
Can developers of gsuite addons view the data in your sheets / docs?


Suppose we install a gsuite addon, we may see something like:


Suppose we have a google sheet/doc containing some plain text (a pretty standard use), equations, etc; e.g. it may contain: Here's something top secret: my_secret_123_abcxyz?!

Are there circumstances under which the developers of the addon would be able to read the text contained in the cells of a google sheet (or in a google doc)?

For reference: here are the T&C and privacy policy for the example above - note that there's no clear answer to the question contained in either of those policies.

Note: this is an extremely important consideration for handling client data, or meeting data governance requirements/laws at company and/or federal levels.


Solution

  • Q. Are there circumstances under which the developers of the addon would be able to read the text contained in the cells of a google sheet (or in a google doc)?

    A. Yes, the developers can read the text. Specifically what the application reads and what is done with that data is a mystery, however.

    When developing Gsuite add-ons you use a programming language called Google Apps Script. (Google gives the creators an internal editor to work in.)

    When the creator of the add-on writes code wanting to access different parts of the Gsuite API, a scope is automatically added to the manifest file for the application.

    The scope list explains what the application is attempting to access as it runs. That list generates the screen seen below.

    Scope example

    The permission screen doesn't get any more specific than that. However, everyone who wants to submit an application into the GSuite marketplace has to submit to a review process.

    One of Google's priorities in that process is making sure the add-on's publishers "Take appropriate steps to safeguard user data."
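To make the scope list described in the answer concrete, here is an added example (not part of the original answer, and not Google's code) that audits the `oauthScopes` array of an Apps Script manifest (`appsscript.json`) and reports which scopes expose sheet or doc contents and whether the script can also make outbound requests. The function name `auditManifest`, the report fields and both sample manifests are constructed for illustration; the scope table is not exhaustive.

```javascript
// Added example. Scope names are Google's published OAuth scopes; the two
// sample manifests are constructed for illustration.
const PREFIX = "https://www.googleapis.com/auth/";

// Scopes that let add-on code read file contents, and how far they reach.
const CONTENT_SCOPES = new Map([
  ["spreadsheets", "all of the user's spreadsheets"],
  ["spreadsheets.readonly", "all of the user's spreadsheets (read-only)"],
  ["spreadsheets.currentonly", "only the spreadsheet the add-on runs in"],
  ["documents", "all of the user's documents"],
  ["documents.readonly", "all of the user's documents (read-only)"],
  ["documents.currentonly", "only the document the add-on runs in"],
  ["drive", "all files in the user's Drive"],
  ["drive.readonly", "all files in the user's Drive (read-only)"],
]);
// Scope that allows outbound HTTP requests (UrlFetchApp).
const EXTERNAL_REQUEST = "script.external_request";

function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const report = {
    declared: Array.isArray(manifest.oauthScopes), // false: scopes are auto-detected
    readsContent: [], canCallOut: false, other: [],
  };
  for (const url of manifest.oauthScopes || []) {
    const name = url.startsWith(PREFIX) ? url.slice(PREFIX.length) : url;
    if (name === EXTERNAL_REQUEST) report.canCallOut = true;
    else if (CONTENT_SCOPES.has(name)) {
      report.readsContent.push({ scope: name, reach: CONTENT_SCOPES.get(name) });
    } else report.other.push(url);
  }
  // Content access plus outbound requests: cell text could be sent off-platform.
  report.contentCanLeave = report.readsContent.length > 0 && report.canCallOut;
  return report;
}

const SAMPLE_BROAD = JSON.stringify({ timeZone: "Etc/UTC", oauthScopes: [
  PREFIX + "spreadsheets", PREFIX + "script.external_request"] });
const SAMPLE_NARROW = JSON.stringify({ timeZone: "Etc/UTC", oauthScopes: [
  PREFIX + "spreadsheets.currentonly", PREFIX + "script.container.ui"] });

console.log(auditManifest(SAMPLE_BROAD));
console.log(auditManifest(SAMPLE_NARROW));
```

A `declared: false` result means the manifest lists no explicit scopes, so the consent screen is the only place the requested access shows up.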