Google received the Letter of Validation confirming that Email Unsubscriber™ passed App Defense Alliance’s CASA Tier 2. CASA Tier 2 is the independent verification Google requires of every app that reads users’ emails in Gmail.
TAC Security, Google’s authorized assessment lab, ran the assessment. The audit covered 100+ automated security checks against the Cloud Application Security Assessment (CASA) framework, plus a thorough review of 20+ security aspects covering data handling, credentials, access, and incidents.
Why it matters
- Independent proof of our security claims. A third-party lab, authorized by ADA, reviewed our code and our operating practices. Outside validation now backs the word “secure” on our site.
- Validation of “No access to email data.” A recurring theme in the review: “Where does user data live and how do you protect it?” Our answer is short. We don’t store users’ email data because we never access it. The scanner runs in the user’s browser. Our servers see nothing.
- Formal sign-off on what we built. The assessment validates the architecture we picked from day one: read-only OAuth scopes, AES-256 encryption at rest, browser-side scanning, and one-off payments that remove the incentive to hoard data for retention metrics.
What this unlocks
We support Gmail now. Until today, Microsoft/Outlook was the only provider we supported. Gmail sat behind a “Coming soon” label pointing to our security page. With CASA validation in hand, Google finalized our verification, and Gmail accounts work today.
What’s next
We want Email Unsubscriber to reach more users. The roadmap covers more email providers, with custom integrations as a longer-term goal.
The validation took a few weeks of infrastructure improvements, paperwork, and back-and-forth with Google and the assessor. Outside validation backs a privacy claim better than self-reporting can, and that’s why we did it.
