To prepare for your certification, here are the questions you should be ready to discuss
with TRUSTe personnel.
- Is your app usable independently of Google single sign-on?
- Does your application use SSL (TLS) when communicating with Google's APIs?
- Does your application securely store sensitive information, including user passwords, OAuth tokens, and application credentials?
- Does the app list APIs in its manifest that it does NOT actually access?
- Do the manifest descriptions clearly and accurately explain how Google data is used?
(Example: is only read-only access listed while the description indicates the data is modified? Or is the description vague, describing 'what' is accessed but not 'why'?)
- Is there a link provided to the app's Deletion Policy from the App Settings Page?
- Does the app ask users to create separate login credentials?
- What Personal Information does your app directly collect either from the administrator or individual user?
- Do you access or collect any sensitive personal information?
- If yes, is SSL encryption used to secure the transfer of this sensitive data?
- Does your app allow users to create a profile (including a personal photo, bio, etc.)?
- If yes, is the profile public-facing or private?
- Do you share personal information with third parties (other than Google), including service providers?
- Which third parties other than Google do you share personal information with, and why?
- If you share with third parties, how does the user know this information is being shared?
- Does your app allow users to share information via other single sign-on features?
- Does your app send marketing communications to either the administrator or individual user?
- Do you have a dedicated email address for receiving privacy-related complaints?
(Example: most companies create a privacy@COMPANYNAME.com email alias)
- If you access an administrator's or user's contact lists (names, email addresses, etc.) through a Google API, how are they used?