Security
At Spectacles, we recognize the trust you put in us when you give us access to your Looker instance. The security of our application and organization is of utmost importance to us because we’re committed to protecting your most sensitive data.
If you can’t find an answer to your question below, please contact us by sending an email to security@spectacles.dev.
Our security model
We don't connect directly to your database
Spectacles requires a Looker service account with a Looker API key to interact with your Looker instance and query your database. This means you can leverage Looker’s flexible and robust security model to restrict that service account’s access to functionality or data as needed.
You can enable permission sets (which limit functionality) and model sets or access grants (which limit available data) to specify what the Spectacles service account can access. You can read more about our recommendations in our documentation.
We also support Looker’s IP Allowlist for customers who want to restrict inbound traffic to trusted IP address ranges.
We never access or store your business data
When Spectacles runs SQL queries via Looker to test your LookML, we mandate a LIMIT 0 clause on all queries so your private business data is never retrieved.
Spectacles only stores metadata (like the error messages we uncover, the query runtime, or usage data about content in your Looker instance), not queried data.
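One way to enforce the LIMIT 0 rule described above, as an added example written for this page rather than code from Spectacles or its CLI: the guard rewrites a single SELECT so its outermost statement ends in LIMIT 0 (so the query still compiles and surfaces SQL errors, but returns no rows), handles an existing LIMIT/OFFSET and trailing line comments, and rejects anything it cannot reason about. It assumes a dialect that uses LIMIT; the function names and sample queries are constructed here.

```python
import re

# Constructed guard, not Spectacles' code. Targets LIMIT-style dialects; a
# TOP or FETCH FIRST dialect would need its own rewrite rule.
_TRAILING_COMMENT = re.compile(r"(?:\s*--[^\n]*)+\s*$")
_TRAILING_LIMIT = re.compile(
    r"\s+LIMIT\s+\d+(?:\s*,\s*\d+|\s+OFFSET\s+\d+)?\s*$", re.IGNORECASE
)


def enforce_limit_zero(sql: str) -> str:
    """Rewrite one SELECT/WITH statement so its outermost LIMIT is 0.

    Anything the guard cannot reason about (several statements, block
    comments, non-SELECT statements) is rejected rather than guessed at.
    A '--' inside a trailing string literal would be stripped too; that
    yields a query the database refuses, which fails closed.
    """
    text = _TRAILING_COMMENT.sub("", sql.strip()).rstrip()
    text = text.rstrip(";").rstrip()
    if not text:
        raise ValueError("empty query")
    if ";" in text or "/*" in text:
        raise ValueError("multi-statement input or block comments are rejected")
    if not text.upper().startswith(("SELECT", "WITH")):
        raise ValueError("only SELECT or WITH ... SELECT statements are allowed")
    body = _TRAILING_LIMIT.sub("", text)
    # LIMIT 0 goes on its own line so a stray trailing comment can never
    # swallow it and silently restore the original row limit.
    return f"{body}\nLIMIT 0"


def returns_no_rows(sql: str) -> bool:
    """Pre-send check: the outermost statement must end with LIMIT 0."""
    text = _TRAILING_COMMENT.sub("", sql.strip())
    return re.search(r"\bLIMIT\s+0\s*$", text, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Constructed sample query; a nested LIMIT in the subquery is left alone.
    sample = "SELECT * FROM (SELECT * FROM orders LIMIT 10) s ORDER BY 1 LIMIT 100 OFFSET 5;"
    guarded = enforce_limit_zero(sample)
    print(guarded)
    print("safe to send:", returns_no_rows(guarded))
```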
Transparent, open core
Our core functionality exists as an open source command line interface (CLI) with source code available for review on GitHub. We review changes and contributions to our open source codebase with the same scrutiny and secure development controls that we employ for our proprietary application codebase.
GCP-hosted cloud infrastructure
Spectacles and relevant data are hosted on GCP. Our GCP-hosted systems are automatically and regularly updated, continually monitored, and assessed for vulnerabilities, in accordance with Google Cloud policies, which carry an extensive list of compliance assurances including SOC 1/2/3, PCI, and ISO 27001.
Encryption
All application web traffic is encrypted in transit with HTTPS, and stored data is encrypted at rest by Google Cloud Platform with AES-256. We make full use of Google's secret management portfolio to store sensitive data like API keys.
Role-based access
Enterprise customers have access to role-based access control (RBAC) in Spectacles. Administrators can assign Owner, Manager, or User roles to users, which grant varying levels of configuration edit access, in particular the ability to invite new users.
Organizational security policies
All Spectacles employees participate in mandatory security awareness training and are required to agree to and comply with our security policies. These policies are regularly reviewed and updated.
Compliance and audits
Third-party audit
We work with a highly regarded audit partner to conduct annual audits of Spectacles. We also leverage Vanta’s monitoring product to automatically monitor SOC 2 and HIPAA controls for ongoing compliance.
We have obtained the following compliance certifications:
- SOC 2 Type I
- SOC 2 Type II
- HIPAA Attestation
You are welcome to request our SOC 2 report and we are willing to sign a Business Associate Agreement (BAA) with enterprise customers subject to HIPAA mandates.
Penetration testing
Each year, we undergo a penetration test conducted by a trusted, independent firm and remediate or mitigate any findings. Enterprise customers may request a summary of penetration test findings.
GDPR
Spectacles processes very little personal data. Protections and rights are outlined in our European Privacy Notice.
Vulnerability disclosure
If you identify a security concern with Spectacles, please contact security@spectacles.dev. We will review your disclosure, respond to you within five business days of receipt, and take the necessary steps to remediate.
Please make a good faith effort to avoid privacy violations as well as destruction, interruption or degradation of services and/or data.