What CASA means for Google Fit

30/01/2024 – Written by Thryve in Blogpost – 2 mins read

Google has tightened the screws for apps and services that wish to access its data. This applies across the board, and given the sensitive nature of the data they process, health & wellness services are no exception. Services are increasingly required to provide a CASA audit as a prerequisite for accessing Google Fit data. We explore its significance in this blog post.

What is required to draw data from Google Fit?

Access to data from Google Fit is structured around data scopes. Each data scope (e.g. body data, activity data) corresponds to a group of data types (e.g. steps, heart rate) that become available once the scope is authorized. Applications must apply for data scopes within their Google project and let end users authorize the respective scopes within their service.

What is a CASA assessment?

To draw data from Google Fit, apps must certify their trustworthiness and compliance through a CASA assessment. CASA stands for Cloud Application Security Assessment.
CASA is a predefined audit scheme that builds on criteria around data transparency as well as security guidelines (derived from OWASP). Certificates like SOC 2 or ISO 27001 help within the process, but are not accepted as a substitute for a CASA certification. Although Google announced detailed audits for services accessing Google Fit data as early as 2020, it only started enforcing CASA audits in 2023.


When is a CASA assessment required?

CASA assessments are required for all apps accessing Google Fit data. An assessment has to be done once and then renewed annually. Apps are not required to do a CASA assessment when they are only for scientific, internal or personal use or have fewer than 100 users (Google provides details here).



What happens in a CASA assessment?

Auditors assess whether the processing and use of data is transparent to end users and follows secure guidelines. This covers the way consent is given, the display of data accessed, and safety. Services can start their own assessment directly online. Thryve can help with ready-made information and details about the technical process of actually drawing data from Google Fit.


How can services get a CASA certification?

By default, services can self-audit. Services answer a set of questions online, which are then reviewed and assessed. When accessing sensitive scopes such as health & fitness data, a third-party audit is usually required. Google has defined a list of accepted auditors that can do CASA audits, available online. These encompass specific security agencies, but also consultancies like KPMG. As of 2024, Google was not accepting new auditors for its CASA assessments.

What’s the price of a CASA assessment?

The first step of a CASA assessment can be done alone and free of charge. If a dedicated auditor is mandated for a CASA assessment, the costs vary according to the extent of the app and your preparation. Expect costs for a CASA assessment between 1.000 and 5.000 Euro.


How does Thryve help with accessing Google Fit data?

Thryve provides a safe and compliant integration with Google Fit. Through full maintenance of the Google Fit API integration, coupled with a tiered system of Google Fit scope activation and tailored data storage, Thryve takes care of the heavy lifting in compliant data access from Google Fit. As the trusted partner of the most demanding organizations globally, Thryve supports insurers, registered medical devices and government bodies in accessing and understanding health and wellness data. All our partners have so far successfully completed a CASA assessment and are approved for data access at Google Fit.

What’s more? Thryve’s partners benefit from a unified data format across all integrated data sources, full maintenance and continuous extension with additional data types as well as targeted analytics providing actionable insights.

Unlock the power of Google Fit data analysis with Thryve!
