as:
- provider-managed infrastructure security and patching;
- restricted console and API access;
- secure configuration and secrets handling;
- payment processing through payment providers rather than direct card storage;
- provider security, monitoring, and availability controls where available.
7. Monitoring, logging, and abuse prevention
We collect technical logs and operational data to keep FolderPal reliable, investigate errors, detect misuse, and respond to security issues.
Monitoring and abuse-prevention measures may include:
- technical and operational logs;
- error tracking and diagnostics;
- rate limits and abuse-prevention controls;
- review of unusual access patterns or suspected misuse;
- account suspension or access restrictions when required to protect users, FolderPal, Google, or third-party services.
8. Backups and recovery
FolderPal is designed to rely on provider-managed durability, backups, and recovery controls for core infrastructure where available.
We also keep operational processes for restoring service, investigating failed jobs, and recovering from incidents that affect product availability or data integrity.
FolderPal does not replace Google Drive's own backup, retention, sharing, or recovery controls. Users should keep appropriate backups and retention policies for important files in their Google Workspace environment.
9. Incident response
If we identify a security incident, we will take reasonable steps to assess, contain, investigate, remediate, and communicate about the issue.
Our incident process includes assessing the issue, protecting affected systems and users, investigating the cause, applying remediation, and notifying affected parties where required.
Data breach handling is also described in our Privacy Policy.
10. Responsible disclosure
We welcome good-faith reports of vulnerabilities affecting FolderPal.
To report a potential issue, email [email protected] with enough detail for us to reproduce or assess the problem. Please do not access, modify, delete, copy, or disclose another user's data.
We aim to acknowledge legitimate reports and handle them promptly.
11. User responsibilities
Security is shared between FolderPal, our providers, and users. Users are responsible for:
- keeping Google and FolderPal account access secure;
- using multi-factor authentication where available;
- reviewing Google Drive folders, files, destinations, and sharing settings before using generated output;
- granting FolderPal access only to Google accounts and Shared Drives they are authorised to use;
- removing users from workspaces when they no longer need access;
- notifying us promptly about suspected unauthorised access or security issues.
12. No absolute security
No internet service can guarantee complete security, uninterrupted availability, or protection against every possible threat.
We will continue improving FolderPal's security as the product, customer needs, and threat environment change.