AppSheet – Security and Compliance – compendium

Publication date: 2022-06-13

In this article, I will try to answer the most common questions about AppSheet application security.

You can also consider this article as a good resource to address any concerns your IT department has about implementing new solutions.

Each relevant subsection will provide a corresponding link with the source.

YES. More details here.

Applications developed with AppSheet are secure because of:

  • AppSheet’s architecture and the security infrastructure underlying its cloud and mobile technologies (AppSheet is a 100% SaaS platform and runs on Google Cloud Computing services)
  • security settings that you have control over.

Applications are created on the platform.

Applications are based on “tables”. Spreadsheets (Google Sheets) can be used, but other data sources are also available.

Other elements of the application (appearance, actions, automations, permissions) are defined using options available on the platform. No code is required, so applications can be created very quickly.

Apps are distributed by sending a link that leads to:

  • installing the AppSheet app from Google Play, AppStore (there you log into your account and see any apps you have access to)
  • opening the application in a web browser

There are two plans available: secure and public.

In the secure plan, users always have to authenticate with OAuth using one of the most popular SSO providers.

In the public plan, the application is available to everyone. There are, however, significant limitations.

It is a possibility, but it involves many concessions.

When users synchronize their application, the changes they make are sent to AppSheet’s web service via an encrypted protocol (HTTPS). AppSheet then applies the changes to the spreadsheet located in the backend. The latest version of the spreadsheet is then read and sent back to the mobile app.

More details.

AppSheet is part of Google Cloud. The privacy policy can be found here. Google is a member of the Privacy Shield Framework.

Data Processing and Security Terms for AppSheet Services is available here.


The current status of compliance with all GDPR/CCPA requirements can be found on the pages available here.

You can mark all (or part) of your data in the application as sensitive data. The data will then not appear in the system logs.


Meeting all HIPAA requirements is achievable, but a few details need to be taken care of. You can find the details here.


AppSheet is audited against SOC 2 Type 2. The SOC report is available to customers upon request.


Management by IT department

If you are a Google Workspace and AppSheet administrator and are worried about security, be sure to check out these resources.


AppSheet has the means to enforce an organization's restrictions and guidelines.

A policy is a rule that limits how applications are created, managed, and distributed.

Both predefined policies and the ability to create custom ones are available.

Examples include:

Predefined policy template

  • Require sign-in: Apps must require user sign-in
  • Run-as app creator: Apps cannot be run by the app user
  • Prevent row delete: Apps cannot delete data
  • Restrict data source attachable to apps: Apps can access only specific data sources
  • Restrict providers attachable to apps: Apps can access only specific providers
  • Acceptable image resolution: Apps require a minimum resolution for captured images
  • Must sync-on-start: Apps must refresh their data each time they start
  • Enable offline use: Apps must be configured to run offline
  • Restrict Prototype Authentication: Apps must:
      By default, this policy applies to prototype apps; you can change the targeted apps.
      Note: It is required that you use this policy with Restrict Prototype Sharing to fully limit prototype access.
  • Restrict who can deploy apps: Apps can be deployed only by specific app creators
  • Apps must have documentation: Apps must include documentation; see App documentation on the About page
  • Only users from specific domain: Only users from a specific domain can access the app
  • Enforce FedRAMP compliance: Apps are FedRAMP compliant
  • Restrict Prototype Sharing: Apps must:
      • Prevent the sharing of apps with an entire domain in the Share dialog
      • Limit the number of users that the app can be shared with in the Share dialog (defaults to 5)
      By default, this policy applies to prototype apps; you can change the targeted apps.
      See: Share: The Essentials
      Note: It is required that you use this policy with Restrict Prototype Authentication to fully limit prototype access.


If you have more questions, check out this subpage in the documentation:

Other useful resources