Security

We know how important it is to protect sensitive data, and we have designed SSFeatures with both security and privacy as our number one focus. This page answers the most frequently asked questions about security.

If this page does not answer your question, and you have a security question about a specific feature, please visit the Features page for answers about that specific feature. Alternatively Contact us and send us your question directly and we will promptly respond.

How does SSFeatures Work?

SSFeatures is an extension that you add to your browser, and it interacts directly with the HTML and JavaScript on the Smartsheet website. SSFeatures interacts directly with the HTML to add new buttons, input fields, and simulates actions like clicking a button.

SSFeatures leverages Smartsheet's own JavaScript code, calling the same functions that Smartsheet uses. This ensures consistent behavior, minimizes the risk of breaking anything, and maintains a seamless user experience.

This is a major advantage for security. Since SSFeatures handles everything in your browser, it never sends your data to our servers, and you don't need to provide a Smartsheet API key.

SSFeatures uses your browser's Local Storage to securely save all of your settings. This approach ensures that none of your settings are ever sent to our servers or stored in any database, keeping everything private and contained within your browser. The one downside is that if you uninstall SSFeatures, your browser will automatically delete all saved settings, and they cannot be recovered.

Using Automatic Sorting as an example:

The user opens Smartsheet.
SSFeatures waits until Smartsheet loads the HTML and JavaScript.
SSFeatures adds a new "SSFeatures" button into the HTML.
SSFeatures reads the user's settings from the browser's local storage.
SSFeatures notices that "automatic sorting" is enabled on this sheet.
SSFeatures calls Smartsheet's sortGridRows_invokeSort function to sort the data.

If you're a developer and familiar with using your browser’s developer tools, you can paste the following code into your browser's console to interact directly with Smartsheet’s code. This snippet selects and scrolls to the first column in your sheet, which is the exact same function used by SSFeatures in its "Hide / Unhide Columns" feature:


 // Get the Smartsheet grid object. 
 grid = formObjectHandler.getFormObjectByConstructor(JscMegaGrid); 

 // Get the first column in the grid. 
 column1 = grid.gridColumnSet[0]; 

 // Select the column so that it highlights. 
 column1.select(); 

 // Scroll the user's page to this column 
 grid.scrollToView_column(column1);

How can I view SSFeatures' source code?

To publish a browser extension on Chrome, Safari, Firefox, and Edge, each browser requires us to provide the full, unobfuscated source code. This means you can review and audit the actual code that runs in your browser. However, you may not copy, reproduce, or reuse any part of the source code.

To view the source code, simply install SSFeatures and open your browser’s developer tools. In the developer tools, go to the Sources tab and navigate to: SSFeatures > javascript/webpage/webpage-main.js.

The webpage-main.js file contains the complete source code of the extension.

Frequently Asked Questions - Security

Do you ever send any of my Smartsheet data from my browser to your servers?

Absolutely not. SSFeatures stores all your data within your browser's local storage using your browser's local storage API. We do not send any of this data to our servers or save it in our databases.

However, we do send the email address you use to log into Smartsheet to our server to verify that you are on the free trial or have a paid subscription.

Do you ever store any of my Smartsheet data in your databases?

Absolutely not. We do not even send any of your data from your browser to our servers.

Why does SSFeatures require permission 'storage'?

The SSFeatures requires the 'storage' permission to save your settings within your browser. This allows us to store your settings locally without sending any data to our servers or database. For example, when you enter sort settings in the Smartsheet sort popup, we save those settings in the browser storage so we can automatically fill out the window for you the next time you open it.

This is crucial to ensure that we never have to send any of your data to our servers.

Why does SSFeatures require "host permissions"?

We designed SSFeatures to be as user-friendly as possible, with a key goal of integrating our features directly into the Smartsheet web application. For example, we aimed to add a 'Sort Automatically' checkbox directly onto the webpage to enhance the user experience. To achieve this, browsers require us to add a script onto the Smartsheet webpage, enabling interaction with all of Smartsheet's HTML elements.

This approach also allows us to call Smartsheet's code directly. For instance, instead of implementing our own data sort function, we can use Smartsheet's built-in data sort function directly.

Does SSFeatures tamper, decompile, deobfuscate, disassemble, or reverse-engineer any Smartsheet code?

No, fortunately Smartsheet does not compile, assemble, or obfuscate their web application code. SSFeatures calls Smartsheet's code directly without modifying or tampering with their code in anyway.

Do any Smartsheet Partner's have browser extensions that execute Smartsheet code similar to SSFeatures?

Yes, for example, Gia Thinh Technology Company Limited has a SmartForm browser extension that modifies Smartsheet Forms similar to how SSFeatures modifies Sheets and Reports.

Can I view SSFeature's source code?

Yes, SSFeature's source code is fully visible within your browser. In fact, the Chrome, Edge, Firefox, and Safari extension stores require that our code is completely visible so that it is auditable.

To view the source code, open your browser's developer tools, go to "Sources" and then open "SSFeatures > javascript/webpage/webpage-main.js". This file contains all of the Javascript code that runs on your Smartsheet page.

Even though I can view your source code, is it possible for you to remotely inject new code onto the page?

No. The browser extension stores detect any attempt to remotely inject source code and they flag and deny extensions that attempt to do this. This Chrome article explains how and why it rejects extensions with remote code execution. This GitHub thread contains many examples of Chrome rejecting extensions because they accidentally included remote source code via a third party library. Extension stores take this very seriously!

Is communication from SSFeatures encrypted in transit with TLS 1.2 or greater?

Yes

Do you utilize full-disk encryption (AES-256 or greater) solution for all employee computers?

Yes

Would my SSFeatures Dashboard data be removed from your server if requested?

Yes, please contact us using the "Contact Us" page.

In case of any security incidents impacting SSFeatures user data, will I be notified within 24 hours?

Yes

Will any of my information be shared with another entity, software, or 3rd party?

Which cloud provider do you use to process or store data?

DigitalOcean

Where are the physical locations of the cloud provider?

North America

Does SSFeatures require access to my organization's network?

Does SSFeatures require a software agent running on my organization's hosts?

Does SSFeatures require a connection to my organization's network whatsoever?

No, you can use SSFeatures from any network that you wish.

Do you use a "least access" model with users and employees gaining access only to what they need?

Yes

Do you have logical access controls for your servers, systems, and databases?

Yes

Is access to SSFeatures data logged and reviewed internally?

Yes

For your internal systems, is there a process to periodically evaluate whether access is still needed?

Yes

For your internal systems, when access is no longer needed, is it removed within a reasonable time frame?

Yes, within 2 weeks of the periodic evaluation.

Do you require 2-factor authentication (2FA) for remote access into your internal network?

Yes

Do you have protections against brute force login attempts?

Yes

Do you have protection against DDoS attacks?

Yes, all of our traffic is proxied through Cloudflare's DDoS protection.

Is technical maintenance only executed from secured maintenance workstations with encrypted hard drives?

Yes

When accessed from a public network location, is the maintenance environment only accessible with a strong (multi-factor) authentication?

Yes

Is there a backup and restore plan for when things go wrong during maintenance?

Yes

Is there a description of the information system, operating procedures, and configuration?

Yes

Do users have the ability to upload or store information within SSFeatures?

Does SSFeatures push Smartsheet data to another party, other than Smartsheet?

Does any third party have the ability to remote access the servers or databases?