Last Updated: June 22, 2022

Security is a top priority at You’ve entrusted us with your sensitive and valuable data, and we take this responsibility seriously. We work continually to improve our security processes and controls. Below we’ve provided an overview of our security practices and tools. If you have questions about any of this, send us a note to

Infrastructure, network security, and file storage

All servers are instances of the Amazon Elastic Compute Cloud (Amazon EC2) service from Amazon Web Services (AWS). Our EC2 servers reside within an Amazon Virtual Private Cloud (Amazon VPC) and cannot be accessed via the public internet. The access mechanisms to these servers are limited to an essential set of protocols and ports via internet-facing proxy servers. The file attachments you upload within are stored and served from the Amazon Simple Storage Service (Amazon S3).

Server locations, regions, and government compliance

All data resides in the US on US-based AWS servers in the US-East-1 region (Northern Virginia). We plan to provide additional global regions in the future, and we are working toward AWS GovCloud support giving government customers and partners compliance with the FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-1075; and other compliance regimes.

Encryption in transit uses TLS 1.2 to transmit data between your device and our cloud servers. TLS termination happens at Amazon Elastic Load Balancers (Amazon ELB) and the keys are managed by the ELB service itself.

Encryption at rest

Your spreadsheet data in is stored using the MongoDB Atlas cloud database service managed by MongoDB on AWS. Atlas cloud service database clusters are configured to store data in encrypted form using the industry standard AES-256 symmetric encryption algorithm for everything: databases, backups, snapshots, and logs.

Symmetric Keys uses the Amazon Key Management Service (Amazon KMS) for lifecycle management of all symmetric encryption keys. does not maintain private keys in cleartext on disk.

Access Control supports OAuth2 based Google Account Authentication as well as email and password based authentication. We plan to add support for 2-factor authentication (2FA) soon.

Sub-processors utilizes the following services to store and transmit your data, and to provide a continuous and reliable service. We’ve taken care to vet the security and privacy practices of these vendors.

Amazon Web Services
MongoDB Atlas

SOC 2 Type II Report has successfully completed a System and Organization Controls (SOC) 2 Type II audit. Developed by the American Institute of Certified Public Accountants (AICPA), the SOC 2 information security standard is an audit report on the examination of controls relevant to the trust services criteria categories covering security, availability, processing integrity, confidentiality and privacy. A SOC 2 Type II report describes a service organization's systems and whether the design of specified controls meets the relevant trust services categories, and assesses the effectiveness of those controls over a specified period of time.’s SOC 2 Type II report did not have any noted exceptions and therefore was issued with a “clean” audit opinion. The report is available to all customers and prospective customers on request. Please email us at

In addition, is continually monitored by Vanta to ensure we remain in compliance with SOC 2.

HIPAA compliance is in the process of aligning our service with The U.S. Health Insurance Portability and Accountability Act (HIPAA) through the offering of a business associate agreement (BAA) and continual HIPAA compliance monitoring by Vanta.

GDPR compliance is in the process of confirming compliance with European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) provisions. This includes setting up continual GDPR compliance monitoring by Vanta. will soon be able to enter into Data Processing Agreements (DPAs) with customers on request. The DPA will include standard contractual clauses, which are the mechanism for GDPR-compliant data transfer.