Security, privacy, and audit records for Yuki.
This page is the public home for Yuki security assessments and trust documentation. It currently includes our CASA Tier 2 assessment details and will hold future audits, attestations, and security reviews.
Current audit
CASA Tier 2
Last assessed
March 2026
Contact
support@yukihq.comCASA Tier 2 Assessment
CASA stands for Cloud Application Security Assessment. Google requires CASA review for applications that request restricted Gmail scopes. Yuki completed a Tier 2 independent third-party security assessment for the Gmail access needed to extract structured user insights such as flight bookings, receipts, deliveries, and subscriptions.
What the assessment covered
The assessor reviewed source code, infrastructure configuration, deployed services, and internal policies against the CASA security baseline.
How Yuki handles Gmail data
Read-only by default
Yuki reads Gmail only to extract user-facing insights such as trips, receipts, deliveries, and subscriptions. Email sending is only used for explicit user-triggered quick replies.
Feature delivery only
Google API data is used only for the Yuki features the user enables. It is not used for advertising, market research, or unrelated profiling.
No data sale
We do not sell, rent, or trade Gmail data or derived Google API data.
No human review
Humans on our team do not read user emails. Automated systems process email text strictly for the product features above.
Yuki's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including Limited Use requirements.
Controls available to users
- Disconnect Gmail: revoke Yuki's Gmail access from the app settings at any time.
- Revoke at Google: remove Yuki directly from myaccount.google.com/permissions.
- Delete account: remove your account and associated data from Yuki in the app's Privacy & Data settings.
- Export data: request a copy of your account data from the app or by contacting support.
Where Yuki goes beyond the baseline
EU-first infrastructure
Primary app infrastructure is deployed in European regions where practical, including GCP europe-west1 and EU-hosted observability where supported.
Token isolation
Google tokens are never logged and are stored encrypted at rest. Disconnecting Gmail revokes our stored authorization path.
Row-level access controls
User-owned data is protected by row-level security patterns so app data access stays scoped to the authenticated user.
Raw email minimization
Yuki extracts structured facts and stores derived insights rather than keeping raw email bodies as a permanent product database.
Questions or audit requests?
Email support@yukihq.com. Public-safe attestation materials can be shared with partners or reviewers when appropriate.