CASA Tier 2 update: step 1 of 6 cleared, lab scan starts next

Update (July 2026): the review is complete. We cleared all six steps and Google verified DataToRAG on June 29, 2026. This was step 1 of 6 at the time of writing. Here's the wrap-up.
Earlier this month we wrote about why DataToRAG shows Google's "unverified app" warning and what we were doing about it (read that first if you missed it). This is a short progress update.
Application intake with TAC Security, the CASA-authorized lab we engaged for the Tier 2 assessment, is complete. Step 1 of 6 is cleared in their dashboard. The lab scan starts next.

What just finished
Step 1 covers application scoping. You submit your architecture, the OAuth scopes in scope for the review, the runtime environment, the data-handling story, and the contact information for the engineers responding to findings. TAC reviewed and accepted ours.
For us, that meant documenting:
- Production architecture (Node, TypeScript, Drizzle, Postgres on AWS Lightsail)
- Restricted Google scopes we use: Gmail (modify, send), Drive (full), Calendar, Contacts, Sheets, Slides, Docs
- OAuth handling, including the refresh-token rotation and family-revoke we shipped two weeks ago
- Where user tokens are stored and how they are encrypted at rest
- Logging, retention, and access-control posture
What comes next
Five steps left:
- Scan Your App. TAC runs an automated and manual security scan of the application against the CASA requirements. This is the part with the largest variance in duration.
- Report Generated. We get a findings report with anything that needs to change.
- Remediation. We fix the findings. Whatever's there, this is where the real engineering work lands.
- Rescanning. TAC re-validates against the fixed application.
- LOV Submitted. TAC files the Letter of Validation with the App Defense Alliance, which is what Google reads to flip our verification status.
Google's deadline for completion is August 3, 2026. We have ten weeks. TAC quotes four to six weeks for a clean run, which gives us buffer for at least one round of findings and fixes.
What this means if you use DataToRAG today
Nothing changes yet. You'll still see Google's unverified-app warning when you connect your Workspace, because the warning is tied to Google flipping verification at the end of step 6. Until then, the three-click path through the warning is unchanged, and so is what we do with the access you grant.
The reason we're posting this is accountability. We said we'd ship the assessment by August, and "we're going through it" is easier to say than to show. This is the show.
We'll post another update when the scan report lands.
Ready to connect your data to AI?
Give Claude write access to your Google Workspace. Start free, or talk to us about your setup.
Related articles
Google approved our verification on June 29, 2026. The 'unverified app' warning is gone. Here's how the CASA Tier 2 review actually went, and what changes for you.
The 'unverified app' warning, explained: where we are with Google's CASA reviewDataToRAG is going through Google's CASA Tier 2 security assessment. Until it's done, you'll see Google's 'unverified app' warning when connecting your Workspace. Here's what's happening and why you can click through it.
You Can Self-Host a Google Workspace MCP for Free. The OAuth Verification Is the Catch.The open-source Google Workspace MCP servers are genuinely good. The cost isn't the code. It's the Google Cloud project, the consent screen, and the verification that comes after.