Terms of Service / Privacy Policy

[jamalbernhard]

I was looking at installing this for our development team, but our security team is nervous about exposing our Google docs to a third-party add on. Do you have any official policy in place stating that you don't store any text that you operate on? Thanks!

[alexwforsythe]

I do not have an official policy, but I will consider adding one. In the meantime, here is why you should not be nervous about installing Code Blocks:

The server-side code for Code Blocks (as with all Google Docs add-ons) runs on Google's servers. This means the add-on must request operating permissions from you, the user, and Google can enforce these permissions on the backend.

Code Blocks requests the bare minimum permissions to do its job:

• View and manage documents that this application has been installed in
• Allow this application to run when you are not present

Many other add-ons will request more permissions in order to interact with external services. You will not see this with Code Blocks because I have made the add-on work entirely with bundled JavaScript. That means the only servers that can see your data are the ones running the add-on for you, which are owned by Google.

The only minor exception to this is the Google Analytics snippet I have embedded into the sidebar's HTML here. This allows me to see how many pageviews Code Blocks gets and is also handled by Google's servers. Using Google Analytics to track usage is extremely common practice, but you can find information about opting-out here.

Finally, all of the code for this add-on is publicly available on GitHub via this repository. Anybody is welcome to inspect it for the presence of nefarious behaviour.

If you have any more questions, feel free post here. I'll leave this issue open for discussion and to remind me to create a policy. Thanks.

[jamalbernhard]

Thanks! I appreciate the quick and detailed response. You have appeased our security team so I can go ahead. But just to respond to your last point about the code being publicly available, we could look through it now and then it might change (without our knowledge, I'm assuming) in the future. And even if we trust you, a completely different developer could take over the project at some point. So an explicit policy could still be quite nice IMO.

Thanks again.

[alexwforsythe]

No problem. Glad it's working out! You have some good points there. I'll try to draft up a policy sometime in the next week or so. Thanks again for bringing this to my attention. This is my first time owning a project with real users, so it really helps to have input from the community 😄. I'll keep you posted.

[vmrob]

Would you also consider providing an OSS license? MIT, Apache, BSD, etc. As is, the copyright is completely yours and nobody would be able to copy or modify it without violating that copyright. My team might be interested in using it, but without a license, there's nothing we can really do.

[captainstatic]

A quick note on the Google Analytics side, IP addresses are considered private information in the EU. You must configure your analytics with the ga('set', 'anonymizeIp', true); and set your account properly to anonymize them (it drops the last octet). Without it, you are breaking the e-Privacy directive from 2011. Although with GDPR, it opens you up to being sued in an EU court without it.

[alexwforsythe]

The MIT OSS license has been added to the repository by @abeaclark. Cheers!