Resolving data security issues with spreadsheets

2024-10-23
Luke Posey, Product Manager

@QuadraticHQ

We’ve spoken to numerous enterprises who have voiced valid concerns about their data storage and security in spreadsheets. In particular, users of Sheets and Excel have concerns with features that expose their enterprise to data security risks. They come to us asking for custom solutions to their concerns.

Most enterprises are contending with a tension between wanting to find valuable insights in hoards of data and understanding that their data is extremely valuable and sensitive. Modern data tools should be able to aid in resolving this tension, meeting their enterprise customers some place in the middle (which can still be murky). Some companies may not need advanced security, as they house primarily public data devoid of sensitive information. However, many companies house private, sensitive data that they sincerely want to protect.

Different teams have different data control requirements, but many expect at least one (if not all) of the following to be true:

  • Data can’t be taken out of the tool by users (disabling exporting features)
  • Data can’t live on servers that don’t belong to the company (allowing self-hosting)
  • The tool needs to have security guarantees (trust/security certifications)

1. Disabling data exporting

For some companies this feature is not a concern. For others it’s a security risk in plain sight. In spreadsheets there are two primary vectors of exposure:

  • Exporting the sheet (or its data) to pass around to fellow employees who may or may not have the relevant permissions
  • Having the capability to freely copy/paste the data elsewhere, often again to someone who may or may not have the relevant permissions

One simple solution (not foolproof) is an administrator-controlled option for enterprises that allows disabling features in the spreadsheet which are viewed as potential security risks. For enterprises we think the following make sense as a first step:

  • Optional disabling of exporting sheets of any file type
  • Optional disabling of copying (clipboard) data that can be pasted outside of the app

2. Self-hosting options

A wide variety of enterprise requirements around hosting data exist. For many European companies data must be stored in a data center in their home country (due to GDPR and other relevant regulations). For other companies globally we’ve heard that they can’t put any of their data in a cloud product hosted outside their own servers.

We’ve heard that requirement loud and clear and allow Quadratic to be self-hosted by enterprises in their clouds or local infrastructure, powered by Docker Compose. Contact us for help with self-hosting.

3. Security guarantees

Companies serious about data security need, at a minimum, to pursue security guarantees. Two common certifications that signal trust in modern applications are SOC 2 and HIPAA. Quadratic has achieved both certifications and is transparent about:

  • How those certifications were achieved.
  • How Quadratic conforms to them on an ongoing basis.

You can view our certifications and controls at trust.quadratichq.com.

Additionally, we’re big believers that transparent source code increases trust. Our code, roadmap, bug fixes and product decisions are always transparent on GitHub. Anyone is able to follow day-by-day as we ship code to improve the product.

Data controls start with you

Enterprises need to ensure their employees are trained and kept up to date on proper data controls with tools like spreadsheets (or any data tool your company relies on). That said, we also believe there are a number of steps we can take as providers of data tools to aid with responsible data security.

You can contact us to get help with your deployment in Quadratic or try Quadratic Cloud today.
