When do I have to submit for security assessment?

I wanted to publish my app on Google Cloud Platform when I bumped into the fact that using sensitive scopes (Sheets API in this case) requires me to verify my app.

I am fine with that, but I cannot understand exactly the process. Is my app required to be submitted to security assessment, period?

I've seen some exceptions to the fact that the security assessment is needed, but unfortunately my app wouldn't hit any of those points (maybe the limit of users, but that potentially only in an early stage).

The scope that I require is the whole CRUD for Google Sheets, with the endpoint googleapis.com/auth/spreadsheets

Is there any possibility that I would not be required to undergo security assessment, or is it there by default and I will be obliged to pay a fee for such an audit?

ACCEPTED SOLUTION

3rd party security assessments are only required for a few specific scopes classified as restricted -- see https://developers.google.com/terms/api-services-user-data-policy#additional-requirements-for-specif...

Sensitive scopes currently don't require a 3rd party assessment. The app will still get some more scrutiny during reviews to review usage of those scopes, but it mostly comes down to justifying the use of the scopes and data and providing a video showing how the scopes are presented in the context of the app. 

3 REPLIES

Leave it as internal (if you use Google Workspace) and have test users (up to 100) if the API will be only for your use. You need to run the verification process if you make your app public.

Thanks for the answer @davidsalomon

I definitely have to go public with the app. The main question is whether the verification process always comes with a security assessment from an external researcher.