Synceipt Passes CASA Tier 2 Security Assessment — Verified by TAC Security


We're proud to announce that Synceipt has passed the Cloud Application Security Assessment (CASA) Tier 2, independently verified by TAC Security in just 10 days. Here's what that means for you.

We built Synceipt to handle some of your most sensitive data: bank transactions, email receipts, and financial records. From day one, security has not been an afterthought — it has been a core design requirement. Today, we're proud to share that Synceipt has successfully completed the Cloud Application Security Assessment (CASA) Tier 2, independently verified by TAC Security, a Google-recommended assessor authorized by the App Defense Alliance.

Synceipt completed the CASA Tier 2 assessment in approximately 10 days with just one additional remediation scan — a result that reflects the security-first architecture we've maintained since launch.

What Is CASA Tier 2?

The Cloud Application Security Assessment (CASA) is a framework established by the App Defense Alliance (ADA) — a collaboration between Google, ESET, Lookout, Zimperium, and other major security organizations. It is required for applications that access sensitive user data through Google APIs, such as Gmail and Google OAuth.

CASA has three tiers. Tier 1 is a lightweight self-assessment. Tier 2 requires an independent review by an authorized third-party lab. Tier 3 is the most rigorous and grants the official 'Independent Security Verification' badge on the Google Workspace Marketplace. Synceipt completed Tier 2, which means our security controls were independently validated — not just self-reported.

Why Tier 2 and Not Tier 3?

The required CASA tier is determined by the sensitivity of the Google API scopes your application requests. Tier 3 is mandated for applications that request write or modify access to a user's Gmail — for example, apps that can send emails, delete messages, or alter labels on the user's behalf.

Synceipt requests read-only access to Gmail. We scan your inbox for purchase confirmation emails and extract receipt data — that is the full extent of our email interaction. We cannot send emails, delete messages, move them, or modify anything in your mailbox. Because Synceipt operates exclusively within read-only Gmail scopes, Tier 2 is the correct and complete requirement for our application. Pursuing Tier 3 would not be appropriate for our access model and is not required by Google for read-only use cases.

Synceipt holds read-only email access. We can never send, delete, or modify your emails — which is precisely why Tier 2 is the correct certification level for our use case.

What Was Assessed?

The assessment evaluated Synceipt's application against the OWASP Application Security Verification Standard (ASVS), which covers a broad range of security domains relevant to applications handling sensitive personal and financial data:

Why Did Synceipt Pursue CASA Tier 2?

Synceipt accesses Gmail and Outlook accounts via OAuth 2.0 to extract email receipts — a sensitive capability that requires a high degree of trust. Google requires CASA Tier 2 for applications accessing restricted Gmail scopes to ensure they meet baseline security standards before being allowed to handle user email data at scale.

Beyond compliance, we pursued this assessment because our users deserve to know that an independent expert has reviewed our security architecture. Anyone can claim their app is secure. CASA Tier 2 means a qualified, Google-authorized assessor verified it.

Our Security Journey: 10 Days to Certification

We're pleased to share that Synceipt completed the CASA Tier 2 process in approximately 10 days, requiring only one additional remediation scan. This outcome reflects the security-first architecture we've maintained throughout the product's development.

Key security measures already in place before the assessment began:

What This Means for You

Completing CASA Tier 2 is a meaningful milestone, but it is one piece of an ongoing security commitment. Here's what you can expect from Synceipt:

  1. Annual recertification: CASA certification must be renewed annually. We will repeat this process every year to ensure our security controls continue to meet evolving standards.
  2. Ongoing security reviews: Beyond CASA, we continuously review our architecture for new risks and apply security patches promptly as the threat landscape evolves.
  3. Transparency: We will continue to be open about our security posture. If you have specific questions about how we protect your data, reach out through our feedback form.

Frequently Asked Questions

What is CASA Tier 2?
CASA (Cloud Application Security Assessment) Tier 2 is an independent security review required by Google for apps accessing sensitive user data via Google APIs. It is conducted by App Defense Alliance authorized assessors and validates compliance with OWASP security standards.

Who performed the assessment?
TAC Security, a Google-recommended and App Defense Alliance authorized assessor, independently reviewed Synceipt's security architecture and controls.

Does CASA Tier 2 mean Synceipt is completely secure?
CASA Tier 2 validates that our application meets a rigorous set of OWASP-aligned security controls as assessed by a qualified independent lab. No application can guarantee zero risk, but this assessment confirms that we have implemented industry-recognized security best practices across authentication, data protection, API security, and more.

Does Synceipt have the Google 'Independent Security Verification' badge?
The official badge on the Google Workspace Marketplace is reserved for Tier 3 participants. Synceipt completed Tier 2, which requires an independent third-party review. We can and do reference our Tier 2 validation in our own communications and home page.

What happens to my data if Synceipt ever shuts down?
Our Privacy Policy describes data deletion procedures. You can also delete all your data at any time from the Settings page. We are committed to data minimization — we only store what is necessary to provide the service.

Ready to Try Synceipt?

Connect your bank and email accounts and let Synceipt automatically match your receipts to transactions — backed by independently verified security.
