Skip to content
News

Email Unsubscriber is now CASA Tier 2 validated

Our app just cleared ADA's CASA Tier 2 and we're really hyped about it! Here's what it unlocks and what that means for users.

Email Unsubscriber Team 1 min read
CASA Tier 2 validation badge

Google has just received the Letter of Validation confirming that Email Unsubscriber passed App Defense Alliance’s CASA Tier 2 - the independent verification required by Google for every app requesting to read users’ emails in Gmail.

The assessment was carried out by TAC Security — Google’s preferred authorized assessment lab — and covered 100+ automated security checks against the Cloud Application Security Assessment (CASA) framework, plus a thorough review covering 20+ security aspects on how we handle data, credentials, access, and incidents.

Why it matters

  • Independent proof, not a marketing claim. A third-party lab, authorized by ADA, reviewed our code and our operating practices. The word “secure” on our site is no longer a self-report.
  • Reassurance that “No access to email data” was the right approach. A recurring theme in the review: “Where does user data live and how do you protect it?” Our answer stayed simple — we don’t store any of the users’ email data anywhere because we never access it. Only the user’s browser does - the scanner runs there directly.
  • Formal confirmation of what we already built. The assessment validates the things we architected from day one: read-only OAuth scopes, AES-256 encryption at rest, browser-side scanning, and one-off payments that remove the incentive to hoard data for retention metrics.

What this unlocks

Gmail is now supported. Until today, Microsoft/Outlook was the only provider we supported, and Gmail sat behind a “Coming soon” label pointing to our security page. With the CASA validation in hand, Google has finalized our verification and we officially support Gmail accounts.

What’s next

We’re committed to making Email Unsubscriber available to as many users as possible, so expanding the support to other well-known email providers — and maybe even custom integrations, who knows? — is on the roadmap. Stay tuned!

Thanks for being patient while we worked through it. It took us a few weeks of infrastructure improvements, paperwork, and back-and-forth with Google and our chosen assessor, but it was worth it: outside validation is the only way a privacy claim means anything.