
Revenue.io Is Now Google CASA Tier 2 Verified
Revenue.io has successfully completed Google’s Cloud Application Security Assessment (CASA) and achieved Tier 2 verification. This means an independent, Google-authorized security lab has validated that Revenue.io meets rigorous security standards for handling Google Workspace data, including Gmail access for email activity capture and synchronization with Salesforce.
If your security team has ever asked “what happens to our data when we connect Revenue.io to Google Workspace?”, this certification provides the answer backed by independent verification rather than a vendor’s promise. Here is what CASA is, what the verification required, and why it matters for your organization.
What Is CASA?
CASA (Cloud Application Security Assessment) is Google’s security review program for third-party applications that access Google Workspace data. Google introduced CASA to ensure that applications requesting access to sensitive user data, such as Gmail, Google Calendar, and Google Drive, meet verified security standards before and after they are granted access.
When your team authorizes an application to access Google Workspace through OAuth, the “Allow” button grants access but tells you nothing about whether the application handles that data securely. CASA exists to close that gap. It provides a structured, independent assessment of how applications store, process, transmit, and protect the Google Workspace data they access.
CASA verification is not optional for applications that use restricted Google API scopes. Applications that access Gmail content, as Revenue.io does for email activity capture, must complete CASA assessment at the level Google requires for that scope of access.
The Three Tiers of CASA
Google’s CASA program operates across three assurance levels, each representing a progressively more rigorous verification process.
Tier 1: Self-Assessment. The developer scans their own application and attests to the results. This is the baseline level and does not involve independent verification.
Tier 2: Independent Verified Assessment. A Google-authorized, independent security lab validates the application against the CASA security standard. This is the level Google requires for applications using restricted scopes such as Gmail access. The assessment is conducted by a qualified third-party assessor, not by the application developer.
Tier 3: Full Lab Assessment. The most rigorous level, involving deeper hands-on verification by an independent lab. Reserved for the highest-risk access patterns.
Revenue.io has achieved Tier 2 verification because the platform accesses restricted Gmail scopes for email activity capture, logging, and synchronization with Salesforce. Tier 2 is the assurance level Google requires for applications with this scope of access, and it means that an independent security firm, not Revenue.io, has validated our security practices.
What the Assessment Verified
CASA Tier 2 is not a checkbox exercise. It is a comprehensive security review conducted by an independent, Google-approved assessor covering data handling, infrastructure security, privacy practices, and secure development processes.
Secure Data Handling
The assessment verified how Revenue.io processes, transmits, and stores data accessed through Google Workspace integrations. This includes encryption of data in transit using TLS, access controls ensuring that only authenticated and authorized users can access their organization’s data, and data handling practices that align with the principle of minimal data collection and retention.
Infrastructure Security
The assessment evaluated Revenue.io’s hosting infrastructure, secrets management, vulnerability management, and security monitoring. As a Salesforce-native platform, Revenue.io’s architecture stores customer data inside Salesforce rather than in a separate proprietary database, which reduces the data handling surface area that the assessment needed to cover and reflects a security-by-design approach where the customer’s CRM remains the system of record.
Privacy and Data Minimization
The assessment confirmed that Revenue.io requests only the OAuth scopes necessary for the platform’s functionality. Email data accessed through Gmail integration is used for activity capture, call and email logging, and synchronization with Salesforce records. The assessment verified that data access permissions align with the platform’s stated functionality and that data is not used for purposes beyond what customers authorize.
Secure Development Practices
The assessment reviewed Revenue.io’s software development lifecycle including code review processes, dependency management, vulnerability scanning, and incident response procedures. These practices ensure that security is maintained not just at the point of assessment but as an ongoing discipline as the platform evolves.
Why This Matters for Your Organization
For IT, security, and RevOps leaders evaluating or currently using Revenue.io, CASA Tier 2 verification provides three specific assurances.
Independent verification, not self-certification. CASA Tier 2 means a qualified, Google-authorized security firm reviewed Revenue.io’s practices and confirmed they meet the CASA standard. This is independent validation, not a vendor telling you “trust us.” The assessment was conducted by a third party with no commercial relationship to Revenue.io beyond the assessment itself.
Google’s ongoing compliance requirement. CASA is not a one-time certification. Applications are subject to periodic reassessment, and Google can restrict or revoke API access for applications that fail to maintain compliance. Revenue.io’s continued access to Google Workspace APIs depends on maintaining the security standards that CASA Tier 2 requires.
Verified handling of your Google Workspace data. When your organization connects Revenue.io to Google Workspace for email activity capture, you are trusting the platform with access to Gmail data. CASA verification means that an independent assessor has confirmed how that data is accessed, processed, transmitted, and protected. The verification covers the specific data flows that matter to your security team: what data is accessed, how it moves between systems, and what controls protect it.
How CASA Fits into Revenue.io’s Security Posture
CASA Tier 2 verification is one component of Revenue.io’s broader security commitment. The platform’s Salesforce-native architecture provides inherent security advantages that complement the CASA certification.
Data residency inside Salesforce. Revenue.io stores customer data, including call recordings, activity logs, coaching scores, and pipeline analytics, inside Salesforce rather than in a separate external system. This means your data is governed by your existing Salesforce security policies, access controls, and compliance configurations. CASA verification covers the Google Workspace integration layer. Salesforce’s own security certifications (SOC 2, ISO 27001, HIPAA, FedRAMP) cover the data at rest.
No separate data store to secure. Many sales technology platforms that integrate with both Salesforce and Google Workspace maintain their own databases where customer data is stored, processed, and retained. Each additional data store creates additional security surface area, additional compliance requirements, and additional risk. Revenue.io’s native architecture minimizes this by using Salesforce as the system of record rather than replicating data into a proprietary system.
Enterprise-grade access controls. Revenue.io inherits Salesforce’s role-based access controls, field-level security, and sharing rules. Users can only access the data their Salesforce permissions allow. This eliminates the common security concern with external sales tools where a separate permission model must be configured and maintained independently of the CRM.
What This Means for Procurement and Security Reviews
If your organization is evaluating Revenue.io or conducting a security review for renewal, CASA Tier 2 verification streamlines the process in three ways.
Pre-answered Google Workspace security questions. Many enterprise security questionnaires include questions about how the vendor handles Google API access, OAuth scopes, and data processing. CASA Tier 2 verification provides a standardized, independently validated answer to these questions. Your security team can reference the CASA verification rather than conducting their own assessment of Revenue.io’s Google integration practices.
Reduced vendor risk classification. Organizations that classify vendors by security risk tier can use CASA verification as evidence that Revenue.io meets independently verified security standards for Google Workspace data handling. This can accelerate approval timelines and reduce the scope of custom security assessments.
Documented compliance for regulated industries. For organizations in financial services, healthcare, insurance, and other regulated industries, CASA verification provides documented evidence that a third-party vendor’s Google integration has been independently assessed. This documentation supports your own compliance obligations around vendor risk management and third-party data handling.
Frequently Asked Questions
What is Google CASA Tier 2?
CASA (Cloud Application Security Assessment) Tier 2 is an independent security verification conducted by a Google-authorized assessor. It validates that an application accessing Google Workspace data meets rigorous security standards for data handling, infrastructure security, privacy practices, and secure development. Tier 2 is the level Google requires for applications using restricted scopes such as Gmail access.
Why does Revenue.io need CASA verification?
Revenue.io accesses Gmail data through restricted Google API scopes to capture email activity and synchronize it with Salesforce records. Google requires CASA Tier 2 verification for any application using these restricted scopes. The verification confirms that Revenue.io handles Gmail data securely and in accordance with Google’s security requirements.
Does CASA verification expire?
CASA is not a one-time certification. Applications are subject to periodic reassessment, and Google can restrict or revoke API access for applications that fail to maintain compliance. Revenue.io’s continued Google Workspace integration depends on maintaining the security standards that CASA Tier 2 requires.
Where does Revenue.io store data accessed from Google Workspace?
Revenue.io is built natively on Salesforce. Customer data, including activity logs from email capture, is stored inside Salesforce and governed by your existing Salesforce security policies and access controls. Revenue.io does not maintain a separate proprietary database for customer data.
How does CASA relate to other security certifications?
CASA specifically covers how applications handle Google Workspace data. It complements other security certifications rather than replacing them. Revenue.io’s Salesforce-native architecture means that data at rest is covered by Salesforce’s security certifications (SOC 2, ISO 27001, and others). CASA covers the integration layer between Google Workspace and the platform. Together, they provide end-to-end security coverage for the data flows that matter to enterprise customers.
Can I see the CASA verification documentation?
Contact the Revenue.io team to request CASA verification documentation for your security review. We are happy to provide the information your security and procurement teams need to complete their evaluation.
Conclusion
Google CASA Tier 2 verification confirms what Revenue.io’s architecture was designed to deliver: secure, verified handling of customer data at every integration point. An independent, Google-authorized assessor has validated that Revenue.io meets rigorous security standards for accessing and processing Google Workspace data. Combined with the platform’s Salesforce-native architecture, which keeps customer data inside the CRM governed by your existing security policies, CASA verification provides enterprise customers with independently confirmed assurance that their data is protected.
Security is not a feature we added. It is how the platform was built. CASA Tier 2 verification is the independent confirmation.