Security and governance

Security and governance

Every step of the way


Google AppSheet is secure by design


AppSheet’s built-in encryption enables AppSheet apps to be securely accessed anywhere, from any device.

Encryption Encryption

Up to date, everywhere

The AppSheet platform is updated across the globe, with no need for patching.

Up to date, everywhere Up to date, everywhere

Cloud first

Powered by Google Cloud Platform, AppSheet offers a browser-based approach on a platform trusted by enterprises worldwide.

Cloud first Cloud first
Up to date, everywhere
Cloud first


Built to meet your compliance needs

application security

Manage user access and data for your apps

User access
App data
App usage

User access

Control who can access your apps based on roles and teams, without sharing your underlying datasource with users.

User access User access

App data

Use security filtering and conditional logic to choose who has access to specific data and features within your app.

App data App data

App usage

Track and monitor app usage, such as who has used your app, what features they’re using, and more.

App usage App usage


Govern your organization’s AppSheet apps and ecosystem with advanced controls

Govern applications

Manage how apps are created and deployed. Enforce usage policies and track app usage in your organization.

Govern applications Govern applications

Govern data

Set up detailed policies to control which data sources and data types can be used.

Govern data Govern data

Govern AppSheet app creators

Set up groups and group policies that define how their users can engage with the platform.

Govern AppSheet app creators Govern AppSheet app creators
Govern applications
Govern data
Govern AppSheet app creators

Find the security answers you need

Does AppSheet store our data in its cloud?

Data stored in AppSheet applications is primarily stored in a location of your choosing, which can either be in a cloud storage service such as Google Sheets, in a cloud database such as Cloud SQL, or in a database of your choosing. In some cases, AppSheet stores your application data temporarily for performance and to support features such as the audit log. You can control these features in the application configuration.

The configuration of your applications (e.g. look-and-feel, branding, sharing) and certain user information (e.g. teams, data source configuration, administrative policy) are stored securely by AppSheet in Google Cloud.

How do I authenticate against AppSheet?

All AppSheet users (including both application creators and users) are authenticated using a single-sign-on provider of your choosing (including Google, Microsoft, Apple, Dropbox, Smartsheet, Box, and Salesforce). AppSheet does not use, process, or store passwords for application creators or users.

When a user authenticates with AppSheet, we store an OAuth2 credential which allows AppSheet to access Cloud Storage services (such as Google Drive) and other data sources (such as Google Calendar).

Some supported data sources such as databases (MySQL, PostgreSQL, etc.) support username/password authentication. AppSheet stores these credentials encrypted in a secure database in Google Cloud.

Does AppSheet support domain groups for authentication?

In some cases AppSheet can integrate with domain groups, such as Google Groups, AD Groups, and Okta. Custom groups defined in your IDP can then be leveraged for roles-based access inside of individual applications. You can read more about this here.

Is AppSheet SOC compliant?

Yes. AppSheet is SOC2 Type 2 audited. Our SOC Report is available to customers under NDA and upon request.

Is AppSheet HIPAA compliant?

AppSheet supports customers’ compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA), which governs the safeguarding, use, and disclosure of protected health information (PHI). If you are subject to HIPAA and wish to use AppSheet for PHI processing or storage, please follow the steps outlined here.

Is there granular control over which users can see which applications?

Yes. Each app in your organization can have its own security. You can either (A) explicitly list users, (B) enable domain authentication support for this one application, or (C) enable domain group support if your provider supports that feature. You can learn more here.

Does AppSheet have a REST API for inbound requests?

Yes. You can invoke add, delete, edit, find, and run actions. We have several help articles to get you started. You can learn more about AppSheet’s REST API here.

Ready to try AppSheet?

Try AppSheet