{"id":389,"date":"2026-01-29T13:22:56","date_gmt":"2026-01-29T12:22:56","guid":{"rendered":"https:\/\/ga4-auditor.dev\/2026\/01\/29\/data-security-in-ga4-auditor\/"},"modified":"2026-01-29T15:19:34","modified_gmt":"2026-01-29T14:19:34","slug":"data-security-in-ga4-auditor","status":"publish","type":"post","link":"https:\/\/ga4-auditor.dev\/en\/2026\/01\/29\/data-security-in-ga4-auditor\/","title":{"rendered":"Data security in the GA4 Auditor"},"content":{"rendered":"\n<p>If you grant a third-party tool access to your Google Analytics data, the question rightly arises: How secure is my data? What happens if the tool is compromised? <\/p>\n\n<p>We take these questions very seriously. This article explains the security measures we have implemented to protect your data. <\/p>\n\n<h2 class=\"wp-block-heading\" id=\"oauth-20-sichere-authentifizierung-%C3%BCber-google\">OAuth 2.0: Secure authentication via Google<\/h2>\n\n<p>GA4 Auditor uses the industry-standard OAuth 2.0 authentication via Google. This means: <\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>No password stored with us<\/strong>: You log in directly to Google. We do not see your password at any time. <\/li>\n\n\n\n<li><strong>Google manages your access data<\/strong>: Authentication runs entirely via Google servers.<\/li>\n\n\n\n<li><strong>Revocable at any time<\/strong>: You can revoke access at any time in your Google account under <a href=\"https:\/\/myaccount.google.com\/permissions\">Security &gt; Third-party apps<\/a>.<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\" id=\"minimale-berechtigungen-least-privilege-prinzip\">Minimum authorizations (least privilege principle)<\/h2>\n\n<p>We only request the authorizations that are actually required for the function of the app:<\/p>\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th class=\"has-text-align-left\" data-align=\"left\">Authorization<\/th><th class=\"has-text-align-left\" data-align=\"left\">Purpose<\/th><\/tr><\/thead><tbody><tr><td><code>openid<\/code><\/td><td>Authentication via Google (standard)<\/td><\/tr><tr><td><code>email<\/code><\/td><td>Identification of your Google account<\/td><\/tr><tr><td><code>analytics.readonly<\/code><\/td><td>Read access to GA4 data and configuration<\/td><\/tr><tr><td><code>bigquery.readonly<\/code><\/td><td>Read access for BigQuery queries<\/td><\/tr><\/tbody><\/table><\/figure>\n\n<h3 class=\"wp-block-heading\" id=\"was-diese-berechtigungen-bedeuten\">What these authorizations mean:<\/h3>\n\n<ul class=\"wp-block-list\">\n<li><strong>Read-only access to GA4<\/strong> (<code>analytics.readonly<\/code>): We can read your GA4 configuration and reports, but cannot change or delete anything.<\/li>\n\n\n\n<li><strong>Read-only access to BigQuery<\/strong> (<code>bigquery.readonly<\/code>): For the extended checks (duplicates, session analyses, e-commerce checks), we only perform read-only queries on your BigQuery export.<\/li>\n\n\n\n<li><strong>No admin rights<\/strong>: We have no authorization to configure your GA4 properties, manage users or change settings.<\/li>\n<\/ul>\n\n<p>Even if an attacker were to gain access to our systems, he could still use the existing authorizations:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Do not make any changes to your GA4 properties<\/li>\n\n\n\n<li>Do not write, delete or modify data in BigQuery<\/li>\n\n\n\n<li>Do not misuse credentials (as we do not store tokens persistently)<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\" id=\"tempor%C3%A4re-zugriffstokens-ohne-persistente-speicherung\">Temporary access tokens without persistent storage<\/h2>\n\n<p>This is where we differ from many other applications: <strong>We do not store any long-lived access tokens in our database.<\/strong><\/p>\n\n<h3 class=\"wp-block-heading\" id=\"so-funktioniert-es\">This is how it works:<\/h3>\n\n<ol class=\"wp-block-list\">\n<li><strong>Short-lived access tokens<\/strong>: The access tokens issued by Google are only valid for about one hour.<\/li>\n\n\n\n<li><strong>Refresh tokens only in the active session<\/strong>: Refresh tokens, which are required to renew access, only exist in the server&#8217;s working memory during your active session. They are <strong>not<\/strong> stored in the database. <\/li>\n\n\n\n<li><strong>Automatic session timeout<\/strong>: After 60 minutes of inactivity, your session is automatically terminated and all tokens are deleted.<\/li>\n\n\n\n<li><strong>Server restart = tokens gone<\/strong>: When the server is restarted, all active sessions become invalid. You simply have to log in again. <\/li>\n<\/ol>\n\n<h3 class=\"wp-block-heading\" id=\"was-bedeutet-das-f%C3%BCr-die-sicherheit\">What does this mean for security?<\/h3>\n\n<p>If an attacker gains access to our database, he will <strong>not<\/strong> find <strong>any usable access tokens<\/strong>. They will not be able to authenticate themselves with Google or access your GA4 data. <\/p>\n\n<h2 class=\"wp-block-heading\" id=\"datensparsamkeit\">Data economy<\/h2>\n\n<ul class=\"wp-block-list\">\n<li><strong>GA4 raw data is not saved permanently<\/strong>: Analyses are performed at runtime and the results are displayed. We do not store a copy of your GA4 data. <\/li>\n\n\n\n<li><strong>Property IDs are not saved<\/strong>: The IDs of your GA4 properties are not stored in our database. They are only loaded from the Google API at runtime and used for queries. <\/li>\n\n\n\n<li><strong>Settings are linked anonymously<\/strong>: If you save user-defined settings for a property (e.g. expected events), the assignment is made using a non-recalculable hash. In the case of a database break, it is not possible to determine which property the settings belong to. <\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\" id=\"verschl%C3%BCsselung-und-infrastruktur\">Encryption and infrastructure<\/h2>\n\n<ul class=\"wp-block-list\">\n<li><strong>HTTPS encryption<\/strong>: All connections to our app are encrypted.<\/li>\n\n\n\n<li><strong>Signed session cookies<\/strong>: The session management uses cryptographically signed cookies.<\/li>\n\n\n\n<li><strong>Hosting in the EU<\/strong>: The application is operated in European data centers (GDPR-compliant)<\/li>\n<\/ul>\n\n<h2 class=\"wp-block-heading\" id=\"was-sie-selbst-tun-k%C3%B6nnen\">What you can do yourself<\/h2>\n\n<h3 class=\"wp-block-heading\" id=\"zugriff-jederzeit-widerrufen\">Revoke access at any time<\/h3>\n\n<p>You can revoke the GA4 Auditor&#8217;s access to your Google account at any time:<\/p>\n\n<ol class=\"wp-block-list\">\n<li>Open https:\/\/myaccount.google.com\/permission <a href=\"https:\/\/myaccount.google.com\/permissions\">s<\/a><\/li>\n\n\n\n<li>Search for &#8220;GA4 Auditor&#8221; in the list<\/li>\n\n\n\n<li>Click on &#8220;Remove access&#8221;<\/li>\n<\/ol>\n\n<p>After revocation, the app can no longer access your GA4 data. You will have to authenticate yourself again the next time you visit and grant the authorization again. <\/p>\n\n<h2 class=\"wp-block-heading\" id=\"zusammenfassung\">Summary<\/h2>\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th class=\"has-text-align-left\" data-align=\"left\">Security measure<\/th><th class=\"has-text-align-left\" data-align=\"left\">Description<\/th><\/tr><\/thead><tbody><tr><td>OAuth 2.0<\/td><td>Authentication via Google, no password with us<\/td><\/tr><tr><td>Read-only access<\/td><td><code>analytics.readonly<\/code>  and <code>bigquery.readonly<\/code> &#8211; technically not possible to write<\/td><\/tr><tr><td>Temporary tokens<\/td><td>No persistent storage of access tokens in the database<\/td><\/tr><tr><td>No property IDs<\/td><td>Property IDs are not saved, only loaded at runtime<\/td><\/tr><tr><td>Session timeout<\/td><td>Automatic logout after 60 minutes of inactivity<\/td><\/tr><tr><td>HTTPS<\/td><td>Encrypted connections<\/td><\/tr><tr><td>EU hosting<\/td><td>GDPR-compliant infrastructure<\/td><\/tr><\/tbody><\/table><\/figure>\n\n<p><\/p>\n\n<p>If you have any questions about safety, please contact us.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you grant a third-party tool access to your Google Analytics data, the question rightly arises: How secure is my data?&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kadence_starter_templates_imported_post":false,"_swpsp_post_exclude":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","slim_seo":{"title":"Data security in the GA4 Auditor","description":"GA4 Auditor protects your data with OAuth 2.0, temporary tokens without database storage, automatic session timeout and minimal authorizations."},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-389","post","type-post","status-publish","format-standard","hentry","category-nicht-kategorisiert"],"taxonomy_info":{"category":[{"value":1,"label":"Nicht kategorisiert"}]},"featured_image_src_large":false,"author_info":{"display_name":"Bernhard Prange","author_link":"https:\/\/ga4-auditor.dev\/en\/author\/masterben\/"},"comment_info":0,"category_info":[{"term_id":1,"name":"Nicht kategorisiert","slug":"nicht-kategorisiert","term_group":0,"term_taxonomy_id":1,"taxonomy":"category","description":"","parent":0,"count":8,"filter":"raw","cat_ID":1,"category_count":8,"category_description":"","cat_name":"Nicht kategorisiert","category_nicename":"nicht-kategorisiert","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/posts\/389","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/comments?post=389"}],"version-history":[{"count":4,"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/posts\/389\/revisions"}],"predecessor-version":[{"id":435,"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/posts\/389\/revisions\/435"}],"wp:attachment":[{"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/media?parent=389"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/categories?post=389"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/tags?post=389"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}