MonitorWorkspace Achieves CASA Certification
MonitorWorkspace has completed CASA certification — the Cloud Application Security Assessment required for applications that access sensitive Google Workspace data at scale.
This matters if you are an IT admin in an industry that cares about third-party vendor security posture. Healthcare, education, government, and financial services organizations routinely ask whether the tools in their environment have been assessed by an independent party. Now the answer for MonitorWorkspace is yes.
What CASA Is
CASA is a security assessment framework developed by the App Defense Alliance, a collaboration between Google, Microsoft, Meta, and MITRE. It is specifically designed for cloud applications that handle OAuth-scoped access to sensitive user data.
The assessment evaluates an application against OWASP ASVS (Application Security Verification Standard) security requirements. These cover authentication, session management, access control, cryptography, data handling, API security, and how secrets and credentials are stored and rotated.
There are three CASA tiers. The tier assigned to your app depends on the sensitivity of the OAuth scopes it requests and the scale at which it operates. Applications that access Gmail content or admin directory data at domain-wide scope are assessed at a higher tier than, say, a read-only calendar integration.
MonitorWorkspace operates on domain-wide delegation, which means the assessment covered the controls that matter most when a single service account can access data across an entire organization.
What the Assessment Covered
The independent assessor reviewed the application across several areas:
Access controls. How MonitorWorkspace enforces tenant isolation — ensuring that an admin from one organization cannot access data belonging to another — was a primary focus. The multi-tenant architecture, row-level query design, and token scoping were all evaluated.
Credential and secret handling. Service account keys, OAuth tokens, and API credentials were reviewed for how they are stored, rotated, and protected from unauthorized access.
Authentication and session management. The OAuth flow, session token lifecycle, and admin privilege separation were assessed against ASVS controls.
Data in transit and at rest. Encryption practices for data moving between the application, Google APIs, and the database were examined.
API security. Every API endpoint — authentication enforcement, rate limiting, input validation, error handling — was tested for common vulnerabilities.
Audit logging. The completeness and tamper-resistance of the audit trail were verified, which is directly relevant to the compliance use case MonitorWorkspace is built for.
What This Means for Your Procurement Process
If your organization has a vendor security review process, CASA certification gives your security team something concrete to reference. The assessment is documented, conducted by an independent third party, and mapped to OWASP ASVS controls that your team will recognize.
For education customers subject to FERPA, nonprofits with board-level data governance requirements, and government agencies evaluating third-party cloud tools, this removes a meaningful friction point in the approval process.
CASA certification does not replace your own due diligence — no third-party assessment does. But it gives you a verified starting point rather than a self-reported security questionnaire.
Combined with Google OAuth Verification
CASA certification arrives alongside Google's own OAuth app verification. That verification process confirmed that every scope MonitorWorkspace requests is appropriate for the functionality it provides, and that the application handles Workspace data in accordance with Google's API Services User Data Policy.
Together these two certifications represent two independent organizations — Google and an ASVS-accredited assessor — reviewing MonitorWorkspace's security posture from different angles. One confirms what the app can access. The other confirms how it protects what it accesses.
Both are now complete.
Recertification Schedule
Like Google's OAuth verification, CASA certification requires annual renewal. We treat this as a minimum — the controls that CASA evaluates are things we monitor and maintain continuously, not things we revisit once a year for an audit.
If you have specific questions about the assessment scope or controls, reach out through the support page.