Observable FAQ
Privacy & Personal Information
What personal data do you collect from users?
We collect your information only with your consent in accordance with our Terms of Service. We only collect personal information that is necessary to fulfill the purpose of your interaction with us. Please see our Privacy Policy for more details about what personal data we collect from users.
Are you GDPR or CCPA compliant?
We’re in the process of getting GDPR and CCPA certified.
Authentication
Do you enforce multi-factor authentication?
Observable uses 3rd party authentication providers (Microsoft, GitHub, Google or Twitter) as well as email login through a one-time-password. Users may have multi-factor authentication configured with their authentication providers.
Do you support SSO/SAML?
We support OpenID Connect with Microsoft and Google. OpenID Connect is a simple identity layer on top of OAuth 2.0. Custom SSO is available for Observable Enterprise customers (learn more). The SAML protocol is not supported at this time.
Network Security
Is your network traffic handled through HTTPS?
Observable is only accessible over HTTPS and only encrypted HTTPS and websockets (WSS) are used for data transmission. Our commercial certificate is signed by Cloudflare, and we only allow TLS 1.2 and higher for HTTPS connections.
How do you monitor threats and vulnerabilities?
Our production infrastructure is hosted by Heroku, and is contained within Heroku’s secure network. Heroku regularly undergoes penetration tests and vulnerability assessments to ensure that the network remains secure. See: https://www.heroku.com/policy/security.
We also rely on GitHub Enterprise’s advanced vulnerability scanning and security alerts. They monitor our codebase and dependencies for vulnerabilities, and issue automated alerts when problems are found. See: https://github.com/features/security.
Data Security
How do you protect user data?
Observable protects user data by minimizing our data collection requirements and allowing users discretion over how to load data. For example in notebooks, when users access data from external data sources, it does not exist on our servers. The data flows from the data source directly to the user’s browser.
Please refer to this overview for more information about how our notebook architecture protects our users’ data, as well as this summary about the options for connecting to data. Data apps have a different security structure given they are created by Observable Framework, a static-site generator. Many security concerns are therefore addressed as Framework data apps connect to sensitive data sources, such as databases, on build rather than run-time, preventing any security leaks.
Are stored secrets, data connectors, and cloud file attachments secure?
All user data, including cached data from data apps, stored notebook secrets, data connectors, and authentication tokens for Cloud File Attachments, are encrypted at rest and entirely stored on our production systems. Our database is hosted by Heroku, and once an authentication token is set up into Observable, it cannot be re-downloaded or exported. Authentication tokens can be deleted at any time. Data accessed from a user’s cloud files or databases are not stored on the Observable platform. Only access tokens required to authenticate with the sources are stored, encrypted, on Observable’s servers.
Does your application enable granular permissions and roles to be created?
In Observable Pro workspaces, owners can assign roles of “owner”, “editor”, or “viewer” to team members. At the notebook level, team members can then control who within the team can view and edit the notebook. They can also share the notebook with the whole team as viewers or editors. Our Enterprise tier provides additional security and access controls. Enterprise workspace owners can configure limitations on who in the team can publish content and can require all team members to be authenticated against their domain(s), which protects their workspaces when members leave their organizations.
Do you offer an on-premises solution?
For data apps, we offer a complete on-premises solution that lets you develop, build, and serve Observable Framework data apps from your own infrastructure, without your code, data, or secrets ever touching Observable servers. And since Framework is open-source, it’s local-first: you can use your own editor and source control and integrate with whatever private data is on your computer or network. Learn more about on-premises environments or the general data app security model.
For notebooks, we do not offer an on-premises solution; you can only edit notebooks on our website. However, you can securely connect to data that cannot leave your private network by installing a proxy that sends the data directly to your browser without touching Observable; see our self-hosted database proxy repository and instructions. You can always export and download your notebook as a totally self-contained JavaScript module, or convert it to a page in your self-hosted Framework app.
Do you use any sub-processors for data processing purposes?
No.
Operational Security
Do all employees have access to user data?
No. It is our company policy to respect the principle of least privilege when designing access controls and administrative tools. For example: all employees have access to notebook metadata, but only support personnel have access to the content of the notebooks. In addition, all personnel are required to sign Confidentiality Agreements to protect customer information.
Describe your security awareness program for personnel
Our employees are currently required to train on our company policies, which include:
- Work Computer Policy: to properly secure employee endpoints
- Secure Software Development Process: which describes how we design, build and deploy our software with security taken into consideration on every level
- Security Incident Management Process: describing the steps and procedures that should be taken if an incident were to occur
Security Assessments and Compliance
Do you scan for security vulnerabilities?
Our production infrastructure is hosted by Heroku, and is contained within Heroku’s secure network. Heroku regularly undergoes penetration tests and vulnerability assessments to ensure that the network remains secure. See: https://www.heroku.com/policy/security
Our software development process involves code vulnerability reviews by our developers in addition to resolution of issues flagged via automated vulnerability scanning. We monitor our codebase and dependencies for vulnerabilities using GitHub Enterprise’s advanced vulnerability scanning and are issued automated alerts when problems are found. See: https://github.com/features/security
Do you conduct external (third-party) audits of the service? Are you SOC 2 certified?
Yes, we are SOC 2 Type 2 compliant, and have been audited by Insight Assurance.
How are Observable data apps different from notebooks?
Observable data apps are primarily focused on the presentation of data in dashboards, while notebooks are great for ephemeral, ad hoc data exploration. Projects are file-based while notebooks exist entirely on the Observable website.
Observable data apps consist of source files (Markdown, JavaScript, etc.) that go through a compilation step before being deployed to the server. This lets them perform time-consuming tasks like querying data or pre-computing models offline, so the experience for the final user is much snappier.
While the underlying code in Observable notebooks can always be inspected by the user, data apps give the author more control over what gets exposed and what is hidden. Authors have more control over the layout of their pages as well, which makes them more suitable for dashboards.
A few more differences:
- Notebooks use Observable JavaScript, while data apps use vanilla JavaScript
- Projects can also use other languages in data loaders, such as Python, R, Rust, etc., together with the rich libraries available in these languages
- Notebooks are created and edited in the browser, while data apps are created in your favorite programming environment using the open-source Observable Framework
- Notebooks have collaboration built in, while data apps can use git or other methods to collaborate
- Notebooks live on Observable, while data apps can be deployed anywhere–including on Observable, which was purpose-built for displays of data and includes SSO, workspace management, etc.
We see notebooks as a separate approach to analyzing and visualizing data, but also as a way of exploring data before building a data app.
What is the difference between data apps and Observable Framework? How are they related?
Observable Framework is the collection of tools that process your source files written in Markdown, JavaScript, Python, R, etc., into compressed and optimized HTML and JavaScript to be served to your users quickly and efficiently.
A project is a collection of such files, which can then be built into a data app, which can be deployed to a hosting service.
The Observable platform is our hosting service for data apps, which also provides access control, collaboration features, etc.
How is Observable related to D3?
D3 is an open-source JavaScript library for data visualization. Observable is an online platform for writing and publishing data work—including D3 data visualizations built with D3. You can also work with any JavaScript library that runs in the browser in an Observable notebooks.
User support and feedback
Where can I report bugs, request features, and ask for help using Observable?
We love hearing from users on any topic, whether you’re showing what you’ve built, helping each other learn, or reporting your frustrations when you hit bugs or the limits of our tools. Pick a discussion forum by topic:
We also have a community Slack workspace for general discussion — but, since the public can’t search it for answers to their questions after the fact, we ask you to direct questions and other issues to the appropriate pages above.
Can you help me understand if Observable meets my company’s needs?
We’d love to. Whether you’re already a user or have never touched our product, we’d love to chat about what features you need or what plan is right for you. Email sales@observablehq.com.
I need to delete my account. Can you help?
Learn more about how to delete your account and what gets deleted along with it. If you need help, please email support@observablehq.com.