Security Assessment

To maintain the security of Google users' data, apps that request access to restricted scopes need to undergo an annual security assessment. This assessment verifies that the app can securely handle data and delete user data upon request. Upon successfully passing the security assessment, the app will be awarded a "Letter of validation" (LOV) from the security assessor, indicating its ability to handle data securely.

To improve and standardize our security assessment process, we implemented the App Defense Alliance and the Cloud App Security Assessment framework (CASA).

Key features of the security assessment framework:

  • Standardized requirements based on the OWASP Application Security Verification Standard (ASVS), allowing more automated testing and faster remediation.
  • Tiering: CASA adapted a risk-based, multi-tier assessment approach to evaluate app risk based on user count, scopes accessed, and other app-specific items. Each project will fall under a specific tier.
  • Accelerator: The CASA accelerator is a tool that minimizes the checks you have to complete based on the certifications you have already passed.
  • Annual Recertification: All apps must be revalidated every year. An app's tier can be higher in the following year than it was in the previous year. Once an app has been validated at tier 3, it will continue to be validated at the tier 3 level in each following year.

When should I do a security assessment?

Security assessment of an app is the final step of the restricted scopes review process. Before initiating a security assessment of your app, it is important to complete all other verification requirements. If your app is requesting access to restricted scopes, the Google Trust and Safety team will reach out to you when it's time to start the security assessment process.

To learn more, please refer to CASA.

