Security and Architecture

This page covers how the Daloopa Excel Add-In is built, what it can and cannot access within your desktop environment, and the controls that govern its behavior. It is intended to give your IT or information security team what it needs to assess the add-in and approve it for use.

Overview

The Daloopa add-in is deliberately lightweight. It runs on Microsoft's current, recommended web add-in framework, not the legacy installed-application model. That design choice removes most of the risk that security teams historically associate with Excel plugins.

The points that matter most:

  • Nothing is installed on the workstation. The add-in is a web application that runs inside Excel's own sandbox. There is no MSI, no EXE, and no locally installed binary.
  • It cannot run macros or execute code. It has no access to Visual Basic, the file system, or the operating system. It cannot write or execute VBA, download files, or read the local disk.
  • Its permissions are fixed in a manifest. Everything the add-in is allowed to do is declared in a Microsoft-reviewed manifest, available at https://addin.daloopa.com/manifest.xml. That permission set cannot be silently widened — any change requires a fresh Microsoft approval cycle.
  • Source links resolve to a single Daloopa domain. The add-in cannot generate links to arbitrary destinations, so there is no long list of external domains to whitelist.

Taken together, these properties keep the attack surface very small. The sections that follow expand each point into the specific questions a reviewer is likely to ask.

Access model and blast radius

How much access does the add-in have inside Excel, and what is installed on the workstation?

Nothing is installed on the machine. The add-in uses Microsoft's current web add-in framework, so it runs as a static front-end web application inside Excel's sandbox rather than as an installed desktop application.

  • There is no MSI or EXE and no locally installed binary.
  • The add-in interacts with the workbook only through the supported Office JavaScript API. It can read the open workbook and write cell values and citation links, but it does so through Excel's controlled API surface, not through direct system access.
  • This is a materially narrower footprint than a traditional installed add-in, which typically has broad access to the Excel instance and the host machine.
What are the built-in mitigations that limit the add-in's blast radius if something goes wrong?

The framework itself is the primary control. Because the add-in runs in Excel's sandbox with no system-level access, a compromise cannot reach the operating system, the file system, or other applications.

  • Capabilities are constrained to what the manifest declares.
  • The add-in cannot access the COM or user-system layer, cannot read from the local disk, and cannot write files to the workstation.

In practical terms, the worst case is contained within the boundaries Excel enforces on any web add-in, rather than extending to the host environment.


Macros and code execution

Can the add-in create or run macros, or execute its own code?

No. The add-in cannot create any macro and cannot execute arbitrary code.

  • Everything the add-in can access is defined in the Microsoft manifest. If a capability is not declared there, the add-in does not have it.
  • It has no access to the COM or user-system layer. It cannot download anything to the user's machine and cannot read from the local disk.

This directly addresses the classic malicious-macro attack pattern, where an Office file carries VBA that fetches and runs a payload. The add-in has no VBA capability and no path to the file system, so that pattern does not apply.


The manifest, updates, and supply-chain risk

Is the manifest fixed, or can it be changed with an update? Can we review it independently?

The manifest defines the add-in's entire permission set and cannot be changed at will. Any change must be submitted to Microsoft and pass Microsoft's review before it takes effect.

  • The permission set cannot be silently widened. An attacker who wanted the add-in to perform a riskier action would have to get a modified manifest through Microsoft's approval process first.
  • The manifest is available for independent inspection at https://addin.daloopa.com/manifest.xml.

If a future manifest requested a capability the current one does not have, that request is visible and gated by Microsoft's process, rather than arriving quietly through a routine update.

If Daloopa were compromised and an attacker tried to push a malicious update, would it reach us automatically?

To push a malicious update, an attacker would need to access the add-in listing, submit an altered manifest, and get approval from the Microsoft security team. That analysis takes on average at least a week and requires communication with Daloopa's internal security team, making it impossible to pass unsupervised. No malicious change can reach customers automatically or silently.

  • Updates are delivered automatically after Microsoft approves the manifest, ensuring users are always on the latest version.
  • A malicious change to the add-in's capabilities would require a new, Microsoft-approved manifest, adding a second independent checkpoint outside Daloopa's control.

A successful attack would therefore have to defeat both your administrators' control over deployment and Microsoft's manifest review.

How do you maintain security in your own development process?

Development-process integrity is covered as part of a full vendor assessment, and we are happy to complete your standard security questionnaire and share supporting documentation.

In the web add-in model, the manifest and Microsoft's review act as an external control on what any build of the add-in is permitted to do. Review teams generally find this line of questioning becomes less load-bearing than it is for an installed application, because the permission boundary sits outside Daloopa's codebase entirely.


Source links and document rendering

How are source-citation links generated, and where do they point? Do we need to whitelist many domains?

Links point only to Daloopa's own web application on a single Daloopa domain. The add-in cannot produce an arbitrary link.

  • The link structure is fixed. The only element that varies is an identifier specifying which data point is being referenced; the web application then serves the corresponding content.
  • Because every link resolves to one Daloopa domain, there is no need to whitelist a broad or changing list of external domains.

This removes the risk of a link being altered to point at a malware distribution site, because the destination is not a free-form URL to an arbitrary location on the internet.

When we open a source link, does it take us to the original document on the internet?

No. The link opens a Daloopa-rendered copy of the source document, hosted by Daloopa, not the original file at a third-party location.

  • Daloopa stores and renders its own copy of the underlying document. Users are never routed directly to an external investor-relations page or third-party PDF.
  • This is a deliberate design choice: it keeps citation traffic on a known, controlled surface and avoids exposing users to arbitrary external content.

Why the web add-in model reduces risk

The historic concern with Excel add-ins is well founded: a traditional installed add-in has significant access within the Excel instance and can interact with VBA and the host system. That is why many institutions have historically kept their approved add-in list short.

The Daloopa add-in does not follow that model. It uses the approach Microsoft now recommends, in which the add-in runs as a sandboxed web application with a declared, reviewed permission set. The questions above resolve to the same conclusion from several independent directions:

  • No installed footprint on the workstation.
  • No macro creation, no arbitrary code execution, no filesystem or OS access.
  • A fixed, externally reviewed permission manifest that cannot be silently widened.
  • Deployment under your administrators' control.
  • Citation links confined to a single Daloopa domain, rendering stored document copies.

Each of these independently limits what can go wrong. Together they keep the overall attack surface small, which is the conclusion security reviewers have reached in prior assessments.