Your Documents Stay in Your Drive
MassEdit is built around a simple principle: we process your documents, we don't store them. Here's exactly how we handle your data and protect your Google account.
We never store your document content
When MassEdit processes your Google Docs, content is read from Google's servers, processed in memory, and written back — all in real time. No document text, no file content, nothing is ever saved on MassEdit's servers. Your documents stay in your Google Drive, where they belong.
Account Security
Email confirmation required
Every new account's email address must be verified before sign-in. Unconfirmed accounts cannot access the service.
Strong password requirements
Passwords must be at least 8 characters long and include an uppercase letter, a lowercase letter, a number, and a special character.
Account lockout protection
Accounts are automatically locked for 5 minutes after 5 consecutive failed login attempts, blocking brute-force attacks.
Multi-factor authentication (TOTP)
MFA is available for all accounts using standard authenticator apps such as Google Authenticator, Authy, and Microsoft Authenticator. It is enforced for enterprise accounts.
Secure password reset
Password resets use single-use tokenized links sent to your confirmed email address.
HTTPS everywhere
All connections are encrypted via TLS. HSTS is enforced in production to prevent downgrade attacks.
Google Account Access
MassEdit connects to your Google account only to perform document editing — it is entirely separate from your MassEdit login. We request only the minimum permissions needed, and you can disconnect at any time.
| Permission | What it allows | What we do NOT do |
|---|---|---|
| userinfo.email | Identify which Google account you've connected | No other profile data accessed or stored |
| documents | Read and apply find/replace edits to the Google Docs you select | Document content is never stored on our servers |
| drive.file | Access only files you explicitly select via the Google Picker widget | Cannot read, list, or access any files you haven't selected |
Google API Services User Data Policy
MassEdit's use of Google API data complies with the Google API Services User Data Policy, including all Limited Use requirements. We do not use Google data for advertising, do not sell or share it with third parties, and do not use it for any purpose unrelated to providing document editing services.
To disconnect MassEdit from your Google account: Go to Settings → Google Account → Disconnect, or visit myaccount.google.com/permissions. All stored tokens are deleted immediately.
Data Handling & Storage
- Google Document content is processed in memory only — never downloaded or stored on MassEdit servers
- Google OAuth refresh tokens are encrypted using AES-256 (ASP.NET Data Protection) before database storage
- Tokens are decrypted on-demand only when making Google API calls — never exposed in logs or responses
- All application secrets (API keys, credentials) are managed via environment variables — never stored in code or configuration files
- Job history stores only metadata (document count, replacement count, timestamps) — never document content
- Job metadata is automatically deleted after 90 days
- No third-party analytics or tracking SDKs are embedded in the application
- No advertising cookies — only essential functional cookies required to operate the service
Deployment Options for Enterprise
Organizations with stricter security or compliance requirements can choose self-hosted deployment, giving your IT team full control over the environment.
GDPR & Privacy Compliance
- MassEdit is operated by Exis LLC (New Jersey, USA) and complies with GDPR for EU and UK customers
- EU/UK data transfers are governed by Standard Contractual Clauses (SCCs)
- EU and UK users have full rights to access, correct, delete, and export their personal data
- Data breach notification to affected customers within 48 hours of discovery
- Corporate customers may request a Data Processing Agreement (DPA) — contact us at admin@massedit.app
Need More Detail?
Enterprise and corporate customers can request our full Security Overview document, a Data Processing Agreement (DPA), or discuss self-hosted deployment options.
Related documents: Privacy Policy, Terms of Service, Request a DPA