Early-stage SaaS Momentum
Just as we were ready to launch, our SaaS startup hit Google’s CASA Tier 2 security requirement. Discover why security matters to us, what CASA Tier 2 involves, and how we are moving fast.
This week marked a turning point for Clarity Inbox, our AI personal assistant for emails. After months of building, we finally saw the product come alive in a way that felt real. Clarity can remember context, handle complex conversations, and actually feels smart.
But just as we were preparing for launch, we hit a classic early-stage startup roadblock: Google’s CASA Tier 2 security requirement. It’s expensive, it’s slow, and it means we’re stuck with an “Unverified App” label for now. It's super frustrating, but every step forward comes with its own set of challenges.
We understand security is important. We value protecting our user data, and it isn’t just checking a checkbox for us. It’s “a must,” and we fully support going through this. Still, when everything is finally clicking, being handed a new, complex requirement feels like a gut punch.
What is CASA Tier 2?
Google requires apps that request sensitive Gmail permissions to complete a security review called CASA (Cloud Application Security Assessment) Tier 2. This isn’t just a checkbox. It is a formal, third-party security audit that evaluates how our app handles, stores, and protects user data. Only after passing this assessment can we remove the “Unverified App” warning that Google shows to users trying to connect ClarityInbox to Gmail.
The Process (and the Pain)
Here’s how submitting your app to Google works:
Google requires us to submit verifications on the Gmail Scope being used, privacy policy documents, and a tutorial on how to use our app.
Finally, that is all settled… then Google notifies us that our app needs CASA Tier 2.
We have to choose a security lab (Google’s preferred partner) and pay for the assessment, currently $540–$720 per year, depending on the package.
The lab would scan our app for vulnerabilities, review our security policies, and may request credentials to test our app.
If issues are found, we have to fix them and re-submit.
Once we pass, we will receive a Letter of Validation, and Google removes the “Unverified App” warning for your users.
The catch? The whole process can take 1–2 months, even if we are responsive at every step. And it’s not a one-time thing: the assessment must be renewed annually.
This feels like the SOC 2 compliance I was selling. It’s a mini-taxation for us to go through. 😅
Why It’s a Blocker
Right now, Clarity is flagged as an “Unverified App.” Anyone trying to connect their Gmail account sees a warning from Google, which can undermine trust and slow down our sales momentum. We can’t launch publicly or onboard customers at scale until we are through this process.
And then there’s the cost. For an early-stage, lean startup like us, $700+ a year for security certification is a real hit, especially since it is required to get out of the gate.
How I’m Handling It
Frustration aside, I know this is a necessary step. Security is non-negotiable when handling customer data, and Google’s requirements are there for a reason. We are moving forward with the CASA assessment, gathering documentation, and prepping for the security scans. In the meantime, we’re focusing on QA, product UX polish, and creative ways to demo Clarity without triggering the Gmail integration blocker.
Moving Forward
My advice for fellow founders is to budget for their security process early and not to underestimate the time it takes. Security and compliance are basically “a rite of passage” for any SaaS.
We will get through it, but for now, it’s a step we must take.
Thanks for following along on the founder journey. More updates soon as we (slowly) clear this hurdle!

Read more about my startup journey: https://growthwithgary.com/archive?tags=Startup


I am Gary Yau Chan. 3x Head of Growth. Product Growth specialist. 26x hackathon winner. Building ClarityInbox. I write about #PLG and #BuildInPublic. Please follow me on LinkedIn, or read about what you can hire me for on my Notion page.