Discussion -


Discussion -


AppSheet – Security and Compliance – compendium

In this article, I will try to answer the most common questions about AppSheet application security.

You can also consider this article as a good resource to address any concerns your IT department has about implementing new solutions.

Each relevant subsection will provide a corresponding link with the source.

Are AppSheet apps and my data safe?

YES. More details here.

Applications developed with AppSheet are secure because of:

  • AppSheet’s architecture and security infrastructure underlying cloud and mobile technologies (AppSheet is a 100% SaaS platform. AppSheet runs on Google Cloud Computing services)
  • security settings that you have control over.

Where and how are AppSheet applications developed?

Applications are created on the AppSheet.com platform.

Applications are based on “tables”. Spreadsheets (Google Sheets) can be used, but other data sources are also available.

Other elements of the application (appearance, actions, automations, permissions) are defined using options available on the platform. No code is required, so applications can be created very quickly.

How are AppSheet applications distributed?

Apps are ditributed by sending a link to:

  • installing the AppSheet app from Google Play, AppStore (there you log into your account and see any apps you have access to)
  • opening the application in a web browser

Does every user need to authenticate?

There are two plans available: secure and public.

In secure you always have to authenticate with OAth using one of the most popular SSO providers.

In public the application is available for everyone. There are, however, significant limitations.

Can I publish my app to the Google Play store or AppStore?

It is a possibility, but it involves many concessions.

How is the data processed?

When users synchronize their application, the changes they make are sent to AppSheet’s web service via an encrypted protocol (HTTPS). AppSheet then makes the changes to a spreadsheet located in the backend. The latest version of the spreadsheet is read and uploaded back to the mobile app.

More details.

AppSheet certifications and documents

Privacy Policy and Data Processing and Security Terms for AppSheet Services

AppSheet is part of Google Cloud. The privacy policy can be found here. Google is a member of the Privacy Shield Framework.

Data Processing and Security Terms for AppSheet Services is available here.



The current status of compliance with all GDPR/CCPA requirements can be found on the pages available here.

PII – Personally Identifiable Information

You can mark all (or part) of your data in the application as sensitive data. The data will then not appear in the system logs.



It is achievable to meet all HIPAA requirements. A few details need to be taken care of. You can find the details here.



AppSheet is audited by SOC2 Type 2. The SOC report is available to customers upon request.


Management by IT department

If you are a Google Workspace and AppSheet administrator and are worried about security then be sure to check out these resources.


Governance policies

AppSheet dysponuje środkami, aby wdrożyć ograniczenia i wytyczne organizacji.

Polityka to zasada, która limituje jak aplikacje są tworzone, zarządzane oraz dystrybuowane.

Mamy do dyspozycji predefiniowane polityki oraz możliwość tworzenia własnych, niestandardowych.

Przykładowe to:

Predefined policy template


Require sign-in

Apps must require user sign-in

Run-as app creator

Apps cannot be run by the app user

Prevent row delete

Apps cannot delete data

Restrict data source attachable to apps

Apps can access only specific data sources

Restrict providers attachable to apps

Apps can access only specific providers

Acceptable image resolution

Apps require a minimum resolution for captured images

Must sync-on-start

Apps must refresh their data each time they start

Enable offline use

Apps must be configured to run offline

Restrict Prototype Authentication

Apps must:

By default, this policy applies to prototype apps; you can change the targeted apps.

Note: It is required that you use this policy with Restrict Prototype Sharing to fully limit prototype access.

Restrict who can deploy apps

Apps can be deployed only by specific app creators

Apps must have documentation

Apps must include documentation; see App documentation on the About page

Only users from specific domain

Only users from a specific domain can access the app

Enforce FedRAMP compliance

Apps are FedRAMP compliant

Restrict Prototype Sharing

Apps must:

  • Prevent the sharing of apps with an entire domain in the Share dialog
  • Limits the number of users that the app can be shared with in the Share dialog (defaults to 5)

By default, this policy applies to prototype apps; you can change the targeted apps.

See: Share: The Essentials

Note: It is required that you use this policy with Restrict Prototype Authentication to fully limit prototype access.

Source: https://support.google.com/appsheet/answer/11948767?hl=en&ref_topic=11918354

Other IT questions

If you have more questions, check out this subpage in the documentation: https://support.google.com/appsheet/answer/10104707?hl=en&ref_topic=11918354#zippy=

Other useful resources




Wojciech Szczepanik

I am a stoic entrepreneur with the power of leadership. I have been on both sides of entrepreneurship, and know how to help people succeed. I have a background in engineering and business development, which has given me a unique perspective on what it takes for an organization to be successful. I believe that being able to wear different hats is critical for any leader, so I spend time working on many projects simultaneously. Propably the biggest fan of AppSheet in Europe. I am a trainer at Akademia Aplikacji, where I teach AppSheet to the next generation of developers.


Submit a Comment

Your email address will not be published.

Passwords and why they suck

Passwords and why they suck

A lot of history here, a lot of data loss, a lot of battles with your users. Passwords are essential in modern world or at least it seems so. So what is going on here?