Last Updated: January 26, 2022

Security is a top priority at Spreadsheet.com. You’ve entrusted us with your sensitive and valuable data, and we take this responsibility seriously. We work continually to improve our security processes and controls. Below we’ve provided an overview of our security practices and tools. If you have questions about any of this, send us a note at info@spreadsheet.com.

Infrastructure, network security, and file storage

All Spreadsheet.com servers are instances of the Amazon Elastic Compute Cloud (Amazon EC2) service from Amazon Web Services (AWS). Our EC2 servers reside within an Amazon Virtual Private Cloud (Amazon VPC) and cannot be accessed via the public internet. The access mechanisms to these servers are limited to an essential set of protocols and ports via internet-facing proxy servers. The file attachments you upload within Spreadsheet.com are stored and served from the Amazon Simple Storage Service (Amazon S3).

Encryption in transit

Spreadsheet.com uses TLS 1.2 to transmit data between your device and our cloud servers. TLS termination happens at Amazon Elastic Load Balancers (Amazon ELB) and the keys are managed by the ELB service itself.

Encryption at rest

Your spreadsheet data in Spreadsheet.com is stored using the MongoDB Atlas cloud database service managed by MongoDB on AWS. Atlas database clusters are configured to store data in encrypted form using the industry-standard AES-256 symmetric encryption algorithm for everything: databases, backups, snapshots, and logs.

Symmetric Keys

Spreadsheet.com uses the Amazon Key Management Service (Amazon KMS) for lifecycle management of all symmetric encryption keys. Spreadsheet.com does not maintain private keys in cleartext on disk.

Access Control

Spreadsheet.com supports OAuth2-based Google Account authentication as well as email- and password-based authentication. We plan to add support for 2-factor authentication (2FA) soon.


Spreadsheet.com utilizes the following services to store and transmit your data, and to provide a continuous and reliable service. We’ve taken care to vet the security and privacy practices of these vendors.

Amazon Web Services
MongoDB Atlas

Ongoing SOC 2, HIPAA, and GDPR monitoring

SOC 2 compliance

Spreadsheet.com is currently undergoing a Service Organization Controls (SOC 2 Type II) audit, and is in the process of setting up continual SOC 2 Type II monitoring with Vanta.

HIPAA compliance

Spreadsheet.com is in the process of aligning our service with the U.S. Health Insurance Portability and Accountability Act (HIPAA) through the offering of a business associate agreement (BAA) and continual HIPAA compliance monitoring with Vanta.

GDPR compliance

Spreadsheet.com is in the process of confirming compliance with the European General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) provisions. This includes setting up continual GDPR compliance monitoring with Vanta.