Sign in to manage
When you sign in to manage a deployment, deploy-service holds your Google OAuth tokens to call your Cloud Run on your behalf. Tokens are encrypted at rest with Fernet, retained on a ≤24h sliding window (1-day GCS lifecycle floor), and deleted when you sign out. Memory content never traverses deploy-service for Manage operations. Operational logs hosted by Vercel may include your deployment's project identifier for up to 24 hours (rc.1 limitation; path-indirection privacy upgrade ships rc.2). Spec 036 migrates the encryption to KMS.
Full version at /privacy#manage-session.
We never see your Google password. The Suvadu deploy-service holds your OAuth tokens on your behalf — see the disclosure above.