Last Updated: 23.02.2026
Important Note
All publishing actions are manual and authorized. Data is never used for advertising or AI training without explicit user consent. All access requires explicit user consent via OAuth 2.0 authorization.
Secure Transmission
All data transmitted between users, Gooanaliz, and Google APIs is encrypted using TLS 1.2 or higher over HTTPS. This ensures that sensitive information such as business details, reviews, and login credentials is protected during transmission.
Encryption at Rest
All stored data, including reviews, business information, and analytics, is encrypted at rest using industry-standard AES-256 encryption. Backup data and log files are also encrypted.
Access Control
Gooanaliz enforces strict role-based access control (RBAC) to ensure that only authorized personnel can access sensitive data.
- Admin accounts can manage system settings and approve publishing actions.
- Operational users can only view or interact with the business profiles they are assigned to.
- No user has access to profiles outside their authorized scope.
Tenant Isolation
Each business profile is logically isolated within the system:
- Data from one business cannot be accessed or modified by another business.
- API tokens are scoped per account to prevent cross-tenant access.
- Multi-tenant isolation ensures compliance with Google’s Limited Use policy.
Activity Monitoring
All system activity, including API calls, publishing attempts, and login events, is logged and continuously monitored.
Alerts are triggered for suspicious or anomalous behavior.
Logs are used for auditing and security incident response.
Rate Limiting & Abuse Prevention
To prevent automated misuse or spam:
- API requests and publishing actions are rate-limited per account.
- Abnormal request patterns trigger automatic throttling and review.
- Manual intervention ensures system integrity and prevents accidental abuse.
Incident Response
In case of a security incident or breach:
- All affected accounts and business profiles are identified immediately.
- Unauthorized access is blocked.
- Notifications are sent to affected users if required by regulation.
The system follows a documented incident response protocol aligned with industry standards.
Google API Authorization and Usage Explanations
1. Authorization and Access
**Question: How and under what conditions do you access customer data?**
- Access to all business data is provided only with the explicit consent of the business owner (OAuth 2.0).
- Separate authorization is obtained for each branch; the authorization for one branch does not cover other branches.
- Access is performed only by authorized users through the central dashboard.
- All calls to the Google API are made on the server side; no user information is stored or processed on the client side.
- The business owner can revoke the authorization at any time; in this case, all access is terminated immediately.
2. Manual Process and Automation
**Question: Are operations performed automatically or manually?**
- All review responses and posts are made manually and checked by authorized personnel.
- Webhooks are triggered for notification purposes only; responses or posts are not generated automatically.
- The system does not feature automatic sharing, AI-based content generation, or bulk automatic processing.
- Each post and review response is processed through a manual approval and control mechanism.
3. Multi-Branch Management
**Question: How do you manage multiple branches from a single dashboard?**
- Multi-branch management is done via the central dashboard, and separate authorization is applied for each branch.
- The data of businesses with 100+ branches is processed securely and in an isolated manner on the server side.
- The dashboard presents all metrics such as visibility, performance, and review analysis for each branch as separate reports.
- No personnel or system other than authorized users can access this data.
4. Security and Compliance
**Question: How do you protect customer data and what legal regulations do you comply with?**
- Data processing activities comply with all data protection regulations, including KVKK and GDPR.
- No user data is shared with third parties or used for advertising/AI training.
- All data calls and analyses are performed securely on the server side.
- Dashboard and API access are restricted to authorized admin accounts.
- SSL/TLS encryption and access control mechanisms are implemented for data security.
5. API Usage and Official Source
**Question: In what way do you use the Google API, and is it official?**
All operations are performed via the Google Business Profile API.
Our agency is officially registered with a Business Profile organization account.
API usage is fully compliant with Google policies and occurs only on the server side for authorized accounts.
The operations performed via the API are as follows:
- Updating profile information (address, phone, working hours)
- Reading reviews and sending manual responses
- Adding and managing photos
- Sharing posts and retrieving analytical data
6. Authorization Termination and Auditing
**Question: What happens if a customer revokes authorization?**
- The business owner can terminate the authorization given through the Google panel at any time.
- When authorization is revoked, data access is immediately cut off, and the relevant branch data is no longer visible on the dashboard.
- All operations are logged and can be audited, so it can be verified that every activity was performed by an authorized user.
7. Data Processing Policy
**Question: Can customer data be used for other purposes?**
- No data is used for ad targeting or artificial intelligence training.
- All data is processed solely for analysis, reporting, and manual operations with customer authorization.
- Data is not shared with third-party platforms or service providers.
8. Reporting and Analysis
**Question: How do you report the data?**
- Visibility, engagement, performance, and review analysis for all branches are presented through the dashboard.
- Analyses are shared after manual review and approval by authorized users.
- Each report is processed on the server side and is viewable only by authorized accounts.
9. Sustainable and Reliable Agency Solution
**Question: Is this solution reliable and continuously available?**
- Gooanaliz is a centralized management and analysis platform for multi-location Google Business Profiles.
- All operations are controlled by authorized users, and the system is compliant with the official API.
- User data is never shared with third parties and is limited by the authorization given by the business owner.