Security at PathFinder

Your data is yours. We designed PathFinder so we never see it, never store it, and never have access to it. Here's how.

Core Principles

🔒 Zero Data Access

PathFinder never reads, stores, or transmits your spreadsheet data. All operations run inside your own Google account. We send instructions in — your data never comes out.

🔐 Encrypted at Every Step

Authentication tokens are encrypted with AES-256-GCM (the same standard used by banks and governments). API tokens are never stored in plaintext — only their cryptographic hashes exist in our database.

🛡 Defense in Depth

Multiple independent security layers protect every request. If any single layer fails, the others still block unauthorized access. No single point of compromise.

Least Privilege

Your AI can only do what your plan allows. Read-only users can't write. Basic users can't run automations. These limits are enforced server-side — they can't be bypassed from the client.

How Your Data Stays Safe

Every request follows a strict security pipeline. Here's what happens when your AI talks to your spreadsheet:

Layer 1 — Authentication

Token Verification

Every request requires a unique, cryptographically generated API token. The token is verified against a one-way hash — even if our database were compromised, your raw token cannot be recovered from what we store.

Layer 2 — Authorization

Subscription & Tier Check

Your active subscription and plan tier are verified on every request. Expired subscriptions are blocked immediately. Each tier has a specific set of allowed operations — requests outside your tier are rejected before execution.

Layer 3 — Code Validation

Safety Blocklist

Before any code runs in your spreadsheet, it passes through a multi-layer pattern filter that blocks dangerous operations — things like sending emails, accessing external services without permission, or modifying system configurations. These filters are enforced server-side and cannot be bypassed.

Layer 4 — Execution

Google's Sandbox

All code executes inside Google's own Apps Script runtime, within your Google account. PathFinder's server never touches your spreadsheet data directly. Google's infrastructure handles all data access, using the same security that protects Google Sheets itself.

Layer 5 — Rate Limiting

Abuse Prevention

Requests are rate-limited to prevent abuse. Automation triggers have additional limits to stay within Google's own quotas. Excessive requests are blocked before they reach your account.

What We Store (and What We Don't)

We store: A one-way hash of your API token, your encrypted OAuth refresh token, your subscription status, and your Google account email.

We never store: Your spreadsheet data, cell contents, formulas, file names, or any data from your Google Drive. We never see it.

Encryption: OAuth tokens are encrypted with AES-256-GCM before storage. API tokens are stored as SHA-256 hashes. Raw credentials exist only in memory during request processing.

Deletion: When you disconnect, your API keys are revoked immediately. Your encrypted tokens are deleted. There is nothing left to access your account.

OAuth & Authentication

PathFinder uses Google's OAuth 2.0 to connect to your account. This means:

You sign in directly with Google — we never see or handle your Google password. Google gives us a limited-scope token that can only access Google Sheets and Apps Script. We cannot access your Gmail, Drive files, Calendar, or any other Google service.

CSRF protection — the OAuth flow is protected against cross-site request forgery with time-limited, cryptographically signed state tokens. Replayed or tampered authorization attempts are rejected.

One account, one connection — reconnecting automatically revokes all previous API keys. Old tokens are cleaned up immediately, so there's never a stale credential that could be misused.

Network Security

CORS policy: Our API only accepts requests from authorized origins. Cross-origin requests from unknown domains are rejected.

HTTPS everywhere: All communication between your AI tool, PathFinder's servers, and Google's APIs is encrypted in transit with TLS. No exceptions.

No URL-based auth: Authentication tokens are only accepted in HTTP headers, never in URL query parameters. This prevents tokens from appearing in server logs, browser history, or referrer headers.

You're Always in Control

Tier-based permissions: You choose what your AI can do. The Basic plan allows read and write. Pro adds automations. Dev adds external data access. Each tier is a hard boundary enforced on our servers.

Instant disconnect: You can revoke PathFinder's access at any time — from the Google Sheets sidebar, or from your Google Account's security settings. Disconnecting immediately invalidates all tokens.

Undo everything: Every write operation is reversible. PathFinder maintains an undo buffer so you can roll back the last 5 changes at any time. Preview mode lets you see what will happen before it runs.

Full transparency: Every action your AI takes through PathFinder is visible to you. There are no hidden operations. What you see is what runs.

Infrastructure

Hosting: PathFinder's proxy runs on Vercel's edge network with automatic scaling, DDoS protection, and global distribution.

Database: Authentication data is stored in Supabase (built on PostgreSQL) with row-level security policies. Database access requires service-role credentials that are never exposed to clients.

Secrets management: All encryption keys, API credentials, and service tokens are stored in environment variables — never in code, never in version control, never in client-accessible locations.

Questions?

If you have security questions or want to report a vulnerability, reach out to us at support@morous.dev.