Sourcetable Security

Last Updated: February 2026

Sourcetable is a spreadsheet application with AI superpowers that combines the familiar interface of spreadsheets with the power of modern data analysis, artificial intelligence, and real-time collaboration. Security is fundamental to everything we build.


This document outlines our security practices and commitments to protect your data and maintain your trust.



Compliance & Certifications


We maintain compliance with industry-standard security frameworks and engage independent security professionals to validate our security controls.


Security Framework

We implement security controls aligned with industry-standard frameworks including SOC 2 and ISO 27001 requirements. We are actively pursuing formal certification and expect to complete our SOC 2 Type II audit in 2026.


Our Security Controls Include:

  • Comprehensive security policies and procedures
  • Access controls and authentication mechanisms
  • Data encryption at rest and in transit
  • Network segmentation and monitoring
  • Incident response and business continuity planning
  • Regular security assessments and testing

Regulatory Compliance

  • GDPR - EU data protection requirements implemented
  • CCPA - California Consumer Privacy Act compliance for US data subjects
  • HIPAA - Security controls aligned with HIPAA requirements (BAA available for healthcare customers upon completion of SOC 2)
  • Data processing agreements (DPA) available for enterprise customers

External Validation

  • Regular security assessments by independent security professionals
  • Continuous vulnerability scanning and remediation
  • Responsible disclosure program for security researchers
  • Transparent incident reporting and communication


Data Protection


Encryption

Data at Rest

  • AES-256-GCM encryption for all customer data
  • Envelope encryption with separate data and key encryption keys
  • Encrypted backups with separate key management
  • Encrypted database storage using industry-standard practices

Data in Transit

  • TLS 1.2+ with Perfect Forward Secrecy for all connections
  • Strong cryptographic cipher suites enforced
  • WebSocket connections secured with WSS (WebSocket Secure)
  • Secure API endpoints with certificate validation

Key Management

  • Secure key storage using cloud provider key management services
  • Regular key rotation policies
  • Separation of key management from data storage
  • Restricted access to encryption keys

Credential Storage

Standard Encryption

  • Integration credentials (API keys, OAuth tokens) encrypted with Sourcetable-managed keys
  • AES-256 encryption for all stored credentials
  • Credentials isolated per organization with separate encryption keys
  • Access restricted to authorized services only

Maximum Encryption Mode (Client-Side Encryption)

  • Optional client-side encryption for maximum security
  • Credentials encrypted with keys derived from user authentication
  • Sourcetable cannot access credentials without an active user session
  • User credentials never transmitted or stored in plaintext
  • Credential decryption only occurs in authenticated user context

This approach allows customers to choose their security model: standard encryption provides convenience with strong security, while maximum encryption ensures zero-knowledge architecture where we cannot access your credentials even if compelled.


Data Isolation

Multi-Tenancy Architecture

  • Logical data separation using organization-partitioned schemas
  • Customer data isolated at the database, application, and API layers
  • No data sharing between customer organizations
  • Dedicated encryption keys per organization

Data Residency

  • Data stored in secure enterprise cloud regions
  • Geographic data storage options available upon request for enterprise customers
  • Regional data storage agreements available for compliance requirements

Data Retention & Deletion

  • Configurable retention policies for workbooks and data
  • Secure deletion processes following industry standards
  • Data removal within 30 days of deletion request
  • Right to erasure supported for GDPR compliance


Infrastructure Security


Cloud Infrastructure

Primary Infrastructure

  • Hosted on enterprise-grade cloud infrastructure providers
  • Leverages tier-1 cloud services with industry-leading durability and availability
  • Multi-availability zone architecture for high availability
  • Geographic redundancy for disaster recovery
  • 99.9% uptime target for production services

Physical Security

  • Enterprise cloud data centers with SOC 2, ISO 27001, and multiple compliance certifications
  • Physical security managed by cloud provider (biometric access, 24/7 monitoring, video surveillance)
  • Redundant power and environmental controls
  • Physical access restricted to authorized personnel only

Network Security

Network Architecture

  • Network segmentation isolating production, staging, and development
  • Zero Trust architecture with no implicit trust boundaries
  • Private VPC networks with controlled internet access
  • DDoS protection and mitigation services

Perimeter Defense

  • Application security controls addressing OWASP Top 10 vulnerabilities
  • Rate limiting and abuse prevention systems
  • Intrusion detection and monitoring capabilities
  • Real-time security monitoring and alerting

Monitoring & Logging

  • 24/7 security monitoring with on-call response team
  • Centralized logging and monitoring
  • Log retention per compliance requirements
  • Real-time alerting for security events


Access Control & Identity


Authentication

User Authentication

  • Multi-factor authentication (MFA) supported for all users
  • Enterprise authentication options available
  • Modern authentication methods
  • Secure session management

Session Management

  • Secure session token generation and storage
  • Automatic session timeout for inactive users
  • Secure cookie handling with HttpOnly and Secure flags
  • Session revocation capabilities

Authorization

Role-Based Access Control (RBAC)

  • Granular permissions at workbook, sheet, and data source levels
  • Role-based access controls for users and teams
  • Fine-grained permission controls for enterprise customers
  • Principle of least privilege enforced across all access

API Security

  • API key authentication for programmatic access
  • Scoped API tokens with granular permissions
  • Rate limiting per API key to prevent abuse
  • API key rotation and revocation capabilities

Internal Access Controls

Employee Access

  • Role-based access to production systems
  • Multi-factor authentication for employee access
  • Approval workflows for privileged access
  • All production access logged and audited

Privileged Access Management

  • Separate administrative accounts for privileged operations
  • Time-limited elevation for administrative tasks
  • Approval workflows for critical operations
  • Comprehensive audit trails for all privileged access


Application Security


Secure Development Lifecycle

Design Phase

  • Threat modeling for new features and architecture changes
  • Security requirements defined during planning
  • Privacy impact assessments for data processing changes
  • Security architecture review before implementation

Development Phase

  • Peer code review required for all changes (PRGB - Peer Review, Green Build)
  • Automated security scanning in CI/CD pipeline
  • Static Application Security Testing (SAST) integrated in development workflow
  • Dependency vulnerability scanning with automated alerts

Testing Phase

  • Security testing in staging environments
  • Penetration testing before major releases
  • Security-focused test cases in test suites
  • Manual security review for high-risk changes

Deployment Phase

  • Immutable infrastructure deployments
  • Automated security checks before production deployment
  • Rollback capabilities for all deployments
  • Deployment strategies designed for minimal downtime

Vulnerability Management

Continuous Monitoring

  • Automated vulnerability scanning of infrastructure and applications
  • Third-party dependency monitoring with automated updates
  • Regular external penetration testing
  • Comprehensive security assessments

Patching & Remediation

  • Critical vulnerabilities patched within 24-48 hours
  • High-severity vulnerabilities patched within 7 days
  • Regular patch management for all systems
  • Emergency patching procedures for zero-day vulnerabilities

Bug Bounty Program

  • Responsible disclosure program for security researchers
  • Recognition and rewards for valid security findings
  • Contact: support@sourcetable.com for program details
  • We welcome responsible security disclosures


AI & ML Security


AI Model Security

Model Training & Deployment

  • Secure model training pipelines with access controls
  • Model versioning and provenance tracking
  • Validation of model inputs and outputs
  • Rate limiting and abuse prevention for AI features

Data Processing

  • Customer data processed only as authorized
  • Anonymized usage patterns and summaries used to improve service quality
  • Customer content and detailed conversation data not used for model training
  • Data minimization principles applied to AI processing
  • Audit trails for all AI-assisted operations

Third-Party AI Services

Provider Selection

  • Security assessment of all AI service providers
  • Data protection measures with all AI vendors
  • Contractual safeguards prohibiting unauthorized data use
  • Regular vendor security reviews

Supported AI Providers

  • Multiple enterprise AI providers supported
  • Direct integrations with leading AI model providers
  • Customer choice of AI provider where applicable

All AI provider connections encrypted in transit with authentication.



Operational Security


Business Continuity

Backup & Recovery

  • Automated backups of all customer data
  • Point-in-time recovery capabilities leveraging cloud provider features
  • Geographic backup distribution for disaster recovery
  • Backup restoration testing performed regularly

Disaster Recovery

  • Documented disaster recovery procedures
  • Leverages cloud provider redundancy and durability features
  • Regular review and testing of recovery procedures
  • Incident response plans for service disruptions

Change Management

  • Documented change control procedures
  • Separate staging and production environments
  • Automated deployment pipelines with rollback capabilities
  • Post-deployment verification and monitoring

Asset Management

  • Comprehensive inventory of all hardware and software assets
  • Lifecycle management for all systems
  • Decommissioning procedures for end-of-life assets
  • Regular asset audits and reconciliation


Personnel Security


Background Checks

  • Background checks performed based on role and access requirements
  • Employment verification and reference checks
  • Enhanced screening for employees with privileged access to production systems
  • Screening aligned with industry best practices

Security Training

General Security Awareness

  • Regular security training for all employees
  • Security best practices and policy training
  • Data handling and privacy training
  • Ongoing security awareness programs

Specialized Training

  • Secure coding training for engineers
  • Incident response training for security team
  • Role-specific security training
  • Regular security updates and communications

Confidentiality

  • Confidentiality agreements signed by all employees and contractors
  • Non-disclosure agreements for sensitive customer information
  • Clear data classification and handling policies
  • Consequences for policy violations defined and enforced


Incident Response


24/7 Security Operations

  • Security team with on-call rotation
  • Real-time monitoring and alerting
  • Automated threat detection and response
  • Incident escalation procedures

Incident Management

Detection & Response

  • Centralized security monitoring and alerting
  • Automated anomaly detection
  • Incident response playbooks for common scenarios
  • Regular incident response drills

Customer Notification

  • Notification within 72 hours of confirmed data breach affecting customer data
  • Transparent communication about incident scope and impact
  • Remediation steps and timelines communicated
  • Post-incident review and lessons learned

Security Status

  • Subscribe to security advisories at sourcetable.com/security
  • Historical incident transparency
  • Proactive communication about security updates


Customer Security Controls


Data Management

Export & Portability

  • Export workbooks and data at any time
  • Standard data formats (CSV, Excel)
  • API access for automated data export
  • No lock-in for your data

Data Deletion

  • Self-service workbook and data deletion
  • Organizational data deletion upon account closure
  • Confirmation required for destructive operations
  • Audit trail of deletion operations

Audit & Compliance

Audit Logs

  • Comprehensive audit logs for all user actions
  • Audit log access and export capabilities
  • Audit log export for compliance requirements
  • Audit log retention per compliance requirements

Compliance Features

  • Access control reporting
  • Compliance reporting capabilities
  • Data retention following security best practices
  • Security and privacy documentation available

Access Management

User Management

  • Invite and remove users from organization
  • Granular permission management
  • Session management and revocation
  • Activity monitoring and reporting

Integration Security

  • OAuth 2.0 for third-party integrations
  • Scoped permissions for connected services
  • Revocable access tokens
  • Integration audit trail


Shared Responsibility


Security is a shared responsibility between Sourcetable and our customers. Understanding this division helps ensure the best security posture.


Sourcetable Responsibilities

Infrastructure Security

  • Physical data center security
  • Network infrastructure and segmentation
  • Server and platform security
  • Database encryption and backups

Application Security

  • Secure application development
  • Vulnerability management
  • Authentication and authorization systems
  • API security

Operational Security

  • 24/7 monitoring and incident response
  • Security patching and updates
  • Compliance and certifications
  • Security training for personnel

Customer Responsibilities

Access Management

  • User account security and MFA enablement
  • Strong password policies enforcement
  • Role and permission assignments
  • Regular access reviews

Data Governance

  • Data classification and sensitivity labeling
  • Retention policy configuration
  • Appropriate data sharing decisions
  • Compliance with data use restrictions

User Security

  • End-user security awareness training
  • Secure device management
  • Network security for accessing Sourcetable
  • Reporting suspicious activity

Configuration

  • Authentication and access settings
  • Integration security settings
  • Workspace and sharing policies
  • Security feature enablement


Contact Us


Security Inquiries

General Security Questions

  • Email: support@sourcetable.com
  • Subject line: "Security Inquiry"
  • Response time: 2 business days for general inquiries

Vulnerability Reports

  • Email: support@sourcetable.com
  • Subject line: "Security Vulnerability Report"
  • Please include detailed reproduction steps
  • Responsible disclosure policy: 90 days

Enterprise Security Documentation

  • SOC 2 reports available under NDA (upon completion)
  • Security questionnaire responses
  • Custom security assessments
  • Contact: support@sourcetable.com

Trust & Compliance Resources

  • Security & Trust Center: sourcetable.com/security
  • Privacy Policy: sourcetable.com/privacy
  • Contact: support@sourcetable.com


Document Information


Version: 1.0

Last Updated: February 2026

Next Review: August 2026


This security documentation is reviewed and updated regularly to reflect our current security practices and certifications. For the most current version, visit sourcetable.com/security.


Document Classification: Public



Sourcetable is committed to protecting your data and maintaining your trust. We continually invest in our security program to defend against evolving threats while enabling innovation and collaboration.



Drop CSV