Security
Last updated: June 11, 2026
Stagger reads and updates extract refresh schedules. It cannot see the data inside your workbooks. This page covers what access you grant, how your credentials are stored, and how to revoke access. Questions: staggersupport@gmail.com.
What Stagger can — and cannot — access
Can: list workbooks, datasources, and projects; read extract refresh tasks and their schedules; update those schedules when you explicitly apply a change; read your site's extract timezone setting; and (optionally) read Tableau's own Admin Insights job history to show real run durations and queueing.
Cannot: read workbook content, dashboard visuals, datasource rows, or any data inside your extracts; download or publish content; manage users or permissions; or delete anything. These boundaries are enforced by the API scopes below, which don't include those capabilities.
The API scopes Stagger uses
Stagger authenticates with short-lived JWTs (about five minutes each) signed with your Connected App secret. Every request declares these scopes and nothing more:
| Scope | Used for |
|---|---|
| tableau:content:read | Listing workbooks, datasources, and projects so tasks display with their names and folders. |
| tableau:tasks:* | Reading extract refresh schedules, and updating them — the only write Stagger ever performs, and only when you click Apply. |
| tableau:sites:read | Reading your site's extract timezone so schedules display in the right local time. |
| tableau:viz_data_service:read | Optional, used in an isolated session: reads Tableau's Admin Insights "Job Performance" data for observed run durations and queueing. If unavailable, Stagger degrades gracefully — core features keep working. |
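An added example, not Stagger's own code: a standard-library check that an HS256 JWT carries only the four scopes listed above and expires within five minutes. The claim names (`scp`, `aud`, `exp`), the helper names, and the sample secret are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

# Scopes from the table above; any other scope in a token is a finding.
ALLOWED_SCOPES = {
    "tableau:content:read", "tableau:tasks:*",
    "tableau:sites:read", "tableau:viz_data_service:read",
}
MAX_LIFETIME_S = 5 * 60  # "about five minutes" per the page

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(secret: bytes, scopes, lifetime_s: int, now: int) -> str:
    """Build a constructed sample token (claim names are assumptions)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"aud": "tableau", "exp": now + lifetime_s, "scp": list(scopes)}
    signing_input = ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def audit_jwt(token: str, secret: bytes, now: int) -> list:
    """Return findings; an empty list means the token matches the stated policy."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64, or bad JSON
        return ["malformed token"]
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return ["malformed token"]
    findings = []
    if header.get("alg") != "HS256":
        findings.append("unexpected alg")
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        findings.append("bad signature")
    extra = set(claims.get("scp", [])) - ALLOWED_SCOPES
    if extra:
        findings.append("extra scopes: " + ", ".join(sorted(extra)))
    exp = claims.get("exp")
    if not isinstance(exp, int):
        findings.append("missing exp")
    elif exp <= now:
        findings.append("expired")
    elif exp - now > MAX_LIFETIME_S:
        findings.append("lifetime exceeds five minutes")
    return findings
```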
How your credentials are stored
- Your Connected App secret is stored in Supabase Vault, encrypted at rest with keys managed outside the database.
- It is decrypted only server-side, per request, to sign a short-lived JWT — it is never sent to your browser and never appears in client-side code or logs.
- All traffic is encrypted in transit (TLS).
- Deleting your account permanently deletes your stored credentials and all analysis history.
Revoking access
Access is granted by a Connected App that lives in your Tableau site, so revocation is in your hands: disabling or deleting it in Tableau Cloud (Settings → Connected Apps), or rotating its secret, immediately invalidates the credentials Stagger holds. No action on our side is required. You can reconnect at any time by entering new credentials.
Tenant isolation
Every database table enforces row-level security, so your organization's data is isolated from other customers at the database layer — not just in application code. Applied schedule changes are recorded in an immutable audit trail: who changed what, when, and the result.
Sub-processors
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, encrypted credential vault | United States |
| Vercel | Application hosting and delivery | United States |
| Stripe | Subscription billing and payment processing | United States |
No AI training on your data
Your schedule metadata, credentials, and account data are never used to train AI or machine-learning models — ours or anyone else's.
Reporting a vulnerability
Found something? Email staggersupport@gmail.com and we'll respond promptly. We appreciate responsible disclosure.