Building in Public: Six Months Building NeatDrive - What Nobody Tells You About Shipping a Security Product
- NeatDrive Team
- 3 days ago
- 4 min read
Updated: 1 day ago

Six months ago I started building NeatDrive because I had a problem I couldn't find a good solution for: I didn't have a central overview of what was in my Google Drive — who had access to what, what was shared publicly, or why my storage kept filling up. The tools I found could spot duplicate files, but they missed everything else: exposed sharing permissions, stale content, naming inconsistencies, folder structure drift. And none of them let me make sweeping changes. None helped me organize file names or folder structures. They diagnosed the clutter; they couldn't fix it. I figured other people had the same problem. So I built a tool that could.
That description makes it sound more straightforward than it's been. Here's what the six months actually looked like.
What the app does
NeatDrive connects to your Google Drive, runs a full audit, and gives you a health score, which is a number that reflects how exposed, cluttered, and disorganized your Drive actually is. It finds files shared publicly (including ones you forgot about), external sharing with people outside your domain, duplicates eating your storage, empty folders, stale content, naming violations, and more. Everything comes back as a finding, with a one-click action plan to address it.
Nothing changes in your Drive until you explicitly approve it. Every action is previewed, logged, and reversible for 30 days.
Getting Google to trust you is a job in itself
To connect to someone's Google Drive, you need OAuth approval. That's not a form you submit and wait a week for. It involves a privacy policy review, a security assessment from a third party, written justifications for every scope you request, a review queue without a published timeline, and rounds of follow-up questions. If anything on your application changes — even briefly, like a privacy policy URL going down for a day — parts of the process can reset. I've been through multiple rounds of this. It's still not finished.
I'm not saying Google is wrong to be careful about apps that touch people's files. They should be. But it's not something you can drop into a sprint and ship.
A security audit is its own chapter
The CASA Tier 2 assessment is complete. The DAST scan ran, nine findings came back, and each one got addressed — headers and CORS configuration fixed in vercel.json, false positives documented with evidence. The revalidation is now in progress through the ESOF portal, which is the last step before the Letter of Validation lands. That goes to Google as part of the OAuth approval process.
I went through this voluntarily. A product that audits your security posture should be able to pass a security audit of its own. It cost more than I budgeted for, in time and money both. Worth it.
The parts nobody sees
The most visible thing in NeatDrive is the UI: the health score, the findings list, the action plan. What took the longest to build correctly was everything underneath it: a scan pipeline that handles tens of thousands of files without timing out, duplicate detection that doesn't fall apart at scale, integrity checking to make sure findings stay accurate between scans, the billing integration, the email system, access controls that make it impossible for one user to see another's data.
None of that shows up in a screenshot. All of it determines whether the product actually holds up.
There's also the non-app stuff like the LLC registration (done), business license (done), EIN (done), Dun & Bradstreet (done), trademark (in progress).
Accessibility isn't optional, and it takes longer than you'd expect
Before I could feel good about launching, I ran a full WCAG AA compliance pass of every page, every contrast ratio, ARIA labels, keyboard navigation, screen reader behavior. It's the kind of work that doesn't make a good demo but matters if someone needs it. It took longer than I expected, and I'm glad I did it before rather than after.
Building in Public: Where things stand
Early access signups are open from 7/8/26-7/15/26 and offer 30 days of pro-tier access in exchange for your feedback. The focus here is stability and real user scans to dial in UX/UI as actual people run audits on their actual Drives, to smooth things out for our first paid users. If you manage a Google Drive and have ever wanted to actually understand what's in there, this is the tool for that.
The app is live at app.neatdrive.net. The scan pipeline works end-to-end. Billing is live through Wix pricing plans. Transactional emails fire. There's an AI assistant built into the app that can answer questions about your findings and help you decide what to address first. The iOS app is coming soon. Uploading the build and screenshots to App Store Connect and Google Play.
What I'd tell myself
It takes longer than you think, and costs more. That's not pessimism, just what's true, and worth saying plainly to anyone thinking about building something like this.
The parts that look simple from the outside have layers; Getting OAuth approved, passing a security review, setting up email infrastructure that actually delivers. The parts that actually felt hard going in, like designing the product, turned out to be pretty enjoyable.
Build the boring infrastructure first. Get the security right before you get the growth right. Don't launch until you can honestly stand behind all of it.
I'm not there yet on the scale, but I think I'm almost there on the product. Want to help bring it to market? Sign up now for Early access!
NeatDrive is at https://www.neatdrive.net. Free scan up to 1K files, no card required.
— Ariana Berry, founder

Comments