Email Unsubscriber™ Security Transparency Report
Last Updated: April 22, 2026
We believe security claims should be verifiable, not just marketable. This report details our verification status, security tooling, and how to confirm our claims yourself.
1. Google Verification Status
Our Google OAuth integration has completed every stage of Google's multi-stage verification pipeline, including CASA (Cloud Application Security Assessment) — a security framework administered by the App Defense Alliance that Google requires for apps accessing sensitive user data:
- OAuth compliance — Approved
- Privacy policy — Approved
- Scope justification — Approved
- Limited Use compliance — Approved
- CASA security assessment — Approved
Both Google and Microsoft OAuth integrations are fully verified;
2. Security Assessment
We perform continuous static application security testing (SAST) and software composition analysis (SCA) using FluidAttacks — the same tool used by ADA-authorized assessment labs to evaluate applications.
| | CASA Tier 2 Requirement | Our Practice |
|---|---|---|
| Scope | 73 specific CWEs | Full OWASP catalog |
| Frequency | Annual | Every release |
| Open critical/high findings | — | 0 |
| Open medium findings | — | 0 |
| Tolerance | Low-risk acceptable | Zero tolerance — all findings addressed |
Our most recent assessment found 0 open CWEs across all severity levels. We don't limit ourselves to the minimum CASA threshold — every finding is resolved before release, regardless of severity. Our testing covers the full OWASP ASVS catalog;
3. Architecture at a Glance
Your emails never leave your browser. For the complete technical breakdown, see our Privacy Policy.
1. Email scanning happens entirely client-side via direct API calls to your email provider
2. Our backend receives an identity token only — it cannot access your emails
3. Your email access token is never transmitted to or through our servers
4. We request read-only access — we cannot modify, delete, or send emails
4. Verify It Yourself
Our OAuth service is fully open source. Audit exactly how we handle authentication and confirm that email tokens never reach our infrastructure:
github.com/micro-solutions-llc/email-unsubscriber-open-oauth