Security Overview

Executive Summary

The SuiteQL Query Tool is designed with security as a core principle. It operates entirely within your NetSuite environment, respects existing role-based permissions, and gives you complete control over any external integrations.

                        Key Points:
                        All queries execute within NetSuite using your existing permissions
No data is transmitted to external servers by default
AI features are optional and require explicit user action
API keys are stored locally in your browser, never on NetSuite servers
Source code is fully visible and auditable

                    

Architecture Overview

Runs Inside NetSuite

The tool is deployed as a SuiteScript Suitelet, running entirely within your NetSuite account. It does not require any external hosting or infrastructure.

Direct Database Access

Queries are executed using NetSuite's native N/query module, which enforces all standard NetSuite security policies and role restrictions.

Browser-Based UI

The user interface runs in your browser. Settings and preferences are stored in your browser's local storage, not on any external servers.

Transparent Source Code

The entire source code is contained in a single JavaScript file that you deploy. You can review, audit, and modify the code as needed.

Role-Based Security

Users can only query data their NetSuite role permits. The tool cannot bypass or escalate permissions.

Optional AI Features

AI-powered features can be completely disabled via configuration. When disabled, no AI-related code is rendered or accessible.

Data Flow

Understanding where your data goes is critical. Here's a comprehensive breakdown of data flow for each feature:

Feature	Data Destination	External Transfer?
Query Execution	NetSuite database (via N/query module)	No - NetSuite Only
Query History	Browser localStorage	No - Local Only
Theme/Preferences	Browser localStorage	No - Local Only
Schema Explorer Data	Browser IndexedDB	No - Local Only
Excel/CSV Export	Downloaded to your computer	No - Local Only
AI Query Generation	AI provider API (user-initiated)	User Controlled
AI Query Explanation	AI provider API (user-initiated)	User Controlled
Tables Reference	NetSuite Records Catalog API	No - NetSuite Only
Google Sheets Export	Google Sheets API (via Service Account)	User Controlled
Plugin Execution	Depends on plugin code	Plugin Dependent

AI Features - Detailed Security Information

The AI-powered features are entirely optional and can be disabled organization-wide by setting AI_ENABLED: false in the configuration section of the script.

                Important: When using AI features, certain data is sent to third-party AI providers. Understand what is and isn't transmitted before enabling these features.
            

What IS Sent to AI Providers

Your SQL queries - When you ask for explanation, validation, or optimization
Your natural language prompts - When using the AI assistant or quick ask features
Table/column names - Provided as context for query generation
Error messages - When asking for help with query errors

What is NOT Sent to AI Providers

Query results/data - Your actual business data is never sent to AI providers
NetSuite credentials - Your NetSuite login is never shared
Record IDs or specific values - Unless explicitly included in your query text
Other users' queries or data - Each user's AI context is isolated

Supported AI Providers

The tool supports multiple AI providers. You choose which provider to use and provide your own API key:

Anthropic (Claude) - Privacy Policy
OpenAI (GPT) - Privacy Policy
Google (Gemini) - Privacy Policy
Cohere (Command) - Privacy Policy
xAI (Grok) - Privacy Policy
Mistral AI - Privacy Policy
OpenAI-Compatible (Custom) - For self-hosted models or third-party services like OpenRouter, Azure OpenAI, Together AI, or local models via Ollama. Security and privacy depend on the endpoint you configure.

                OpenAI-Compatible Endpoints: When using the OpenAI-Compatible provider option with custom endpoints, you are responsible for understanding the security and privacy practices of that service. The tool will send AI requests to whatever URL you configure. Only use endpoints you trust.
            

API Key Security

API keys are stored in your browser's localStorage (if "Remember" is enabled)
Keys are transmitted directly from your browser to the AI provider via HTTPS
Keys are never stored on NetSuite servers or transmitted to any other party
You can disable "Remember my API key" to use session-only storage
Each user manages their own API key - there is no shared/organization key

Google Sheets Export - Security Information

The Google Sheets export feature allows you to send query results directly to Google Sheets. This feature uses Google Service Account authentication and requires careful security consideration.

                Important: This feature transmits your query results to Google's servers. Only use this feature if your organization permits sharing data with Google Cloud services.
            

How It Works

You provide a Google Cloud Service Account JSON key file
The tool generates a JWT (JSON Web Token) signed with the service account's private key
The JWT is exchanged with Google for an access token
Query results are sent to Google Sheets API using this token
Data is transmitted in batches (500 rows per batch) with progress indication

What Data is Sent to Google

Your query results - All columns and rows from the current result set
Column headers - Field names from your query
Spreadsheet metadata - Spreadsheet ID (if appending) or new spreadsheet name (if creating)

Service Account Key Security

Key Storage Options

Session only - Key is held in memory, cleared when you close the tab
Remember (localStorage) - Key is stored in browser localStorage for convenience
Keys are never sent to NetSuite servers
Keys are only transmitted to Google's OAuth endpoint

Key Management Best Practices

Create a dedicated service account for this integration
Grant minimum required permissions (Sheets API only)
Use "Append to Existing" mode when possible (fewer permissions needed)
Rotate service account keys periodically
Monitor service account activity in Google Cloud Console

Authentication Flow

The tool implements a pure JavaScript RSA-SHA256 JWT signing process because NetSuite's N/crypto module does not support RSA private key operations. This implementation:

Parses PKCS#8 private keys from the JSON key file
Creates properly formatted JWTs with Google's required claims
Signs the JWT locally in your browser (no external services)
Exchanges the signed JWT for an access token via Google's OAuth endpoint
Caches access tokens to minimize authentication overhead

Export Modes

Mode	Required Permissions	Security Notes
Create New Spreadsheet	Full Drive API access	Service account can create files in its Drive space
Append to Existing	Sheets API only	Spreadsheet must be shared with service account email; lower permission footprint

                Recommendation: For production use, create a dedicated Google Cloud project and service account specifically for this integration. Grant only the minimum required scopes and regularly audit the service account's activity and access patterns.
            

Browser Local Storage

The tool uses your browser's local storage to persist settings and improve user experience. Here's what is stored:

Storage Key	Purpose	Contains Sensitive Data?
`sqt_history`	Recent query history	May contain query text (not results)
`sqt_theme`	Light/dark mode preference	No
`sqt_draft`	Auto-saved editor content	May contain query text
`sqt_ai_settings`	AI provider selection and API key	Yes - API key if "Remember" enabled
`sqt_ai_conversation`	AI chat history	May contain prompts and responses
`sqt_params`	Last-used query parameter values	May contain parameter values
`sqt_gsheets_settings`	Google Sheets service account credentials	Yes - Service account private key if "Remember" enabled

                Clearing Stored Data: You can clear all stored data by using your browser's developer tools to clear localStorage for the NetSuite domain, or by clearing your browser's site data.
            

NetSuite Permissions

The SuiteQL Query Tool operates within NetSuite's existing security model:

What the Tool CAN Do

Execute SELECT queries on tables your role can access
View table metadata your role permits
Export data you can already query

What the Tool CANNOT Do

Access tables/records restricted from your role
Modify, insert, or delete data (read-only queries only)
Bypass NetSuite's row-level security
Escalate privileges beyond your role

Deployment Considerations

Deploy the Suitelet with appropriate audience restrictions
Consider creating a dedicated role for query tool users
The "Available Without Login" setting should remain unchecked
Audit logs in NetSuite will capture script executions

Plugin Security

The SuiteQL Query Tool supports a plugin architecture that allows extending functionality. While powerful, plugins require careful security consideration.

                Important Security Warning: Plugins execute with the same permissions and privileges as the main SuiteQL Query Tool. Only install plugins from sources you trust completely. Malicious plugins could potentially access, modify, or exfiltrate data accessible to your NetSuite role.
            

What Plugins CAN Do

Execute JavaScript - Both server-side (in NetSuite) and client-side (in your browser)
Access query data - Plugins can intercept queries and results via hooks
Make network requests - Client-side plugins can fetch external URLs; server-side can use N/https
Modify the UI - Inject HTML, CSS, and JavaScript into 17 different UI injection points
Access localStorage - Read and write browser storage data
Use NetSuite modules - Server-side plugins can use N/query, N/file, N/record, N/https, and other modules
Disable built-in features - Plugins can hide or disable 20+ built-in features (AI, export, history, etc.)
Register custom server handlers - Plugins can create custom server endpoints accessible via fetch requests
Store settings - Both in browser localStorage and NetSuite File Cabinet for persistence

Server-Side Hook Capabilities

Server-side plugin hooks execute within NetSuite's SuiteScript environment and have significant capabilities:

Hook	Timing	Capability
`onBeforeQuery`	Before query execution	Can modify, log, or reject queries before they run
`onAfterQuery`	After query execution	Can process, transform, or log results; can modify what is returned to the client
`onError`	When query fails	Can handle, log, or transform error messages
`Custom handlers`	On demand	Custom server endpoints that can perform any SuiteScript operation

Client-Side Hook Capabilities

Client-side plugin hooks execute in the browser and can interact with the user interface:

Hook	Timing	Capability
`onInit`	App initialization	Set up plugin state, inject UI elements
`onBeforeQuery`	Before query sent	Can modify or cancel queries from the client side
`onAfterQuery`	After results received	Can process results before display
`onResultsDisplay`	During rendering	Can customize how results are displayed
`onBeforeExport / onAfterExport`	Export lifecycle	Can intercept or modify export operations
`onEditorChange`	Editor updates	Can respond to query text changes

Security Best Practices

Before Installing

Review the complete plugin source code
Verify the plugin author/source is trustworthy
Check for obfuscated or minified code (red flag)
Look for unexpected network calls or external URLs
Test in a sandbox environment first

Deployment Controls

Limit File Cabinet folder access for plugins
Document all installed plugins and versions
Establish an approval process for new plugins
Periodically audit installed plugins
Remove unused plugins promptly

Disabling the Plugin System

To completely disable plugin loading, either:

Leave PLUGIN_FOLDER_ID empty - Set PLUGIN_FOLDER_ID: '' in the CONFIG section (default)
Delete the plugin folder - Remove the folder containing plugin files from File Cabinet
Remove all plugin files - Delete individual *.sqt-plugin.js files

When no plugins are configured, no plugin-related code executes and the tool operates in its default state.

Plugin File Locations

Component	Location	Security Implication
Plugin Files	NetSuite File Cabinet	Controlled by File Cabinet permissions
Plugin Settings	Browser localStorage + File Cabinet	Per-user, may contain sensitive configuration
Server-Side Code	Executes in NetSuite	Has access to NetSuite APIs and modules
Client-Side Code	Executes in Browser	Has access to DOM, localStorage, network

                Recommendation: Treat plugin installation with the same rigor as installing any software in your organization. Establish review and approval processes, maintain an inventory of installed plugins, and regularly audit plugin code for security issues.
            

Frequently Asked Questions

Can other users see my queries or results?

No. Each user's query history, AI conversations, and settings are stored in their own browser's local storage. There is no shared storage or server-side logging of queries by the tool itself. (Note: NetSuite's standard audit logging may capture script executions.)

Is my API key safe?

Your API key is stored only in your browser's localStorage and is transmitted directly to the AI provider over HTTPS. It is never sent to NetSuite servers or any other third party. For maximum security, you can uncheck "Remember my API key" to use session-only storage.

Can I use the tool without any AI features?

Yes. AI features can be completely disabled by setting AI_ENABLED: false in the configuration. When disabled, no AI-related UI elements are rendered, and no external API calls are possible.

Does the tool send data to the developer?

No. The tool does not contain any analytics, telemetry, or "phone home" functionality. No data is sent to the tool's developer or any third party (except AI providers when you explicitly use AI features).

Can I audit the source code?

Yes. The entire tool is contained in a single JavaScript file that you deploy to your NetSuite File Cabinet. You have full visibility into all code and can review it before deployment.

What happens if I use Query Share URLs?

Query sharing works by encoding your query text into the URL. Anyone with the URL can see the query text, but they can only execute it if they have access to your NetSuite account and appropriate permissions.

Is the Schema Explorer data sent anywhere?

No. Schema Explorer builds a map of your database schema and stores it locally in your browser's IndexedDB. This data never leaves your browser and is only used to enhance autocomplete functionality.

Are plugins safe to install?

Plugins should be treated like any third-party code. They execute with full privileges in both your browser and NetSuite environment. Only install plugins from trusted sources, and always review the source code before deployment. When in doubt, keep plugins disabled by leaving the PLUGIN_FOLDER_ID configuration empty.

Can plugins access my query results?

Yes. Plugins can register hooks that intercept queries before execution and results after execution. This is by design to enable useful functionality like logging or data transformation. However, it means a malicious plugin could potentially capture or exfiltrate your data. This is why plugin source code review is essential.

Is my Google Service Account key safe?

The service account JSON key is handled similarly to AI API keys. When "Remember" is enabled, it is stored in your browser's localStorage. It is only transmitted to Google's OAuth endpoint (oauth2.googleapis.com) over HTTPS to obtain access tokens. The private key never leaves your browser except for this authentication process. For maximum security, uncheck "Remember" to use session-only storage, and consider using the "Append to Existing" export mode which requires fewer Google Cloud permissions.

Does Google Sheets export send my data outside NetSuite?

Yes. When you use the Google Sheets export feature, your query results are transmitted to Google's servers and stored in Google Sheets. This is the intended purpose of the feature. Only use this feature if your organization's data policies permit sharing data with Google Cloud services. The "Append to Existing" mode allows you to control which spreadsheet receives the data by pre-sharing it with your service account.

What is the "OpenAI-Compatible" AI provider option?

This option allows you to connect to any API that implements the OpenAI API specification, including self-hosted models (Ollama), third-party aggregators (OpenRouter, Together AI), or enterprise deployments (Azure OpenAI). When using this option, you provide a custom base URL. The tool will send AI requests to whatever endpoint you specify. You are responsible for understanding the security and privacy implications of the endpoint you choose.