We're CASA Tier 2 Certified: What This Means for Your Gmail Security
January 12, 2026
We're excited to announce that Mailflow has successfully completed Google's Cloud Application Security Assessment (CASA) and achieved Tier 2 certification. If you've ever wondered what happens when you click "Allow" on a Google OAuth screen, this article explains why CASA matters and what it means for your data security.
What is CASA?
CASA (Cloud Application Security Assessment) is Google's security review program for third-party applications that access Google Workspace data. It was introduced to ensure that apps requesting access to sensitive user data meet rigorous security standards.
When an app wants to access your Gmail, Google Drive, or Calendar, it needs to go through the OAuth consent process. But that "Allow" button doesn't tell you much about whether the app is actually secure. That's where CASA comes in.
The Three Tiers of CASA
Google's CASA program has three assurance levels (tiers), based on how thoroughly an app's security is verified:
Tier 1 - A self-assessment: the developer scans their own application and attests to the results.
Tier 2 - A verified assessment: an independent, Google-authorized security lab validates the application against the CASA standard. This is the level Google requires for apps using restricted scopes, such as Gmail access.
Tier 3 - The most rigorous level: a full lab-conducted assessment with deeper hands-on verification, reserved for the highest-risk cases.
Mailflow is certified at Tier 2 because we use restricted Gmail scopes to read incoming emails and create draft replies. Tier 2 is the assurance level Google requires for applications like ours.
What We Had to Prove
The CASA assessment isn't a checkbox exercise. It's a comprehensive security review conducted by an independent, Google-approved assessor. Here's what we had to demonstrate:
Secure Data Handling
- No email storage: We process email content to generate replies but don't store your raw emails on our servers.
- Encryption in transit: All communication between your browser, our servers, and Google uses TLS encryption.
- Access controls: Only authenticated users can access their own data, enforced through JWT-based authentication and application-level access controls.
Infrastructure Security
- Secure hosting: Our infrastructure is hosted on Hetzner (EU, Germany). The Next.js frontend, Fastify backend, and self-hosted PostgreSQL database all run on the same VPS, managed via Dokploy.
- Secrets management: API keys and credentials are stored securely, never in code repositories.
- Regular updates: We maintain up-to-date dependencies and patch security vulnerabilities promptly.
Privacy by Design
- Minimal data collection: We only request the OAuth scopes we actually need.
- No AI training on your data: We call LLMs through OpenRouter (currently OpenAI's GPT-4o) via our managed Vectoria layer, under API terms that exclude training on customer data. Your knowledge base is used only for retrieval at reply time.
- Data deletion: We never store email content. The metadata we do retain (opaque message IDs, your settings, and your knowledge base) is deleted within 30 days of account disconnection.
Secure Development Practices
- Code review: All code changes go through review before deployment.
- Dependency scanning: We monitor for vulnerabilities in third-party packages.
- Incident response: We have documented procedures for security incidents.
Why This Matters for You
When you see a Google OAuth screen, you're trusting that app with access to your data. CASA certification means:
- Independent verification: A qualified security firm reviewed our practices, not just us saying "trust us."
- Ongoing compliance: CASA isn't one-and-done. We're subject to periodic reassessment.
- Google's stamp of approval: Apps that fail CASA can have their access restricted or revoked by Google.
The Process Wasn't Easy
Getting CASA certified took us several months and required significant investment in documentation, security infrastructure, and the assessment itself. We had to:
- Document every data flow in our system
- Prove our encryption and access controls
- Show evidence of secure development practices
- Pass penetration testing and vulnerability scans
- Fix any issues identified by the assessor
But it was worth it. Our users deserve to know their email data is handled securely, and CASA gives them that assurance.
Our Commitment to Security
CASA certification is just one part of our security commitment. We also:
- Never store raw email content: We process emails in memory and only save metadata needed for the reply.
- Use cookie-free analytics: We use Umami for privacy-focused analytics that doesn't track individual users.
- Operate under GDPR: As a Belgian company, we're fully GDPR compliant.
- Provide transparency: This blog post, our privacy policy, and our terms of service explain exactly how we handle data.
Questions?
If you have questions about our security practices or CASA certification, reach out to us at contact@mailflowai.com. We're happy to discuss how we protect your data.
Want to try Mailflow? Sign up for free and see how AI-powered email drafts can save you hours each week, with security you can trust.