Understand data access for Marketplace apps

When you grant data access to a Marketplace app, you give it API access to specific data like your Calendar and Contacts. The app (and by extension, the vendor) is able to view and store that data. Because your data is then available outside the boundaries of your domain, it's critical that you trust the security mechanisms implemented by the app and the vendor.

Apps may also access identity-related information about your users (for example, username, name, email address) through standard programmatic access. In no case should third-party apps have access to any of your domain passwords.

Review data access requirements for an app

You can review the data access requirements for an app during installation, or afterwards on the app's Settings page.

During installation, the various types of data access you need to grant to the app are listed after you click Install App (Admin console) or (Marketplace website).

Shows deploying an app from G Suite Marketplace

After you install an app for your domain or organization, the settings page for that app lists the types of data access required by the app:

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Appsand thenMarketplace apps.
  3. Click an app to open its Settings page.
  4. Click Data access.
  5. Click the triangle next to an access type to see additional details on the type of data being accessed. (This information is provided by the developer and may not be present for all access types.)

If an app, after initial deployment, requires additional data access beyond what was originally requested, you're notified in the Data access area and can grant or deny the additional access.

Data retention policies
The data-retention policy for each app is governed by that vendor's Terms of Service.
Risks associated with an app reading your data
The biggest risk with exposing your data to read-only APIs is that the vendor can expose your data to other parties. Be sure to read the privacy policy and Terms of Service provided by the vendor: these documents should describe exactly how the vendor intends to handle your data. In some cases, applications may copy your data into the vendor’s systems, so make sure you understand and trust the security of the application in these circumstances.
Risks associated with an app having write access to your data
Applications that have write access to your domain’s data can change or delete that data. Make sure you trust that the vendor has thoroughly tested the application before you allow it to edit your data.

The more data that an application has access to, the more your risk can increase. For example, an application that writes to only your contacts could be considered less risky than an application that writes to your contacts and calendar. Weigh the benefits of an app against the scope of data access the vendor requests.

Denying an app access to your data
Without the required access to data, the app may not be able to deliver the functionality you wanted. Communicate with the vendor to understand the full ramifications of not granting data access. Learn how to change the settings for an app.
Was this helpful?
How can we improve it?