ZenMail has successfully completed the Cloud Application Security Assessment (CASA), satisfying all Tier 2 requirements. The assessment was conducted by an independent security lab authorized by the App Defense Alliance — the same body backed by Google to set application security standards across the industry.
Security and privacy have been the foundation of ZenMail since day one. CASA Tier 2 verification is the structured, third-party confirmation that the architecture lives up to that promise.
What is CASA?
The Cloud Application Security Assessment is an industry security framework developed by the App Defense Alliance and backed by Google. It builds on the OWASP Application Security Verification Standard (ASVS), the widely used reference for application-layer security, and codifies it into a consistent set of requirements for apps that access sensitive user data through cloud APIs such as Google's.
Tier 2 is a lab-verified assessment: an independent lab authorized by the App Defense Alliance reviews the organization's security policies, verifies the application with automated security scanning of its code, and reviews the threats the app must defend against, then confirms that the CASA requirements are met.
Why did ZenMail get verified?
Several of the OAuth scopes ZenMail requests, most importantly the Gmail API scopes that grant access to mailbox contents, are classified by Google as restricted scopes. An app that requests restricted scopes must pass Google's OAuth app verification, which includes an independent CASA security assessment, before it can be published to production. Until then the app's OAuth consent screen stays in testing status, which only lets a manually added list of up to 100 test users sign in.
CASA Tier 2 is the bar that clears an app for production with restricted scopes. ZenMail meets it.
What this means for ZenMail users
ZenMail was built around a simple principle: your email belongs to you, and it should live on your machine. ZenMail talks directly to the Gmail API: there is no intermediate cloud sync service, no provider dashboard holding everyone's inboxes, and no shared infrastructure. Email is stored locally in an encrypted SQLite database on your Mac. The codebase is native Rust, whose safe subset rules out whole categories of memory-safety bugs (use-after-free, buffer overflows, data races) by construction; the usual caveats apply to any `unsafe` blocks and foreign-function boundaries, which is part of what the scanning and review look at. The UI runs in the system's WKWebView under a strict Content Security Policy that allows scripts only from the app itself, so no third-party script can load.
CASA Tier 2 verification is independent confirmation of that architecture. An independent lab reviewed the code through automated scanning, the data flows, and the operational policies, and signed off that ZenMail meets the security bar Google sets for apps handling sensitive user data.
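To make the "strict Content Security Policy" claim concrete, here is an added example, written for this page and not ZenMail's own code, that parses a CSP string and answers the two questions a reviewer asks of a web-view UI: can a script from a third-party origin load, and are inline scripts permitted? The two policies and the `app://local` document origin are constructed for illustration (a WKWebView app typically serves its UI from a custom scheme; the actual scheme and policy ZenMail uses are not stated on this page). The matcher covers `'self'`, `'none'`, `*`, scheme-only and wildcard-host sources, and the script-src to default-src fallback; it does not model nonces, hashes or `'strict-dynamic'`.

```rust
use std::collections::HashMap;

// Constructed policies for illustration (not ZenMail's actual CSP).
pub const LAX_CSP: &str = "default-src *; script-src * 'unsafe-inline'";
pub const STRICT_CSP: &str = "default-src 'none'; script-src 'self'; style-src 'self'; \
                              img-src 'self' data:; connect-src https://gmail.googleapis.com";
// Hypothetical custom scheme from which the web view loads the bundled UI.
pub const APP_ORIGIN: &str = "app://local";

/// Parse a CSP string into directive name -> source expressions.
/// Directive names are case-insensitive; source expressions are kept as written.
fn parse_csp(policy: &str) -> HashMap<String, Vec<String>> {
    policy
        .split(';')
        .filter_map(|directive| {
            let mut parts = directive.split_whitespace();
            let name = parts.next()?.to_ascii_lowercase();
            Some((name, parts.map(str::to_string).collect()))
        })
        .collect()
}

/// The source list governing scripts: script-src, else default-src, else none at all
/// (no applicable directive means the browser allows everything).
fn script_sources(directives: &HashMap<String, Vec<String>>) -> Option<&Vec<String>> {
    directives.get("script-src").or_else(|| directives.get("default-src"))
}

/// Does a host-source expression ("https://cdn.example.com", "https://*.example.com", "https:")
/// match a script origin? This is the subset of CSP host matching the checks below need.
fn host_matches(expr: &str, origin: &str) -> bool {
    if let Some(scheme) = expr.strip_suffix(':') {
        if !scheme.contains('/') {
            // Scheme-only source: "https:" matches any https origin.
            let prefix = format!("{}:", scheme.to_ascii_lowercase());
            return origin.to_ascii_lowercase().starts_with(&prefix);
        }
    }
    if let Some((scheme, host)) = expr.split_once("://") {
        if let Some(suffix) = host.strip_prefix("*.") {
            // Wildcard host: "https://*.example.com" matches "https://a.example.com".
            return origin
                .strip_prefix(scheme)
                .and_then(|rest| rest.strip_prefix("://"))
                .map_or(false, |h| h.ends_with(&format!(".{suffix}")));
        }
    }
    expr.eq_ignore_ascii_case(origin)
}

/// Would a script fetched from `origin` be allowed in a document whose origin is `self_origin`?
pub fn script_allowed(policy: &str, self_origin: &str, origin: &str) -> bool {
    let directives = parse_csp(policy);
    let Some(sources) = script_sources(&directives) else { return true };
    if sources.iter().any(|s| s == "'none'") {
        return false;
    }
    sources.iter().any(|src| match src.as_str() {
        "'self'" => origin.eq_ignore_ascii_case(self_origin),
        "*" => true,
        s if s.starts_with('\'') => false, // keyword sources never match a host
        s => host_matches(s, origin),
    })
}

/// Does the policy permit inline <script> blocks? Inline script is the classic XSS
/// foothold, so a strict policy for a mail client must answer "no".
pub fn allows_inline_scripts(policy: &str) -> bool {
    let directives = parse_csp(policy);
    script_sources(&directives).map_or(true, |s| s.iter().any(|x| x == "'unsafe-inline'"))
}

fn main() {
    let cdn = "https://cdn.example.com";
    for (name, policy) in [("lax", LAX_CSP), ("strict", STRICT_CSP)] {
        println!(
            "{name}: third-party script allowed = {}, inline scripts allowed = {}",
            script_allowed(policy, APP_ORIGIN, cdn),
            allows_inline_scripts(policy)
        );
    }
}
```

The lax policy is what an app gets when it cargo-cults `*` to make a CDN "just work": any origin can inject script, and a single HTML-rendering bug in the mail view becomes code execution inside the web view. The strict policy starts from `default-src 'none'`, opens only the sources the UI actually needs, and limits network access to the Gmail API endpoint, which is the shape of policy that can honestly be described as blocking every third-party script.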
Will there be ongoing security assessments?
Yes. CASA verification is not a one-shot certificate. To keep Gmail API access, ZenMail re-assesses on the annual cadence Google requires for restricted scopes, and any material change to the architecture triggers a fresh review. The standard is continuous, not a single moment in time.
Your trust is what makes ZenMail worth building. CASA Tier 2 verification is one more way of earning it.