FAQ
Common questions, specific answers
Access scope, data handling, audit coverage, reports, and troubleshooting - the questions analytics leads, agency owners, and security reviewers ask before they connect a property.
Scope & Access Control
5 questions
We request a single read-only scope: https://www.googleapis.com/auth/analytics.readonly. This grants access to the GA4 Admin and Data APIs for reading property configurations and aggregated reporting data. The scope does not permit any write, modify, or delete operations.
No. All operations are strictly read-only. The platform cannot alter property settings, create/delete events or conversions, modify audiences, update data streams, or change user permissions. Your GA4 configuration remains untouched.
Access can be revoked instantly from two locations: your 8ms account settings or directly from your Google Account permissions at myaccount.google.com/permissions. Revocation immediately deletes the associated OAuth token from our system.
Viewer access is sufficient for the majority of our 229 checks. However, to run the full suite of GA4 property configuration checks via the Admin API, the authenticating user needs Editor or Administrator permissions on the property.
Yes. As long as your Google account has the necessary permissions (at least Viewer) to the client's GA4 property, you can initiate an audit. The property owner doesn't need their own 8ms account.
Data Handling & Privacy Architecture
3 questions
OAuth tokens are encrypted at rest using Fernet (AES-128-CBC) and stored in a dedicated Supabase instance with row-level security enabled. Audit results (findings, scores, reports) are persisted. Raw GA4 data is only processed in-memory and is never stored.
No. Raw data payloads from the GA4 Data API and BigQuery are processed in-memory during the audit and are not persisted. We only store the output of the audit: the specific findings, severity scores, and generated reports for historical review and team collaboration.
We do not currently hold SOC 2 or other formal certifications. Our security architecture includes service isolation via Google Cloud Run, database-level permissions enforced by Supabase row-level security, Fernet symmetric encryption for credentials, and mandatory TLS 1.2+ for all data in transit. We believe in transparency and don't claim certifications we haven't completed.
Audit Coverage & Detection Logic
3 questions
The audit executes 229 checks across five distinct modules: GA4 property configuration (via Admin API), tag and consent validation (via headless browser), UTM and campaign integrity (via Data API/BigQuery), data quality analysis (via Data API/BigQuery), and e-commerce tracking integrity (via Data API/BigQuery).
Our headless browser (Playwright) crawls the target site, identifies the active Consent Management Platform (CMP), and programmatically interacts with it to simulate consent grants and denials. It then inspects network traffic and GCS/GCD parameters to verify that GA4 tags fire correctly and respect the user's consent state both before and after the interaction.
Most audits complete in under 10 minutes. Execution time is primarily a function of three variables: the number of pages crawled by the headless browser, the latency of the GA4 Data API for the specified date range, and the complexity of the BigQuery queries for data quality checks.
Reports & Deliverables
2 questions
Audit results can be exported as PDF, PPTX, and Excel (XLSX) files. Each export includes detailed findings, severity levels, specific remediation guidance, and the overall measurement integrity score.
Yes, white-labeling is available for agency and enterprise plans. It is a managed setup process, not a self-serve feature, so your brand guidelines are applied correctly. Contact us to discuss your specific formatting and delivery requirements.
Diagnostics & Troubleshooting
2 questions
The most common issue is insufficient permissions. First, verify the Google account you're authenticating with has at least Viewer role on the target GA4 property. Second, ensure you granted consent on the Google OAuth screen. If the connection still fails after retrying, please contact us at support@8ms.com with the property ID.
Checks are skipped when they aren't applicable to the property's configuration. For example, the 33 e-commerce checks will be skipped if no purchase events are detected in the audit period. Similarly, Google Ads linking checks are skipped if no Ads account is linked. This prevents irrelevant findings.
Still have questions?
Run it on your own property
Free audit, read-only OAuth, results in under 10 minutes.