Oh sorry maybe I read this wrong. So they are on the external page and then will they have access to your NetSuite in general. I don't think so. I think they could get the parameters your suitelet is using and make bad calls if they wanted to. For instance, they could pay the wrong invoice.