If you don’t see an answer to your question about Xwa, please contact us.

Select a question to expand it to show its answer. When you’re finished reading the answer, you can select the question again to make the answer disappear.

What can I do with Xwa?

Above all, with Xmart Web Api you can:

1. Connect VBA to databases without using connection strings
2. Generate VBA code from SQL and SQL code from Office objects using ORM
3. Commercially distribute Office files with licensing system
4. Strictly control who and when is using your solutions
5. Upload and download files with cloud storage
6. Send emails and text messages from VBA without exposing api secrets
7. Guard VbaProject against post-publish edit and unprotection attempts
8. Automate database installs and updates
9. Use other api features, such as asynchronous operations, serial port connections, media playback etc.
10. Save time generating data access layers
11. Quickly integrate existing solutions making them safer to use

In addition, with Xwa you don’t have to know how to program databases. For instance, ORM tools can generate this syntax for you. Therefore, you can focus on developing dashboards, reports and other important parts of Office application.

To whom is Xwa dedicated?

* Companies that use VBA solutions and should secure their applications and document workflows

Tons of software has been written using VBA and Microsoft Office. Banks, insurance companies and any other large enterprises are still actively using their Office VBA solutions. At some point these files expose connection strings with makes them highly insecure. Documents might leak, with usually leads to disastrous results. For example, ransomware can encrypt data and block access to it unless a ransom is paid. And that’s just one scenario.

Xmart Web Api can prevent that, because with Xwa secrets are never exposed.

* Individual developers that use Office and VBA

Xmart Web Api can make your life easier, because you will control usage of your applications. In order to use your application, users need to activate licenses. In addition, this also improves documents workflow security, because application prepared with Xwa is unusable when api is not installed or license is not active.

* Anyone who uses VBA for reading and writing data from/to SQL databases

With Xwa you can easily move your VBA solutions to the cloud. Therefore, your users may use application at any time. This allows for live dashboards data and highly actual raptors on demand.

Do users have to install/download anything?


User distribution can be simply done using Office documents. User gets a document, opens it and the whole process is automated from that point. Installation is done per user, so no system administrator is involved. This greatly improves distribution process and allows for always up-to-date deployments.

If needed, installation can also be authorized. In that case, user is prompted for admin credentials. It improves security but requires system admin involvement.

With Office versions are supported?

Xwa is compatible with these Microsoft Office for Windows versions:

  • 2019
  • 2016
  • 2013
  • and of course Office 365

In addition, Xwa works on these versions, but they are not officially supported:

  • 2010

With database systems are supported?

Xwa currently supports these database systems:

  • Microsoft SQL Server (all versions)
  • Microsoft Azure SQL

Caution: when using Microsoft SQL Server in cloud scenarios, the minimum version should be 2008 SP4, because it’s the earliest version that supports the TLS 1.2 protocol.

The support for below database systems is under development:

  • SQLite
  • MariaDb
  • MySql

Other systems that are currently prioritized: Oracle, PostgreSQL.

Where are connection strings kept?

There are two options:

1. Key Vault Service

This service provides database connections on VBA’s demand. Values are kept on server, encrypted with custom secrets. Because passwords are on developer’s side, it is 100% safe to use service instance hosted by X-mart. However, it is also possible to host Key Vault Service in your company’s network.

Recommended for cloud based solutions and intranets.

2. Encrypted block in Office file structure

Xwa technology allows to embed encrypted connection strings directly into the Office file structure. In other words, connection strings can be encrypted inside Office document.

Since this option never requires internet (or intranet) access, it is recommended for offline solutions.
Of course you can also use this approach in cloud or any other solution – your database connections don’t have to be depended on any service.

Either way, connection strings are never exposed to VBA or anywhere on Office document. See How it works for working example.

How is my data protected?

1. Connection strings (and any other secrets) are never exposed in VBA code or in Office documents

See How it works for working example.
Effect: in contrast to classic VBA, nobody can see vulnerable data – even in unprotected documents.

2. Hybrid data encryption

Hybrid data encryption approach is used for best possible cryptographic effect on any sensitive data that requires protection.
Effect: there are no applications that can read data with is encrypted that way.

3. Server-side connection storage with Key Vault Service

Connection strings can be kept on server using Key Vault Service. For more information, please expand the “Where are connection strings kept” node.
Effect: connection strings are even more secure, because server can only be accessed by data administrator (above all, recommended in cloud scenarios).

4. Encrypted database connections with SSL/Tls 1.2 (ready for Tls 1.3)

Any data that is exchanged with database can be additionally encrypted in TLS tunnel. Data server has to be configured with SSL certificate, with greatly increases security. All data sources used in cloud scenarios should use TLS.
Effect: additional data protection – it is impossible to read data without proper SSL certificate.

5. Possible token validation

Client requests can be additionally validated with optional JWT or custom tokens. For instance, database can decide if client request should be processed or not.
Effect: extra protection logic with allows for custom client validations.

6. Vba project protection

With Xwa, VbaProject can be guarded against any unprotection attempts and/or code changes. Therefore, an attempt to unprotect or edit post-published code will result in faulted state, in with application is unusable.
Effect: guarantees that once published, application code stays intact.

7. Protection by licensing system

Office solutions based on Xwa will only work on workstations that were previously validated with licensing system. In other words, user’s computer must pass a one-time license activation. Office documents that use Xwa will only work on activated licenses. Both license activation and update requires internet access.
Effect: user needs a valid license to use Office application prepared with Xwa.

8. Possibility to restrict connection usage only to certain workstations

Developer can decide with workstations can use certain connections. This allows to create applications with will work only for certain customers.
Effect: even when workstation’s license is valid, application can by used only by exclusive customers.

9. Native database security

If database system is supported by Xwa, you can use all of it’s native security system. This means that in addition to above security layers, you can setup your database to be maximally secured. For example, you can use standard security or trusted connections (active directory) in Microsoft Sql Server.
Effect: Xmart Web Api is fully compatible with database system’s security settings.

What are licensing options?

Every Xwa application requires a license. License can be granted for a certain amount of time and must be activated. In order do activate, customer needs to input credentials (can be automated).

Once activated, a license is bound with its host computer and can be only used there. Usage time can be changed in any moment. Both license activation and its update require access to the internet.

When granted time passes, application cannot be used and will not run. Any attempt to break a license, including system time manipulations, will occur in locking the license.

Licensing system guarantees that only validated users will use applications prepared with Xwa. In conclusion, it allows for commercial distribution and also for strict control of who uses company’s documents.

Can users share Office files?


Generally no, but – as always – it depends:

No – Office applications prepared with Xwa can only be used on workstations with active licenses. Therefore, if user’s computer doesn’t have Xwa installed and activated, Office application will be unusable.

Yes – if two workstations have active Xwa licenses, they can share the same Xwa application.

However, developer can restrict usage for certain customers. This means that even when user has valid license, application can be used only if it is exclusive.

Application usage can also be restricted with tokens – see “how is my data protected” node for more information.