Trade-off
We gave up persistent servers
Stateless containers are harder to build and can't rely on local state between requests. But nothing persists after analysis - no disk, no leftover data.
Most analytics tools permanently store your customer data. Jetti Sheets keeps core analytics on Google's infrastructure, avoids permanent raw-data storage, and only sends aggregated report metrics to Anthropic if you choose AI summaries.
| Metric | Value |
|---|---|
| Permanent databases of customer data | 0 |
| OAuth permissions requested | 4 |
| Maximum cache retention | 24h |
| AI summaries via Anthropic | Opt-in |
A tool that lives inside your spreadsheet, processes data in memory, and keeps nothing is architecturally safer than a standalone platform that permanently stores every customer record in its own database. That's not a workaround - it's a better model.
Standalone analytics tools ask you to connect your Stripe account and hand over your entire transaction history - forever. If they get breached, years of your data are exposed. If you leave, your data stays behind. We built Jetti Sheets to be the opposite of that. Process, return, don't store.
It's harder to engineer this way. But it means there's no permanent copy of your customer data on our servers, ever. And as we expand to direct API integrations, every new feature follows the same principle.
Trade-off
A permanent database would make our product faster and easier to build. Instead, we use a 24-hour cache you control - because your data shouldn't live on our servers.
Trade-off
Core analytics processing runs on Google Cloud. If you choose AI summaries, aggregated report metrics are sent to Anthropic.
Trade-off
You can see and delete your cached data anytime from the sidebar. We deliberately built it so you don't need our permission or our help to remove your data.
Architecture
Every component minimizes how much data we touch, how long we touch it, and who can access it.
Google Cloud Run containers with no persistent disk. Your data lives in memory during analysis, then the container shuts down. Nothing is written to disk, ever.
Analysis results can be cached up to 24 hours for faster repeat views. Encrypted at rest with AES-256, isolated per-user, and auto-deleted. You can also clear it instantly from the sidebar.
Every API request is verified twice. Google Cloud Run IAM validates your Google identity at the network edge, then our License API confirms your subscription and available tokens.
Core analytics processing stays on Google Cloud. If you choose AI summaries, aggregated report metrics are sent to Anthropic over encrypted transport.
Cached data is keyed to a SHA-256 hash of your email address. No user can access, see, list, or delete another user's cache entries. Completely isolated.
If you choose Ask AI, only aggregated report metrics, report structure, and report context are sent to Anthropic's commercial API over encrypted transport. Raw customer records, names, emails, and identifiers are not sent.
Data Flow
Your data makes one round trip through Google's encrypted network and comes back as a report in your spreadsheet. Optional AI summaries follow a separate, opt-in path using aggregated report metrics only.
Your Sheet (source of truth) -> Google Network (encrypted in transit) -> Analysis Engine (in-memory, stateless) -> Your Report (written to your sheet)
Your spreadsheet remains the source of truth. Core analytics return to your sheet, and optional AI summaries use aggregated report metrics only.
Permissions
We request the minimum OAuth scopes required to function. Nothing more.
| Permission | Why it's needed |
|---|---|
| View and manage spreadsheets | Read your data for analysis, write results to new tabs in your spreadsheet. |
| Connect to external service | Send data to our analysis engines running on Google Cloud Run. |
| Display sidebar content | Render the Jetti Sheets interface panel inside Google Sheets. |
| Google Drive (file picker only) | Let you select specific files to upload via Google Picker UI. We can only see files you explicitly choose - never your full Drive. |
Not requested. Not accessible. Jetti Sheets can only see your active spreadsheet and files you explicitly select via the file picker.
Google Workspace Marketplace verified. Jetti Sheets passed Google's security review for OAuth scope compliance, data handling, and permission requirements.
Data Retention
Three categories. That's the complete list.
| Data | Duration | Purpose |
|---|---|---|
| Email + license key | Until you request deletion | Subscription validation |
| Cached analysis results | 24 hours max (auto-delete) | Faster repeat views. Encrypted, isolated, user-deletable anytime. |
| Request metadata | 30 days | Debugging only. Timestamps, row counts, masked emails. |
We do not store: customer names, revenue figures, transaction history, spreadsheet contents, payment data, or your raw customer data. Your spreadsheet remains the source of truth, and Jetti Sheets does not permanently store raw customer data.
Comparison
Traditional analytics tools need a permanent connection to your payment provider and a database to store everything. We need neither.
| | Traditional analytics tools | Jetti Sheets |
|---|---|---|
| Customer data | Stored permanently - every record, forever | No permanent storage |
| Revenue database | Yes, accessible to their support team | No database exists |
| Where data lives | Copied to their AWS/GCP servers | Core analytics: your sheet -> Google Cloud -> your sheet. Optional AI summaries: aggregated report metrics -> Anthropic. |
| If breached | Full customer history exposed | Core analytics exposure is limited to encrypted, auto-deleting cache. Optional AI-summary data is handled separately under Anthropic's commercial terms. |
| Delete your data | Submit a request and wait | Delete it yourself, instantly, from the sidebar |
| API connection | Permanent OAuth to Stripe | None required - works from your spreadsheet |
| Payment provider credentials | Holds your Stripe API keys | Not required - no API keys to your payment provider |
| Data visibility | No way to see what they've stored about you | See every cached file - its size, type, and age - from the sidebar |
FAQ
No. The analysis pipeline is fully automated - your data goes in, results come out, no human is involved at any point. Cached data is encrypted, isolated per-user, and auto-deleted within 24 hours.
There's no database of customer records, no transaction history, and no API credentials to payment providers. The worst-case exposure is cached analysis results from the last 24 hours - encrypted at rest and isolated per-user. Compare this to a breach at a standalone analytics tool, which would expose your entire customer history from the day you connected your account.
Open the Reports tab in the Jetti Sheets sidebar. You'll see every cached file - its size, type, and age. Select individual entries or clear everything at once. It takes about two seconds. Anything remaining auto-deletes after 24 hours regardless.
Jetti Sheets does not use your data to train models. If you choose AI summaries, aggregated report metrics are sent to Anthropic's commercial API to generate the summary. Anthropic says it does not use inputs or outputs from its commercial products to train models by default.
Your reports stay in your spreadsheet - they're regular tabs you own. Any cached data auto-deletes within 24 hours. Your license record (email + key) is kept so you can reactivate later, but email support@jettisheets.com and we'll delete that within 48 hours.
No. When we add direct API integrations (for example, connecting to Stripe), they'll follow the same privacy-preserving architecture: process your data, return results, don't store it permanently. The same stateless processing, the same temporary cache model, the same user-controlled deletion. The principles that define this security page won't change as the product grows.
Infrastructure
For security teams and technical evaluators.
Google Cloud Run - stateless containers with no persistent disk, in-memory only, per-request lifecycle. Containers terminate after each analysis.
Google Cloud Storage with 24-hour lifecycle policy. AES-256 encryption at rest via Google-managed keys. Per-user isolation via SHA-256 hashed identifiers.
Layer 1: Google Cloud Run IAM validates Google identity tokens at the network edge. Layer 2: License API verifies active subscription + available tokens.
Single-region deployment on Google Cloud for core analytics. All traffic is encrypted in transit. Optional AI summaries are sent to Anthropic's commercial API over encrypted transport.
Google Cloud SQL (PostgreSQL) with regional HA. Stores email + license key only. No customer data, no revenue data, no spreadsheet contents.
Optional Ask AI requests send aggregated report metrics to Anthropic's commercial API. Anthropic says commercial inputs and outputs are not used for model training by default and are deleted within 30 days by default, subject to limited exceptions.
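The per-user cache isolation and 24-hour expiry described under Architecture and Infrastructure, sketched as an added example that is not Jetti Sheets' own code. `UserCache`, `user_prefix`, the email normalization, and the in-memory dictionary standing in for the storage bucket are assumptions. Because anyone who knows an email address can compute its SHA-256, the prefix is derived from the verified identity and never accepted from the caller, and the age limit is also checked on read.

```python
import hashlib
import time

MAX_AGE_SECONDS = 24 * 60 * 60  # the page's 24-hour maximum cache retention


def user_prefix(email: str) -> str:
    """Namespace for one user: SHA-256 of the normalized email (normalization is an assumption)."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


class UserCache:
    """In-memory stand-in for the cache bucket; every call is scoped by the verified email."""

    def __init__(self, clock=time.time):
        self._objects = {}  # "<prefix>/<name>" -> (stored_at, data)
        self._clock = clock

    def _key(self, verified_email: str, name: str) -> str:
        # The prefix comes from the authenticated identity, never from the request body,
        # and the name may not contain separators that could reach another prefix.
        if not name or "/" in name or "\\" in name or name in (".", ".."):
            raise ValueError("invalid cache entry name")
        return f"{user_prefix(verified_email)}/{name}"

    def put(self, verified_email: str, name: str, data: bytes) -> None:
        self._objects[self._key(verified_email, name)] = (self._clock(), data)

    def get(self, verified_email: str, name: str):
        key = self._key(verified_email, name)
        entry = self._objects.get(key)
        if entry is None:
            return None
        stored_at, data = entry
        if self._clock() - stored_at >= MAX_AGE_SECONDS:
            del self._objects[key]  # expired: drop on read instead of serving stale data
            return None
        return data

    def list_entries(self, verified_email: str):
        prefix = user_prefix(verified_email) + "/"
        now = self._clock()
        return sorted(k[len(prefix):] for k, (t, _) in self._objects.items()
                      if k.startswith(prefix) and now - t < MAX_AGE_SECONDS)

    def delete(self, verified_email: str, name: str) -> bool:
        return self._objects.pop(self._key(verified_email, name), None) is not None
```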
Security Roadmap
We're transparent about where we are and where we're going. This page will be updated as items ship.
Shipped
Stateless, in-memory processing
AES-256 encrypted cache
24-hour auto-expiry on all cache
User-controlled cache management
Two-layer authentication
Email masking in all system logs
Per-user SHA-256 isolation
Google Cloud-first analytics infrastructure
Coming next
Formal cache access audit logging
SOC 2 Type I certification
Data processing agreements
Customer-managed encryption keys
External penetration testing
We take every inquiry seriously and respond within 48 hours.