SheetsSync is built with security as a fundamental priority. This page details our compliance with QuickBooks and Google requirements, our security practices, and how you can manage your data.
Trust Indicators
QuickBooks Integration Compliance
OAuth 2.0 Implementation
SheetsSync authenticates to QuickBooks through Intuit's OAuth 2.0 authorization flow:
- Authorization code flow with PKCE where supported
- Secure token storage with encryption at rest
- Automatic token refresh before expiration
- Proper token revocation on disconnect
- Never stores user passwords
API Scopes Requested
| Scope | Purpose |
|---|---|
| com.intuit.quickbooks.accounting | Read and write access to QuickBooks accounting data |
| openid | User identity verification |
Controlled Access: SheetsSync syncs data from QuickBooks to your sheet. With Two-Way Sync enabled (Pro), you can also push changes back to QuickBooks. All write operations require explicit user action — nothing is modified automatically without your control.
QuickBooks Webhooks
We implement QuickBooks webhooks to handle:
- App disconnection events (immediate token cleanup)
- Data change notifications (for future real-time sync)
- Webhook signature verification using HMAC-SHA256
Google Workspace Compliance
Google APIs Used
- Google Sheets API for data writing
- Google Identity Services for user authentication
- Google Apps Script for add-on functionality
OAuth Scopes
| Scope | Purpose |
|---|---|
| spreadsheets.currentonly | Write to the current spreadsheet only |
| script.container.ui | Display sidebar and dialogs |
| userinfo.email | Identify the current user |
Infrastructure Security
Vercel Edge Network
- Enterprise-grade hosting platform
- Automatic DDoS protection
- Edge functions with automatic scaling
- Automatic HTTPS with TLS 1.3
Supabase Database
- Enterprise-grade managed PostgreSQL
- Row Level Security (RLS) policies
- AES-256 encryption at rest
- Point-in-time recovery
- Automatic backups
Data Handling Practices
What We Store
| Data Type | Storage | Encryption | Retention |
|---|---|---|---|
| User Email | Database | At rest | Until deletion |
| QB Realm ID | Database | At rest | Until disconnect |
| OAuth Tokens | Database | AES-256 | Until disconnect/expiry |
| Sync Logs | Database | At rest | 90 days |
What We Do NOT Store
Your actual QuickBooks financial data (invoices, customers, payments, etc.) is never stored on our servers. Data is:
- Fetched from QuickBooks API
- Processed in-memory on our serverless functions
- Written directly to your Google Sheet
- Never persisted, cached, or logged
Disconnect and Data Deletion
How to Disconnect
You can disconnect SheetsSync at any time through multiple methods:
Method 1: From the Add-on
- Open Google Sheets
- Click Extensions > SheetsSync > Settings
- Click "Disconnect QuickBooks"
Method 2: From Intuit Account Manager
- Visit accounts.intuit.com
- Sign in to your Intuit account
- Navigate to Security > Apps connected
- Find "SheetsSync" and click "Remove access"
Method 3: API Request
What Happens on Disconnect
- OAuth tokens immediately deleted from our database
- Connection record removed
- Sync settings preserved (in case you reconnect)
- Previously synced data remains in your Google Sheet
- No further API calls made to QuickBooks
Vulnerability Disclosure
We take security seriously. If you discover a security vulnerability, please report it responsibly:
Security Contact
We aim to respond within 24 hours and will keep you updated on remediation progress.
Compliance Certifications
| Standard | Status | Coverage |
|---|---|---|
| Infrastructure Security | Enterprise-grade (Vercel & Supabase) | Hosting & database |
| GDPR | Compliant | Data handling |
| CCPA | Compliant | California users |
| Intuit Partner Guidelines | Compliant | QuickBooks integration |
Contact
For compliance questions, data requests, or security concerns:
- Security Issues: support@getsheetssync.com
- General Inquiries: support@getsheetssync.com
- Privacy Requests: privacy@getsheetssync.com