Here is the email:
Dear Developer,
Thank you for your response and patience.
It is critical that 3rd-party apps handling Gmail data meet minimum security standards to minimize the risk of data breach. We require apps that store data on non-Google servers to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request.
Since your OAuth callback URL indicates that data access is not restricted to users’ devices and not managed by Google, you will need to go through a security assessment for your app.
Applications accessing restricted scopes must demonstrate that they adhere to certain security practices. These applications must pass an annual security assessment and obtain a Letter of Assessment from a Google-designated 3rd party.
When Security Assessment is Not Required
The following scenarios do not require a security assessment.
Local Data Storage: If you don’t want to go through a security assessment, you will need to change your server storage to local storage only. Local client applications do not need to undergo a security assessment because data is run, stored, and processed only on the user’s device (such as a computer, mobile phone, or tablet).
As an example, apps such as Deseat.me have migrated from server storage to local web-client storage, and as a result a security assessment is no longer required for this app. It also increases the level of trust users may have with this app.
Fewer than 100 Users: If your app is intended for a small audience and your users are in direct interaction with you, your app will be granted access for up to 100 users with an unverified app screen.
Users are Enterprise Accounts: If your app will be used exclusively by G Suite accounts, your app can be enabled via domain install or whitelisting by a G Suite domain administrator. Your app can also be listed on the G Suite Marketplace. Keep in mind that many enterprises value a third-party security assessment and a completed assessment for the Restricted Scopes verification will provide a “Security Assessment” badge in your Marketplace listing.
No Restricted Scope(s) Requested: You can update your project so that it does not request any restricted scopes, thereby avoiding the security assessment requirement.
Update Scope Type: Upon further review of your request, we noticed that you have selected the following scope in the OAuth Google Cloud Console, which is causing your application to require a security assessment: https://www.googleapis.com/auth/script.external_request
Below are steps to remove this scope so that you do not need to go through a security assessment:
Sign in to the Google Cloud Console
Select the project-id ##########
Go to Credentials on the OAuth Consent Screen
Go to Scopes for Google APIs and delete the scope: https://www.googleapis.com/auth/script.external_request
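The console steps above remove the scope from the consent screen, but the same scope can still be requested from code (for example in an authorization URL built by the app). The following Python check is an added example, not part of the email or any Google tooling: it parses the `scope` parameter of an OAuth 2.0 authorization request, reports any restricted scopes it finds, and produces the same URL with them dropped. The scope from the email is the only restricted scope it takes from the page; the other Gmail entries and the sample URL are assumptions constructed for the example, and the real restricted-scope list should be taken from Google's current documentation.

```python
"""Detect Google restricted scopes in an OAuth 2.0 authorization request.

Added example (not from the original email). RESTRICTED_SCOPES contains the
one scope named in the email plus ASSUMED entries that must be checked
against Google's current restricted-scope list before use.
"""
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Scope the email names as the one triggering the security assessment.
SCOPE_FROM_EMAIL = "https://www.googleapis.com/auth/script.external_request"

# ASSUMPTION: Gmail scopes commonly classed as restricted; verify before relying on this.
ASSUMED_RESTRICTED = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
}

RESTRICTED_SCOPES = {SCOPE_FROM_EMAIL} | ASSUMED_RESTRICTED

# Constructed sample authorization request (hypothetical client id and callback).
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fscript.external_request"
)


def requested_scopes(auth_url: str) -> list[str]:
    """Return the scopes in the `scope` query parameter (space-delimited per RFC 6749)."""
    query = parse_qs(urlparse(auth_url).query)
    raw = " ".join(query.get("scope", []))
    return [s for s in raw.split() if s]


def restricted_in(auth_url: str, restricted=RESTRICTED_SCOPES) -> list[str]:
    """Return the requested scopes that fall in the restricted set, in request order."""
    return [s for s in requested_scopes(auth_url) if s in restricted]


def strip_restricted(auth_url: str, restricted=RESTRICTED_SCOPES) -> str:
    """Return the same authorization URL with restricted scopes removed from `scope`."""
    parts = urlparse(auth_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "scope" in query:
        kept = [s for s in " ".join(query["scope"]).split() if s not in restricted]
        query["scope"] = [" ".join(kept)]
    # Re-encode; urlencode percent-encodes the scope URLs and joins scopes with '+'.
    new_query = urlencode({k: v[0] for k, v in query.items()})
    return urlunparse(parts._replace(query=new_query))


def needs_assessment(auth_url: str, restricted=RESTRICTED_SCOPES) -> bool:
    """True when the request asks for at least one restricted scope."""
    return bool(restricted_in(auth_url, restricted))


if __name__ == "__main__":
    found = restricted_in(SAMPLE_AUTH_URL)
    print("restricted scopes requested:", found or "none")
    if found:
        print("same request without them:")
        print(strip_restricted(SAMPLE_AUTH_URL))
```

Run it against each authorization URL your app can build (or against a list of scopes pulled from your OAuth client configuration); a non-empty result from `restricted_in` means the request would still trigger the restricted-scope review even after the console scope entry is deleted.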
Security Assessment Assessors
Our 3rd party security assessment assessors, Leviathan Security and Bishop Fox, have been extensively qualified and trained to ensure consistent and high-quality assessments. We are closely monitoring the needs of the program and will add additional assessors when necessary.
Cost
Depending on the scope and complexity of your app, the cost for the 3rd party assessment may vary from $15,000 to $75,000. Smaller apps will be on the lower end while more complex apps will require more review and expense.
Existing assessments that meet the security assessment program standards may reduce the scope and cost of your review. These will be considered by the assessors.
For more information, review the FAQ for Restricted Scopes App Verification and the Google API User Data Policy. If you have additional questions, respond to this email.