by atonse 425 days ago
Not necessarily. A SOC2 audit also often has a "Scope" – that can mean that some apps are in-scope for the audit, and some aren't.

It might be that this particular app was not ready to be in scope for their audit or observation period, so was left out, even if it's in the same infrastructure.

It still means the app is less mature, but I wouldn't go so far as to say it's a red flag.

Either way, I'd wait for something this critical (like giving it access to my email) for a few months to have any low-hanging-fruit bugs worked out before jumping in.