
Security

Data apps

Observable is committed to providing users with a secure way to host and share data apps, whether on our infrastructure or yours.

Observable Framework is a static site generator, which means that data is generally generated at build time instead of runtime. Data loaders and page loaders use secrets to access your private data; when your app builds, they output static files (like CSVs and JSON); when a viewer looks at your page, it only loads the static file. This lets you restrict which pieces of your private data your data app viewers can see. To learn more about static site generators, see this video and blog post.

For example, your data loaders could access your complete sales records, but then output a file that only exposes the sum of total sales in some category. When viewers load a page and its data, they do not have any access to the underlying live data sources. The static files and pages may still contain sensitive information, so we provide extensive tools for configuring secure sharing.
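The sales example above can be sketched as a Framework data loader in JavaScript. This is an added example, not Observable's own code; the file path, the SALES_DB_TOKEN variable, fetchSalesRecords and the sample rows are assumptions made for illustration.

```javascript
// Sketch of a data loader, e.g. src/data/sales-by-category.json.js (hypothetical path).
// It runs at build time; only what it writes to stdout becomes the static file viewers load.

// Constructed sample rows standing in for a private source queried with a secret.
const SAMPLE_RECORDS = [
  {id: 1, customer: "alice@example.com", category: "hardware", amount: 1200.5},
  {id: 2, customer: "bob@example.com", category: "hardware", amount: 799.5},
  {id: 3, customer: "carol@example.com", category: "services", amount: 300},
];

// Hypothetical fetch: a real loader would connect using the secret from the build environment.
async function fetchSalesRecords(secret) {
  if (!secret) throw new Error("SALES_DB_TOKEN is not set");
  return SAMPLE_RECORDS;
}

// Reduce full records to per-category totals; no row-level fields are copied.
function totalsByCategory(records) {
  const totals = new Map();
  for (const {category, amount} of records) {
    totals.set(category, (totals.get(category) ?? 0) + amount);
  }
  return [...totals].map(([category, total]) => ({category, total}));
}

// Serialize the totals, refusing to emit them if the secret or a row-level value appears.
function buildOutput(records, secret) {
  const json = JSON.stringify(totalsByCategory(records));
  const forbidden = [secret, ...records.map((r) => r.customer)];
  for (const value of forbidden) {
    if (json.includes(value)) throw new Error("private value would be published");
  }
  return json;
}

async function main() {
  const secret = process.env.SALES_DB_TOKEN; // hypothetical variable name
  const records = await fetchSalesRecords(secret);
  process.stdout.write(buildOutput(records, secret));
}

// Run only when this file is executed as a loader script (name ends in .json.js).
if (process.argv[1]?.endsWith(".json.js")) main();
```

A failed check throws, so the build stops with a non-zero exit instead of publishing the file.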

The build process can be run on Observable Cloud or on your own on-premises infrastructure (or your chosen third party, like GitHub or AWS). Similarly, the resulting files can be served from Observable Cloud or from your own on-premises servers (or your chosen third party). If you use Observable Cloud, your secrets are encrypted at rest. If you choose on-premises infrastructure, no machine outside your network need ever access your secrets or private data or see the resulting files and pages.