Security & Audit Center
Security transparency

Security, privacy, and audit records for Yuki.

This page is the public home for Yuki security assessments and trust documentation. It currently includes our CASA Tier 2 assessment details and will hold future audits, attestations, and security reviews.

Current audit

CASA Tier 2

Last assessed

March 2026

CASA Tier 2 Assessment

CASA stands for Cloud Application Security Assessment. Google requires CASA review for applications that request restricted Gmail scopes. Yuki completed a Tier 2 independent third-party security assessment for the Gmail access needed to extract structured user insights such as flight bookings, receipts, deliveries, and subscriptions.

Audit type
CASA Tier 2 Verified Assessment
Most recent assessment
March 2026
Cadence
Annual reassessment required by Google
Authorized assessor
Available on request — email [email protected] for the public attestation letter

What the assessment covered

OAuth implementation — token handling, refresh flow, and scope management
Data storage — encryption at rest, access controls, and retention
Data transmission — TLS configuration and certificate handling
Authentication and authorization — session management and role enforcement
Input validation — protection against injection, XSS, and abuse
Logging and monitoring — audit trails, error handling, and secrets management
Vulnerability management — dependency scanning and patch cadence
Incident response — detection and disclosure procedures

The assessor reviewed source code, infrastructure configuration, deployed services, and internal policies against the CASA security baseline.

How Yuki handles Gmail data

Read-only by default

Yuki reads Gmail only to extract user-facing insights such as trips, receipts, deliveries, and subscriptions. Email sending is only used for explicit user-triggered quick replies.

Feature delivery only

Google API data is used only for the Yuki features the user enables. It is not used for advertising, market research, or unrelated profiling.

No data sale

We do not sell, rent, or trade Gmail data or derived Google API data.

No human review

Humans on our team do not read user emails. Automated systems process email text strictly for the product features above.

Yuki's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.

Controls available to users

  • Disconnect Gmail: revoke Yuki's Gmail access from the app settings at any time.
  • Revoke at Google: remove Yuki directly from myaccount.google.com/permissions.
  • Delete account: remove your account and associated data from Yuki in the app's Privacy & Data settings.
  • Export data: request a copy of your account data from the app or by contacting support.

Where Yuki goes beyond the baseline

EU-first infrastructure

Primary app infrastructure is deployed in European regions where practical, including GCP europe-west1 and EU-hosted observability where supported.

Token isolation

Google tokens are never logged and are stored encrypted at rest. Disconnecting Gmail revokes our stored authorization path.

Row-level access controls

User-owned data is protected by row-level security patterns so app data access stays scoped to the authenticated user.

Raw email minimization

Yuki extracts structured facts and stores derived insights rather than keeping raw email bodies as a permanent product database.

Questions or audit requests?

Email [email protected]. Public-safe attestation materials can be shared with partners or reviewers when appropriate.