Security

Last Updated: June 22, 2022

Security is a top priority at Spreadsheet.com. You’ve entrusted us with your sensitive and valuable data, and we take this responsibility seriously. We work continually to improve our security processes and controls. Below we’ve provided an overview of our security practices and tools. If you have questions about any of this, send us a note at info@spreadsheet.com.

Infrastructure, network security, and file storage

All Spreadsheet.com servers are instances of the Amazon Elastic Compute Cloud (Amazon EC2) service from Amazon Web Services (AWS). Our EC2 servers reside within an Amazon Virtual Private Cloud (Amazon VPC) and cannot be accessed via the public internet. The access mechanisms to these servers are limited to an essential set of protocols and ports via internet-facing proxy servers. The file attachments you upload within Spreadsheet.com are stored and served from the Amazon Simple Storage Service (Amazon S3).

Server locations, regions, and government compliance

All Spreadsheet.com data resides in the US on US-based AWS servers in the US-East-1 region (Northern Virginia). We plan to provide additional global regions in the future, and we are working toward AWS GovCloud support giving government customers and partners compliance with the FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-1075; and other compliance regimes.

Encryption in transit

Spreadsheet.com uses TLS 1.2 to transmit data between your device and our cloud servers. TLS termination happens at Amazon Elastic Load Balancers (Amazon ELB) and the keys are managed by the ELB service itself.

Encryption at rest

Your spreadsheet data in Spreadsheet.com is stored using the MongoDB Atlas cloud database service managed by MongoDB on AWS. Atlas cloud service database clusters are configured to store data in encrypted form using the industry-standard AES-256 symmetric encryption algorithm for everything: databases, backups, snapshots, and logs.

Symmetric Keys

Spreadsheet.com uses the Amazon Key Management Service (Amazon KMS) for lifecycle management of all symmetric encryption keys. Spreadsheet.com does not maintain private keys in cleartext on disk.

Access Control

Spreadsheet.com supports OAuth2-based Google Account authentication as well as email- and password-based authentication. We plan to add support for 2-factor authentication (2FA) soon.

Sub-processors

Spreadsheet.com utilizes the following services to store and transmit your data, and to provide a continuous and reliable service. We’ve taken care to vet the security and privacy practices of these vendors.

Amazon Web Services
MongoDB Atlas
SendGrid
Pusher

SOC 2 Type II Report

Spreadsheet.com has successfully completed a System and Organization Controls (SOC) 2 Type II audit. Developed by the American Institute of Certified Public Accountants (AICPA), the SOC 2 information security standard is an audit report on the examination of controls relevant to the trust services criteria categories covering security, availability, processing integrity, confidentiality and privacy. A SOC 2 Type II report describes a service organization's systems and whether the design of specified controls meets the relevant trust services categories, and assesses the effectiveness of those controls over a specified period of time.

Spreadsheet.com’s SOC 2 Type II report did not have any noted exceptions and therefore was issued with a “clean” audit opinion. The report is available to all customers and prospective customers on request. Please email us at support@spreadsheet.com.

In addition, Spreadsheet.com is continually monitored by Vanta to ensure we remain in compliance with SOC 2.

HIPAA compliance

Spreadsheet.com is in the process of aligning our service with the U.S. Health Insurance Portability and Accountability Act (HIPAA) through the offering of a business associate agreement (BAA) and continual HIPAA compliance monitoring by Vanta.

GDPR compliance

Spreadsheet.com is in the process of confirming compliance with the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) provisions. This includes setting up continual GDPR compliance monitoring by Vanta. Spreadsheet.com will soon be able to enter into Data Processing Agreements (DPAs) with customers on request. The Spreadsheet.com DPA will include standard contractual clauses, which are the mechanism for GDPR-compliant data transfer.