Hi HN,

I am building an email screening service for Gmail. Given that LLMs have more or less passed the Turing test, and looking at the number of LLM-wrapper startups in the making, going forward I doubt that human and AI writing can be meaningfully distinguished, and email seems slated to become an even noisier communications tool.

Inspired by Hey.com's feature, I am trying to build a service that screens first-time senders in a deterministic way (yes → all emails reach inbox; no → all emails go to trash).

My application needs to:

- receive webhooks when a new email is received
- move emails to trash, to inbox, or to archive (depending on whether the sender is blacklisted, whitelisted, or neither)
- when a user sends an email, automatically whitelist the recipients so any replies won't be screened

Based on Gmail's policy, these operations require "sensitive scopes" and I will need to pay for a Tier 2 Cloud Application Security Assessment (CASA). To be fair to Google, most of the rules and requirements are pretty clear (create a YouTube video, illustrate the data flows, etc.), but some key uncertainties remain:

1. Has anyone done this assessment before and is able to advise on the process? Specifically I am interested in:

- How much does it cost, or does anyone have a recommended company? (Please drop me an email at hello@inboxhero.org if you don't wish to disclose publicly.) Almost none of the companies doing the assessment publish their prices online and I am worried about getting ripped off.
- How does one write a privacy policy and/or a terms of service? I am working on this myself and don't have experience doing this. I have found some generators online, but am not sure which to use/trust!

2. From a security perspective, how does this assessment ensure that the application isn't misusing user data? I understand that I don't need to share my source code with the company doing the assessment (unlike my previous experience with pen-testing) and the assessment is done once every year (so who's to say what is happening with the data flows in the meantime). I am not sure if this is security theater.

3. In my test with early users (mostly friends and family), I am told that they are only willing to grant me the extensive permissions needed to screen emails because they know me personally. From a user perspective, what would it take for you to trust a stranger on the Internet? Is saying "I've verified with Google!!" enough, or should I try other ways to build trust? Get the endorsement of influencers? Open source the code?

Would be grateful for any advice, both for the security assessment and for the product in general. Thanks!
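Added example, not code from the post or from the inboxhero.org project: the deterministic first-time-sender screening described above (inbox / trash / archive, plus auto-whitelisting of recipients on send), written so that the persisted lists hold only keyed hashes of normalized addresses rather than the user's contacts in the clear, which is the kind of data-minimization a reviewer of the "is the app misusing user data" question would want to see. The Gmail dot/plus-tag normalization rule, the demo key and the sample addresses are assumptions constructed for the example.

```python
import hmac
import hashlib
from email.utils import parseaddr

# Constructed demo key; a real deployment loads this from a secrets store.
DEMO_KEY = b"constructed-demo-key"


def normalize(addr):
    """Canonicalize an address so 'J. Doe <J.Doe+news@gmail.com>' and
    'jdoe@gmail.com' screen as the same sender. Assumption: dots and
    '+tags' in the local part are ignored only for Gmail domains."""
    _, email = parseaddr(addr)
    local, _, domain = email.lower().rpartition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


class Screener:
    """Hey-style screening. Whitelist/blacklist entries are HMAC-SHA256 tags
    of normalized addresses, so the stored state does not expose contacts."""

    def __init__(self, key=DEMO_KEY):
        self.key = key
        self.allow = set()
        self.deny = set()

    def _tag(self, addr):
        return hmac.new(self.key, normalize(addr).encode(), hashlib.sha256).hexdigest()

    def on_incoming(self, sender):
        """Webhook handler: return the folder the new message belongs in."""
        t = self._tag(sender)
        if t in self.allow:
            return "inbox"
        if t in self.deny:
            return "trash"
        return "archive"  # unknown sender: held until the user's yes/no decision

    def screen(self, sender, accept):
        """Record the user's yes/no on a first-time sender; later mail is deterministic."""
        t = self._tag(sender)
        (self.allow if accept else self.deny).add(t)
        (self.deny if accept else self.allow).discard(t)

    def on_outgoing(self, recipients):
        """Anyone the user writes to is whitelisted so their replies skip screening."""
        for r in recipients:
            self.screen(r, True)
```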