SheetLink

Security by Design

SheetLink is built with security and privacy as core principles. Here's how we protect your financial data.

Pass-Through Architecture

Your transaction data never sits on our servers. Here's the complete data flow:

Your Bank

Via Plaid

SheetLink API

In-memory (<1 second)

Your Browser

Extension

Your Sheet

Google Sheets

What this means: Transaction data exists in our backend for less than 1 second during sync. No persistence, no storage, no logs of your financial activity.

Excel Add-in: The same pass-through architecture applies. Transaction data flows from Plaid → SheetLink API → Excel Add-in task pane → your Excel workbook via the Office.js API. SheetLink does not transmit workbook data to Microsoft.

What We Store (Encrypted)

Plaid Access Tokens

Encrypted using Fernet (AES-128-CBC + HMAC). Only decrypted during sync operations.

Google User ID

Your email or stable Google ID. Used to restore your Plaid Items across devices.

Sheet Metadata

Sheet ID and title. Used to write transactions to the correct destination.

Plaid Metadata

Item IDs, institution IDs, sync cursors, and timestamps. No transaction content.

JWT Tokens (Browser Only)

Stored in Chrome's secure storage (chrome.storage.sync). Tokens are never persisted on our servers. They expire after 60 minutes and are automatically deleted.

Subscription Tier

Your subscription tier (FREE/PRO) to enforce feature limits and data access policies. Not encrypted as it's not sensitive data.

What We DON'T Store

Transaction Line Items

No amounts, merchants, categories, or dates

Account Balances

Your current or historical balances are never stored

Bank Credentials

Handled exclusively by Plaid, never seen by SheetLink

Google OAuth Tokens

Remain in your browser, never sent to our servers

Sheet Contents

We write data but never read your spreadsheets

JWT Authentication & Authorization

SheetLink uses industry-standard JWT (JSON Web Token) authentication to securely identify users and enforce subscription tier limits.

Authentication Flow:

  1. 1. User signs in with Google OAuth (trusted identity provider)
  2. 2. Backend verifies Google ID token with Google's API
  3. 3. Backend generates signed JWT token (60-minute expiry)
  4. 4. Extension stores JWT in Chrome's secure storage
  5. 5. All API requests include JWT in Authorization header
  6. 6. Backend verifies JWT signature and enforces tier limits

Token Security

  • Cryptographic signatures: Tokens can't be tampered with
  • 60-minute expiry: Limited validity window
  • HTTPS only: Encrypted transmission
  • Stateless design: No server-side session tracking

Identity Verification

  • Google OAuth: Trusted identity provider
  • ID token verification: Backend validates with Google
  • Prevents impersonation: Can't fake user identity
  • Re-auth on expiry: Continuous security validation

Protected API Endpoints:

The following endpoints require JWT authentication:

  • /tier/status - Get subscription tier and features
  • /plaid/sync - Sync transactions with tier-based field filtering
  • /plaid/backfill - Fetch historical data within tier limits

Tier-Based Access Control: Backend enforces limits based on authenticated user's subscription tier. FREE users can't access PRO features even if they modify the extension code.

Minimal Extension Permissions

The Chrome extension requests only what's needed to function:

storage

Store encrypted tokens and user preferences locally

identity

Google OAuth authentication

alarms

Schedule JWT token refresh

host permission

Access to googleapis.com (Google Sheets/Drive APIs), cdn.plaid.com (Plaid SDK), and api.sheetlink.app (SheetLink backend)

We do NOT request: Browsing history, access to other websites beyond the essential APIs listed above, clipboard access, or camera/microphone access.

API Security

  • CORS restrictions: Only SheetLink domains and extension ID allowed
  • Rate limiting: All endpoints protected against abuse
  • Input validation: All user input sanitized and validated
  • Privacy middleware: Sensitive data suppressed from logs
  • Sheet permission verification: Tests write access before connecting
  • HTTPS/TLS 1.2+: All communication encrypted in transit

Third-Party Security

Plaid

  • Handles all bank authentication
  • SOC 2 Type II certified
  • Trusted by thousands of companies
Learn more about Plaid Security →

Google

  • OAuth 2.0 authentication
  • Sheets API for write-only access
  • Industry-leading security standards
Learn more about Google Security →

Microsoft

  • Office.js API for workbook writes
  • Managed dialog for OAuth and Plaid
  • SheetLink does not send workbook data to Microsoft
Microsoft Privacy Statement →

Report a Vulnerability

We take security seriously. If you discover a vulnerability, please report it responsibly:

Email: security@sheetlink.app

Response time: Within 48 hours

Disclosure: We'll coordinate responsible disclosure with you

Please do not publicly disclose the vulnerability before we've had time to patch it. We acknowledge security researchers in our release notes (with permission).

Audit the Code Yourself

All client-side code (extension and landing site) is open source and available on GitHub. You can review every line before installing.

View on GitHubRead Privacy Policy