Security & Data Compliance at FigureOut
We operate FigureOut under strict data compliance policies. This document details how we handle database storage, API token encryption, Google OAuth 2.0 connection pipelines, tenant-level data isolation, and our security incident response protocols.
Last updated: June 2026
1. Data Storage & Infrastructure Overview
FigureOut's operational database and web application servers are hosted in secure, tier-III Indian datacenters operated by our cloud infrastructure partners (fully certified under ISO/IEC 27001, SOC 2 Type II, and PCI-DSS standards).
All local server infrastructure is isolated within virtual private clouds (VPCs). Database traffic is restricted by strict firewall rules that prevent direct access from the public internet. Database schemas are backed up daily, with encrypted backups stored off-site in local repositories to guarantee recovery in the event of an infrastructure failure.
2. Data Encryption (In Transit & At Rest)
We enforce encryption across all data pathways:
- In Transit: All HTTP requests are served over TLS 1.3. Plaintext connections (HTTP) are blocked and redirected to secure HTTPS endpoints.
- At Rest (OAuth Tokens): Your Google OAuth 2.0 refresh and access tokens are sensitive credentials. We encrypt refresh tokens at rest in the database using AES-256-GCM. The secret encryption keys are stored outside the database as environment variables on the host server, which prevents decryption if the database files are compromised.
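The at-rest scheme described above, sketched as an added example (this is not FigureOut's code). It uses the Python `cryptography` package; the variable name `TOKEN_ENC_KEY`, the `nonce || ciphertext || tag` layout and the binding of each ciphertext to its owner's user ID through GCM associated data are assumptions of this sketch.

```python
import base64
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

KEY_ENV = "TOKEN_ENC_KEY"  # hypothetical variable name, not from the page
NONCE_LEN = 12             # 96-bit nonce, the standard size for GCM


def load_key() -> bytes:
    """Read the base64-encoded 256-bit key from the environment."""
    key = base64.b64decode(os.environ[KEY_ENV])
    if len(key) != 32:
        raise ValueError("AES-256-GCM needs a 32-byte key")
    return key


def encrypt_token(key: bytes, user_id: int, refresh_token: str) -> bytes:
    """Return nonce || ciphertext || tag, bound to the owning user."""
    nonce = os.urandom(NONCE_LEN)  # must never repeat under one key
    aad = f"user:{user_id}".encode()  # assumed binding, authenticated not stored
    return nonce + AESGCM(key).encrypt(nonce, refresh_token.encode(), aad)


def decrypt_token(key: bytes, user_id: int, blob: bytes) -> str:
    """Raises InvalidTag if the blob was altered or belongs to another user."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    aad = f"user:{user_id}".encode()
    return AESGCM(key).decrypt(nonce, ct, aad).decode()


def is_readable(key: bytes, user_id: int, blob: bytes) -> bool:
    """True only when the blob authenticates under this key and user ID."""
    try:
        decrypt_token(key, user_id, blob)
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    # Constructed sample key and token, for demonstration only.
    os.environ.setdefault(KEY_ENV, base64.b64encode(os.urandom(32)).decode())
    key = load_key()
    blob = encrypt_token(key, 101, "1//constructed-sample-refresh-token")
    print(decrypt_token(key, 101, blob))
    print(is_readable(key, 202, blob))  # same row copied to another user
```

Because the user ID is authenticated but not stored in the blob, a ciphertext copied into another user's row fails the GCM tag check instead of decrypting.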
3. Google OAuth 2.0 Connection Flow
FigureOut accesses Google Business Profile APIs using Google's secure OAuth 2.0 consent gateway. We never ask for, view, or store your Google account password.
Handshake: You → Redirect to accounts.google.com → Grant consent to the requested scopes → Redirect back to figureout.in with an authorization code → Server exchanges the code for tokens and stores the refresh token encrypted.
This token allows our background workers to query GMB endpoints on your behalf without prompting you to log in. You can revoke this token at any time inside the Locations dashboard or directly within your Google Account Security console.
4. Granular Permission Scopes
To provide review management and posting features, FigureOut requests access only to the following specific scopes:
| Scope | Why We Need It |
|---|---|
| openid | Authenticate your login identity via Google. |
| | Map your dashboard account and send daily notification logs. |
| profile | Display your Google name and profile picture in your workspace. |
| business.manage | GBP Core Access. Poll reviews, publish updates, and fetch performance analytics. |
We do not request access to Gmail, Google Drive, Google Ads, or any other Google product.
5. Multi-Tenant Data Isolation
FigureOut implements a multi-tenant database structure that prevents cross-tenant data leaks:
- Every database table maps records to a unique user ID.
- All database queries are scoped by user ID, preventing users from accessing or editing other tenants' data.
- API tokens are isolated at the database schema level, preventing cross-profile operations.
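What scoping every query by user ID looks like in a data-access layer, as an added example (not FigureOut's code). The `locations` table, its columns and the sample rows are constructed for illustration; the unscoped lookup is shown beside the scoped form for contrast.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows for two tenants."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE locations ("
        " id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL, name TEXT NOT NULL)"
    )
    db.executemany(
        "INSERT INTO locations (id, user_id, name) VALUES (?, ?, ?)",
        [(1, 101, "Cafe A"), (2, 101, "Cafe B"), (3, 202, "Clinic C")],
    )
    return db


def get_location_unscoped(db: sqlite3.Connection, location_id: int):
    """Weak form: filters on the client-supplied id only, so any tenant's row matches."""
    return db.execute(
        "SELECT id, name FROM locations WHERE id = ?", (location_id,)
    ).fetchone()


class TenantLocations:
    """Scoped form: user_id comes from the session and is in every WHERE clause."""

    def __init__(self, db: sqlite3.Connection, session_user_id: int):
        self._db = db
        self._uid = session_user_id  # never taken from request parameters

    def get(self, location_id: int):
        return self._db.execute(
            "SELECT id, name FROM locations WHERE id = ? AND user_id = ?",
            (location_id, self._uid),
        ).fetchone()

    def rename(self, location_id: int, name: str) -> bool:
        cur = self._db.execute(
            "UPDATE locations SET name = ? WHERE id = ? AND user_id = ?",
            (name, location_id, self._uid),
        )
        return cur.rowcount == 1  # False when the row is another tenant's

    def list_all(self):
        return self._db.execute(
            "SELECT id, name FROM locations WHERE user_id = ? ORDER BY id",
            (self._uid,),
        ).fetchall()
```

Binding the user ID once at construction means an individual query cannot omit the tenant filter by accident, and writes to another tenant's row affect zero rows.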
6. Self-Serve Account Deletion & Data Retention
You have complete control over your data. You can disconnect your Google Business Profiles or delete your account at any time:
- Disconnect Location: Clears the selected location's sync cache, historical reviews, and scheduled updates from the database.
- Account Deletion: Initiates an immediate hard delete of your workspace data (including Google API tokens) to maintain data privacy.
Review logs and dashboard metrics are kept while your account is active. If your account remains inactive for over 90 days after subscription expiry, we perform a hard delete of your data. Billing details are kept for 7 years to comply with local tax and financial auditing rules in India.
7. Google API User Data Policy Compliance
FigureOut's use and transfer of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We do not transfer your business data, customer reviews, or listing performance metrics to advertising brokers, third-party analytics scripts, or public AI model training pipelines. Your data is strictly used to populate your dashboard and support automation workflows.
8. Incident Response & DPDP Breach Notification SLA
In the event of a personal data breach or security incident affecting FigureOut systems, we execute a strict response protocol in compliance with the Digital Personal Data Protection (DPDP) Act 2023:
- Containment & Isolation: Our operations team isolates affected nodes within 2 hours of detection to secure remaining customer listings and tokens.
- User Notification: We will notify all affected individuals via registered email within 72 hours of identifying a personal data breach, providing details of compromised categories, security measures applied, and Grievance Officer details.
- Regulatory Reporting: FigureOut files detailed breach notifications to the Indian Computer Emergency Response Team (CERT-In) and the Data Protection Board of India (DPBI) within 72 hours, adhering to rules set by the Ministry of Electronics and Information Technology (MeitY).
Report a Security Vulnerability
If you discover a security vulnerability or wish to report a data incident, please contact our privacy desk. We review all security issues immediately.
Data Protection Contact: privacy@figureout.in