Share
In this article, I will try to answer the most common questions about AppSheet application security.
You can also consider this article as a good resource to address any concerns your IT department has about implementing new solutions.
Each relevant subsection will provide a corresponding link with the source.
Are AppSheet apps and my data safe?
YES. More details here.
Applications developed with AppSheet are secure because of:
- AppSheet’s architecture and security infrastructure underlying cloud and mobile technologies (AppSheet is a 100% SaaS platform. AppSheet runs on Google Cloud Computing services)
- security settings that you have control over.
Where and how are AppSheet applications developed?
Applications are created on the AppSheet.com platform.
Applications are based on “tables”. Spreadsheets (Google Sheets) can be used, but other data sources are also available.
Other elements of the application (appearance, actions, automations, permissions) are defined using options available on the platform. No code is required, so applications can be created very quickly.
How are AppSheet applications distributed?
Apps are ditributed by sending a link to:
- installing the AppSheet app from Google Play, AppStore (there you log into your account and see any apps you have access to)
- opening the application in a web browser
Does every user need to authenticate?
There are two plans available: secure and public.
In secure you always have to authenticate with OAth using one of the most popular SSO providers.
In public the application is available for everyone. There are, however, significant limitations.
Can I publish my app to the Google Play store or AppStore?
It is a possibility, but it involves many concessions.
How is the data processed?
When users synchronize their application, the changes they make are sent to AppSheet’s web service via an encrypted protocol (HTTPS). AppSheet then makes the changes to a spreadsheet located in the backend. The latest version of the spreadsheet is read and uploaded back to the mobile app.
AppSheet certifications and documents
Privacy Policy and Data Processing and Security Terms for AppSheet Services
AppSheet is part of Google Cloud. The privacy policy can be found here. Google is a member of the Privacy Shield Framework.
Data Processing and Security Terms for AppSheet Services is available here.
GDPR/CCPA
The current status of compliance with all GDPR/CCPA requirements can be found on the pages available here.
PII – Personally Identifiable Information
You can mark all (or part) of your data in the application as sensitive data. The data will then not appear in the system logs.
HIPAA
It is achievable to meet all HIPAA requirements. A few details need to be taken care of. You can find the details here.
SOC
AppSheet is audited by SOC2 Type 2. The SOC report is available to customers upon request.
Management by IT department
If you are a Google Workspace and AppSheet administrator and are worried about security then be sure to check out these resources.
Governance policies
AppSheet dysponuje środkami, aby wdrożyć ograniczenia i wytyczne organizacji.
Polityka to zasada, która limituje jak aplikacje są tworzone, zarządzane oraz dystrybuowane.
Mamy do dyspozycji predefiniowane polityki oraz możliwość tworzenia własnych, niestandardowych.
Przykładowe to:
Predefined policy template | Description |
Require sign-in | Apps must require user sign-in |
Run-as app creator | Apps cannot be run by the app user |
Prevent row delete | Apps cannot delete data |
Restrict data source attachable to apps | Apps can access only specific data sources |
Restrict providers attachable to apps | Apps can access only specific providers |
Acceptable image resolution | Apps require a minimum resolution for captured images |
Must sync-on-start | Apps must refresh their data each time they start |
Enable offline use | Apps must be configured to run offline |
Restrict Prototype Authentication | Apps must:
By default, this policy applies to prototype apps; you can change the targeted apps. Note: It is required that you use this policy with Restrict Prototype Sharing to fully limit prototype access. |
Restrict who can deploy apps | Apps can be deployed only by specific app creators |
Apps must have documentation | Apps must include documentation; see App documentation on the About page |
Only users from specific domain | Only users from a specific domain can access the app |
Enforce FedRAMP compliance | Apps are FedRAMP compliant |
Restrict Prototype Sharing | Apps must:
By default, this policy applies to prototype apps; you can change the targeted apps. Note: It is required that you use this policy with Restrict Prototype Authentication to fully limit prototype access. |
Source: https://support.google.com/appsheet/answer/11948767?hl=en&ref_topic=11918354
Other IT questions
If you have more questions, check out this subpage in the documentation: https://support.google.com/appsheet/answer/10104707?hl=en&ref_topic=11918354#zippy=
Other useful resources
https://help.appsheet.com/en/collections/377986-security
https://help.appsheet.com/en/articles/962161-information-for-an-it-department