CASA SAQ - Evidence Required 🧐
After submitting my answers to the SAQ questions, I was asked to provide EVIDENCE for three of the questions. Here is what they wrote: "Please share the evidence of point no. 4, 15, 20 from the SAQ." Here are the three questions:

➡ 04. Verify that all sensitive data is identified and classified into protection levels.
➡ 15. Verify that the application, configuration, and all dependencies can be re-deployed using automated deployment scripts, built from a documented and tested runbook in a reasonable time, or restored from backups in a timely fashion.
➡ 20. Verify that the application protects against LDAP injection vulnerabilities, or that specific security controls to prevent LDAP injection have been implemented.

At this point, I do not know how to provide this evidence, so I'm going to ask José and get this figured out. Once I figure it out, I'll post the answer below here.
CASA SAQ 🔒 The Exact Questions - Full List
Because my extension uses gmail.modify and authenticates through OAuth, Google automatically triggered a CASA review. It’s a thorough process, and for anyone trying to prepare, here are the actual SAQ questions I received.

FYI... I went through TAC Security for the CASA review as that is what Google recommended. However, there was one piece of it where my developer José saved me over $1000 because of how TAC Security lists the pricing options. I'll document that later and put a link here when it's up.

Here are the questions:

1. Verify documentation and justification of all the application's trust boundaries, components, and significant data flows.
2. Verify the application does not use unsupported, insecure, or deprecated client-side technologies such as NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets.
3. Verify that trusted enforcement points, such as access control gateways, servers, and serverless functions, enforce access controls. Never enforce access controls on the client.
4. Verify that all sensitive data is identified and classified into protection levels.
5. Verify that all protection levels have an associated set of protection requirements, such as encryption requirements, integrity requirements, retention, privacy and other confidentiality requirements, and that these are applied in the architecture.
6. Verify that the application employs integrity protections, such as code signing or subresource integrity. The application must not load or execute code from untrusted sources, such as loading includes, modules, plugins, code, or libraries from untrusted sources or the Internet.
8. Verify that the application has anti-automation controls to protect against excessive calls such as mass data exfiltration, business logic requests, file uploads or denial of service attacks.
9. Verify that files obtained from untrusted sources are stored outside the web root, with limited permissions.
10. Verify that files obtained from untrusted sources are scanned by antivirus scanners to prevent
CASA Triggered… Here’s What I Learned
I’m launching a Chrome extension and recently found out that requesting gmail.modify was enough to trigger a CASA review. I’m fully supportive of Google taking security seriously… I just didn’t realize upfront how quickly certain scopes escalate the process. Note: for my extension I am not changing, storing, editing, modifying or even reading the emails inside Gmail.

Here’s what actually triggered it:

1. Using gmail.modify: Even though my extension only needs to delay and adjust outgoing emails, any scope that can read or modify message content pushes you toward CASA.
2. chrome.identity + OAuth: Once you combine OAuth with a scope that touches user email, Google wants a clear explanation of how data is handled end-to-end.
3. Storing small amounts of email-related activity: Even encrypted metadata (like tracking edits) requires details on encryption, access, storage, and retention.

What Google asked me for:

- Encryption algorithms
- Screenshot of encrypted Firestore data
- Whether any Google user data is stored
- Why gmail.modify is required
- Where the data lives and who can access it

The process is thorough and ultimately a good thing… it just sets a higher bar than I expected when I started. If you’ve gone through CASA or are preparing for it, share your experience. Hopefully this helps other devs know what to expect before they hit that point.
Chrome Extension Developers
skool.com/chrome-extension-developers-6389