Amadeo - User Data Policy

User data security is ensured by:

All user’s sensitive data are encrypted

Compliance with Standards

Several mandatory verification steps to have access to user’s data

Annual third-party security assessment from empanelled security assessors

Amadeo has read-only access to the user’s personal data.

Amadeo uses OAuth2 to access users' data - Google’s (Gmail, Calendar, Google Drive), Microsoft’s (Microsoft Teams, Skype for Business), Atlassian’s (Jira, Confluence), GitHub, Outlook, etc. One of the mandatory conditions upon the integration with most of these solutions is completing several steps of the verification process.

Amadeo is categorized as a restricted scope app and that’s why requires a more extensive review process to satisfy the standards. But that, in turn, ensures all user data will be fully protected.


Here is an example of verifications needed to access Google’s user data:

1. As an app that access Google APIs we must verify that we accurately represent our identity and intent as specified by Google’s API Services User Data Policy. If we change any of the details that appear on the OAuth consent screen, such as the project's icon, display name, homepage or privacy policy URL, or authorized domains, we need to have our app re-verified for branding prior to updates being published to our OAuth consent screen.

2. As an app that requests restricted scopes we must verify that we follow Google’s API Services User Data Policy, and we must also meet the Additional Requirements for Specific Scopes. One of these additional requirements is an independent, third-party security assessment.


Security assessment

As an app that requests access to restricted scope Google user’s data and has the ability to access data from or through a third-party server is required to go through a security assessment from Google empanelled security assessors. This assessment helps keep Google users’ data safe by verifying that all apps that access Google user data demonstrate capability in handling data securely and deleting user data upon user request. In order to maintain access to restricted scopes, we will need to undergo this security assessment on an annual basis, this process is called the security reassessment, also known as annual recertification.