Security by Design
SheetLink is built with security and privacy as core principles. Your financial data flows through us — it doesn't stay with us.
Pass-Through Architecture
Your transaction data never sits on our servers. Here's the complete data flow:
Your bank → Plaid
Bank authentication handled exclusively by Plaid — SheetLink never sees your credentials
Plaid → SheetLink API
Token exchange only — no transaction data stored at this step
SheetLink API fetches transactions
Data exists in memory for less than 1 second during sync, then deleted
SheetLink → Your destination
Written directly to Google Sheets, Excel, Postgres, SQLite, JSON, or CSV — your data, your storage
Guarantee: Transaction data exists on SheetLink servers for less than a second during sync — just long enough to fetch from Plaid and return to your client. Nothing is cached or logged.
What We Store
We do store
Plaid access tokens
Fernet-encrypted (AES-128-CBC + HMAC). Decrypted only during sync.
Google user ID + email
Used to restore your connections across devices.
Sheet metadata
Sheet ID and title — to write transactions to the right destination.
Plaid metadata
Item IDs, institution IDs, sync cursors. No transaction content.
Subscription tier
Free / Pro / MAX — to enforce feature limits server-side.
We never store
- Transaction amounts, merchants, categories, or dates
- Account balances or transaction history
- Bank usernames or passwords (Plaid handles these)
- Google OAuth tokens (stay in your browser)
- Your spreadsheet or database contents
JWT Authentication
Authentication flow
- 1.User signs in with Google OAuth
- 2.Backend verifies Google ID token with Google's API
- 3.Backend generates a signed JWT (60-minute expiry)
- 4.Extension stores JWT in Chrome's encrypted storage
- 5.All API requests send JWT in Authorization header
- 6.Backend verifies signature and enforces tier limits on every request
Token security
- ✓Cryptographic signatures — tokens can't be tampered with
- ✓60-minute expiry — limited validity window
- ✓HTTPS only — encrypted in transit
- ✓Stateless — no server-side session tracking
Protected endpoints
/tier/status/plaid/sync/plaid/backfill
Tier-based access control enforced server-side — FREE users can't access PRO or MAX features even with modified client code.
Minimal Extension Permissions
The Chrome extension requests only what's needed to function:
Store encrypted tokens and user preferences locally
Google OAuth authentication
Schedule JWT token refresh before expiry
googleapis.com (Sheets/Drive APIs), cdn.plaid.com (Plaid SDK), api.sheetlink.app (SheetLink backend)
API Security
CORS restrictions
Only SheetLink domains and extension IDs allowed
Rate limiting
All endpoints protected against abuse
Input validation
All user input sanitized and validated
Privacy middleware
Sensitive data automatically suppressed from logs on Plaid endpoints
Sheet permission check
Write access verified before connecting a sheet
HTTPS / TLS 1.2+
All communication encrypted in transit
Third-Party Security
Plaid
- ✓Handles all bank authentication
- ✓SOC 2 Type II certified
- ✓Trusted by thousands of companies
- ✓OAuth 2.0 authentication
- ✓Sheets API for write-only access
- ✓Industry-leading security standards
Microsoft
- ✓Office.js API for workbook writes
- ✓Managed dialog for OAuth and Plaid
- ✓SheetLink does not send workbook data to Microsoft
Anthropic MAX
- ✓Claude AI for conversational transaction queries
- ✓Data sent to Anthropic API on your behalf only
- ✓SheetLink does not retain data submitted to Claude
Audit the Code Yourself
All client-side code — the Chrome extension and this landing site — is open source on GitHub. Review every line before installing.
Report a Vulnerability
If you discover a security issue, please report it responsibly. Do not publicly disclose before we've patched it.
Email: security@sheetlink.app
Response time: Within 48 hours
Disclosure: Coordinated with you — we'll credit researchers in release notes (with permission)