Evaluate a Marketplace app's security

Because G Suite Marketplace apps are developed and offered by third-party developers, you should install an app only if you trust the app’s developer and vendor. You are solely responsible for any compromise or loss of data that may result from using a Marketplace app. Please see the G Suite Marketplace Terms of Service for more information.

G Suite Marketplace app developers must adhere to the Marketplace's listing requirements, program policies, and Developer Agreement, which requires developers to be clear in setting forth the terms under which they offer their services.

How to evaluate a vendor or application

Here are some things you can do to help verify whether an app is trustworthy, before installing:

  • Look at customer reviews and ratings (available for all Marketplace apps).
  • Carefully read through the vendor’s Terms of Service, privacy policy, and deletion policy.
  • Contact the vendor directly with any questions.

About gadgets

Some vendors may include gadgets in their apps. Gadgets are full-fledged web applications (HTML, CSS, and JavaScript) that run within the context of G Suite. They can be installed in Gmail, Calendar, Drive, and Sites.

Gmail contextual gadgets are a special class of gadgets that extract data from a message and provide contextually relevant information to your users in the message pane.

A poorly written gadget may have vulnerabilities and expose your users to risks, including phishing attacks and data loss. Only install gadgets that you trust.

G Suite Marketplace Security Assessment Program

Under the new G Suite Marketplace Security Assessment Program, developers can submit their app to a third-party security firm that performs a security assessment of their Marketplace app. Apps that pass the security assessment display a security badge in their Marketplace listing.

To earn a security badge, apps must pass testing and review by the security firm in four key areas:

  • External Network Penetration - Identifies potential vulnerabilities in external, internet-facing infrastructure systems
  • Application Penetration - Identifies potential vulnerabilities in applications that access user data
  • Deployment Review - Identifies exploits and vulnerabilities in developer infrastructure
  • Policy and Procedure Review - Examines efficacy of information security policies and procedures

While the security assessment badge is not a guarantee against every possible threat or harm, it shows that an app has successfully passed a security review based on all the criteria above. For specific information on what's included in each assessment, see the Google Cloud Platform Help Center.

To keep a security badge, apps must be reassessed every 12 months.

As always, G Suite admins have the ability to turn off and disable installation of G Suite Marketplace apps, delete an app, or grant or revoke data access for an app.
