Apps that access restricted scopes are required to complete a security assessment every 12 months. This 12-month period is calculated from the effective date of the app's previous Google "Letter of Validation" (LOV).
The OAuth verification team will contact you via email once it’s time for your app to reverify. Keeping your Project Owner and Editor information up-to-date in your Cloud Project Console will ensure the right members of your team are notified of this annual re verification.
How do I prepare for my annual security reassessment ?
- The OAuth verification team will contact you to start the re-verification process.
- During the re-verification, your app will be reviewed for compliance with the Google APIs Terms of Service, Google's API Services User Data Policy, the product specific User Data Policy (if applicable), and the Additional Requirements for Specific Scopes.
- Please keep an eye out for communication from the OAuth verification team and follow the instructions provided. In most cases, the OAuth verification team will be able to complete the compliance checks without any action required from the developers.
- After compliance requirements are reverified, you will receive instruction to complete a security assessment as per the revalidation requirements of CASA framework and receive a renewed "Letter of validation".
- If you have any other projects that you wish to add to your Letter of validation, please ensure that these projects have undergone the OAuth verification process, and that Google has granted you the necessary eligibility to proceed with a security assessment.
- To obtain a Letter of validation (LOV), you must address any critical or high findings from the current year's assessment test.
- We require the annual security reassessment to be a comprehensive test of your app, regardless of any changes made to the app.