Security
A short overview of how FormSlug is built to be safe to install on your Google Workspace domain and safe to share with your visitors. For data-handling specifics, see Privacy.
OAuth scopes
FormSlug requests the minimum set of OAuth scopes needed to operate. Each one is narrow.
| Scope | What it allows | What it does not allow |
|---|---|---|
| forms.currentonly | Read and update the Google Form currently open in the editor where the FormSlug sidebar runs. | Any other form, even one owned by the same user. |
| script.external_request | Apps Script calls FormSlug’s backend (api.formslug.com) to create and manage slugs. | Calls to any other host. |
| script.container.ui | Render the sidebar UI inside Google Forms. | Access to form data or other parts of Workspace. |
| userinfo.email · userinfo.profile · openid | Identify you when you sign in. | Read messages, files, or any other personal data. |
FormSlug never requests Drive, Gmail, Calendar, or any “restricted” scope.
What FormSlug can and cannot see
- ✅ The single Google Form you have open when you launch the sidebar — to read its URL so a slug can point to it.
- ❌ Other Google Forms you own.
- ❌ The responses submitted to any form.
- ❌ Anything in Google Drive, Gmail, Calendar, Sheets, or Docs.
- ❌ The identity of visitors who click your slug URLs.
Authentication
- Sign-in uses Google Workspace accounts. Personal @gmail.com accounts are blocked.
- Each member of a workspace must individually grant FormSlug access — a workspace admin cannot install on a teammate’s behalf without their consent.
- Workspace admins can also push the add-on to all users via the Google Workspace Admin console; each user still goes through OAuth consent on first use.
TLS and custom domains
- All FormSlug endpoints are HTTPS-only.
- Custom domains (go.yourcompany.com) are served via Caddy with automatic TLS certificate issuance and renewal through Let’s Encrypt. There is no path to a non-HTTPS redirect.
Link safety
Every destination URL is validated when a slug is created or edited:
- It must match a strict pattern for a published Google Forms URL (docs.google.com/forms/d/e/<form-id>/viewform).
- URLs to closed forms, edit URLs, response views, or any non-Forms destination are rejected.
In addition, FormSlug periodically checks destination URLs against Google Web Risk (malware, phishing, social-engineering lists). If a destination is flagged, the corresponding slug is automatically paused and the workspace admin is notified.
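As an added illustration of the structural part of this check (example code, not FormSlug’s own), the validator below accepts only an HTTPS URL of the shape docs.google.com/forms/d/e/<form-id>/viewform and rejects edit URLs, response views and other hosts; the form-id alphabet and length are assumptions, and whether a form is open or closed cannot be read from the URL, so that part of the rule is out of scope here.

```javascript
// Added example (not FormSlug's code): structural validation of a slug destination.
// Rule from the page: only docs.google.com/forms/d/e/<form-id>/viewform is accepted.
// Assumptions: HTTPS is required; a form id is a URL-safe token [A-Za-z0-9_-] of 20-120 chars.

const ALLOWED_HOST = "docs.google.com";
const FORM_ID = /^[A-Za-z0-9_-]{20,120}$/; // assumed id alphabet and length

// Returns { ok: true, url } with a canonical URL (query and fragment dropped),
// or { ok: false, reason } naming the first rule that failed.
function validateFormsDestination(input) {
  let url;
  try {
    url = new URL(String(input)); // normalises scheme/host case and "../" segments
  } catch {
    return { ok: false, reason: "not-a-url" };
  }
  if (url.protocol !== "https:") return { ok: false, reason: "not-https" };
  if (url.username || url.password) return { ok: false, reason: "credentials-in-url" };
  if (url.hostname !== ALLOWED_HOST) return { ok: false, reason: "wrong-host" };

  // Exact path shape: ["", "forms", "d", "e", <form-id>, "viewform"]
  const seg = url.pathname.split("/");
  if (seg.length !== 6 || seg[1] !== "forms" || seg[2] !== "d" || seg[3] !== "e") {
    return { ok: false, reason: "not-a-published-form-path" }; // e.g. /forms/d/<id>/edit
  }
  if (seg[5] !== "viewform") {
    return { ok: false, reason: "not-viewform" }; // e.g. viewanalytics, formResponse
  }
  if (!FORM_ID.test(seg[4])) return { ok: false, reason: "bad-form-id" };

  // Store the canonical form; tracking parameters and fragments are not part of the destination.
  return { ok: true, url: `https://${ALLOWED_HOST}/forms/d/e/${seg[4]}/viewform` };
}

// Constructed sample inputs; the form id is made up.
const SAMPLE_ID = "1FAIpQLSe_constructedExampleFormId_0123456789";
const samples = [
  `https://docs.google.com/forms/d/e/${SAMPLE_ID}/viewform?usp=sf_link`, // accepted, canonicalised
  `HTTPS://DOCS.GOOGLE.COM/forms/d/e/${SAMPLE_ID}/viewform`,             // accepted, case normalised
  `https://docs.google.com/forms/d/${SAMPLE_ID}/edit`,                   // edit URL, rejected
  `https://docs.google.com/forms/d/e/${SAMPLE_ID}/viewanalytics`,        // response view, rejected
  `http://docs.google.com/forms/d/e/${SAMPLE_ID}/viewform`,              // plain HTTP, rejected
  `https://example.com/forms/d/e/${SAMPLE_ID}/viewform`,                 // other host, rejected
];
for (const s of samples) console.log(JSON.stringify(validateFormsDestination(s)), "<-", s);
```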
Audit log
FormSlug keeps an internal audit log of sensitive workspace events:
- Plan changes (upgrades, downgrades).
- Role changes (member ↔ manager).
- Workspace ownership transfers.
- Web Risk auto-blocks and auto-clears.
The log is used for support investigations and security review. Access is restricted to FormSlug operators acting on a specific incident or customer request; it is not used for analytics, marketing, or any user-facing surface.
Reporting a vulnerability
If you find a security issue, please email hello@formslug.com. We aim to acknowledge reports within two business days and thank you for working with us privately while we investigate.
Compliance
- FormSlug’s use of Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements. See Privacy for details.
- Data is hosted in the EU (Belgium / Netherlands multi-region).