TransWikia.com

Can developers of gsuite addons view the data in your sheets / docs?

Stack Overflow Asked on November 4, 2021

Suppose we install a gsuite addon, we may see something like:


Suppose we have a google sheet/doc containing some plain text (a pretty standard use), equations, etc; e.g. it may contain: Here's something top secret: my_secret_123_abcxyz?!

Are there circumstances under which the developers of the addon would be able to read the text contained in the cells of a Google Sheet (or in a Google Doc)?

For reference: here are the T&C and privacy policy for the example above – note that there’s no clear answer to the question contained in either of those policies.

Note: this is an extremely important consideration for handling client data, or meeting data governance requirements/laws at company and/or federal levels.

3 Answers

Q. Are there circumstances under which the developers of the addon would be able to read the text contained in the cells of a Google Sheet (or in a Google Doc)?

A. Yes, the developers can read the text. Specifically what the application reads and what is done with that data is a mystery, however.

When developing GSuite add-ons you use a programming language called Google Apps Script. (Google gives the creators an internal editor to work in.)

When the creator of the add-on writes code wanting to access different parts of the Gsuite API, a scope is automatically added to the manifest file for the application.

The scope list explains what the application is attempting to access as it runs. That list generates the screen seen below.

(Image: scope example)

The permission screen doesn't get any more specific than that. However, everyone who wants to submit an application into the GSuite marketplace has to submit to a review process.

One of Google's priorities in that process is making sure the add-on's publishers "Take appropriate steps to safeguard user data."

Answered by John Thompson on November 4, 2021

I’m the developer of the Smart References plugin for Google Docs.

https://gsuite.google.com/marketplace/app/smart_references/139900623597

The answer is that it depends on how the plugin works. The Google plugin sandbox is quite limited. The code developers provide that can run on Google's servers or in the user's browser is limited to a few JavaScript files, and without the ability to import or export data there is only so much those scripts could do. So many plugins send document data to external applications to provide advanced functionality. For example, the Smart References plugin does not need to export any data from the docs context because it is a relatively simple plugin that just synchronises headings within a document - but consider a grammar checking plugin or an integration into a CRM - all the smarts live on external servers that Google does not control. As developers we are asked to disclose if and how we use document data in the privacy policy and terms of service. Google does have an independent review process for new plugins, but they only review the plugin code, not the workings or administration of any external API.

So when you permission a plugin you are potentially giving access to your data to the plugin developers and you should make an active decision on whether or not to trust them. This is the case with any cloud software or desktop apps that use APIs to work.

Answered by Richard Woods on November 4, 2021

I think it is possible. See the link below.

https://developers.google.com/gsuite/add-ons/editors/sheets

You can create custom functions. Then you can use UrlFetchApp to communicate with an external server. https://developers.google.com/apps-script/reference/url-fetch This service requires the script.external_request scope.

I have attached a screenshot below. You can see all the scopes this particular add-on needs. You will get this prompt while installing the add-on. "Connect to an external service" is the scope you are looking for.

Answered by Sibin on November 4, 2021
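
Added example, not part of any answer above and not Google's code: a JavaScript check that reads the scope list from an add-on's manifest (appsscript.json), as described in the first answer, and reports whether the add-on both reads Sheets/Docs content and holds the script.external_request scope named in the third answer. It assumes you have the manifest file to hand; `auditManifest` and the sample manifest are constructed for illustration.

```javascript
// Added example: classify the scopes declared in an Apps Script manifest.
const SCOPE_PREFIX = "https://www.googleapis.com/auth/";

// Scopes that let a script read Sheets/Docs content, and how far they reach.
const CONTENT_SCOPES = {
  "spreadsheets": "all spreadsheets",
  "spreadsheets.readonly": "all spreadsheets",
  "spreadsheets.currentonly": "current spreadsheet only",
  "documents": "all documents",
  "documents.readonly": "all documents",
  "documents.currentonly": "current document only",
  "drive": "all Drive files",
  "drive.readonly": "all Drive files",
};
const EXTERNAL_SCOPE = "script.external_request"; // required by UrlFetchApp

function auditManifest(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  // Without an explicit oauthScopes list, Apps Script infers scopes from the
  // code, so an empty result here does not mean "no access".
  const scopesDeclared = Array.isArray(manifest.oauthScopes);
  const scopes = (manifest.oauthScopes || []).map((s) =>
    s.startsWith(SCOPE_PREFIX) ? s.slice(SCOPE_PREFIX.length) : s);
  const reads = scopes
    .filter((s) => s in CONTENT_SCOPES)
    .map((s) => ({ scope: s, reach: CONTENT_SCOPES[s] }));
  const external = scopes.includes(EXTERNAL_SCOPE);
  // urlFetchWhitelist limits UrlFetchApp to the listed HTTPS URL prefixes.
  const allowedUrls = manifest.urlFetchWhitelist || [];
  return {
    scopesDeclared,
    reads,
    external,
    allowedUrls,
    // Content access plus UrlFetchApp: server-side code can send content out.
    readsAndFetches: reads.length > 0 && external,
    unrestrictedFetch: external && allowedUrls.length === 0,
  };
}

// Constructed sample manifest, not taken from any real add-on.
const SAMPLE = JSON.stringify({
  timeZone: "Etc/UTC",
  oauthScopes: [
    "https://www.googleapis.com/auth/spreadsheets.currentonly",
    "https://www.googleapis.com/auth/script.container.ui",
    "https://www.googleapis.com/auth/script.external_request",
  ],
});
console.log(auditManifest(SAMPLE));
```

A result with `readsAndFetches: true` matches the situation the second answer describes: what happens to the data after it leaves for the external server is governed by the developer's privacy policy, not by the sandbox.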
