At Spectacles, we recognize the trust you put in us when you give us access to your Looker instance. The security of our application and organization is of utmost importance to us because we’re committed to protecting your most sensitive data.
If you can’t find an answer to your question below, please contact us by sending an email to firstname.lastname@example.org.
Our security model
We don't connect directly to your database
Spectacles requires a Looker service account with a Looker API key to interact with your Looker instance and query your database. This means you can leverage Looker’s flexible and robust security model to restrict that service account’s access to functionality or data as needed.
You can enable permission sets (which limit functionality) and model sets or access grants (which limit available data) to specify what the Spectacles service account can access. You can read more about our recommendations in our documentation.
We also support Looker’s IP Allowlist for customers who want to restrict inbound traffic to trusted IP address ranges.
We never access or store your company's data
When Spectacles runs SQL queries via Looker to test your LookML, we mandate a LIMIT 0 clause on all queries so data is never retrieved. Spectacles only stores metadata (like the error messages we uncover, or the query runtime), not queried data.
Transparent, open core
Our core functionality exists as an open source command line interface (CLI) with source code available for review on GitHub. We review changes and contributions to our open source codebase with the same scrutiny and secure development controls that we employ for our proprietary application codebase.
Serverless cloud infrastructure
We do not maintain any of our own physical infrastructure and rely on Google Cloud Platform, our cloud provider, to host Spectacles. We make use of serverless infrastructure wherever possible to ensure systems are automatically and regularly updated, continually monitored, and assessed for vulnerabilities. Google Cloud provides an extensive list of compliance assurances, including SOC 1/2-3, PCI, and ISO 27001.
All application web traffic (in transit) uses HTTPS encryption and data stored (at rest) is encrypted by Google Cloud Platform with AES-256 encryption. We make full use of Google's secret management portfolio to store sensitive data like API keys.
Enterprise customers have access to role-based access control (RBAC) in Spectacles. Administrators can assign Owner, Manager, or User roles to users, which allow varying levels of configuration edit access, particularly when it comes to inviting new users.
Organizational security policies
All Spectacles employees participate in mandatory security awareness training and are required to agree to and comply with our security policies. These policies are regularly reviewed and updated.
Compliance and audits
We work with a highly regarded audit partner to conduct annual audits of Spectacles. We also leverage Vanta’s monitoring product to automatically monitor SOC 2 and HIPAA controls for ongoing compliance.
We have obtained the following compliance certifications:
- SOC 2 Type I
- SOC 2 Type II (In Progress)
- HIPAA Attestation
Enterprise customers are welcome to request our SOC 2 report and we are willing to sign a Business Associate Agreement (BAA) with customers subject to HIPAA mandates.
We have also internally complied with the Center for Internet Security’s (CIS) Level 1 benchmarks for Google Cloud Platform, which provide tests and recommendations for securing our cloud infrastructure. CIS creates these benchmarks through a consensus review process of subject-matter experts.
Each year, we undergo a penetration test conducted by a trusted, independent firm, and we remediate and mitigate any findings. Enterprise customers may request a summary of penetration test findings.
Spectacles processes very little personal data. Protections and rights are outlined in our European Privacy Notice.
If you identify a security concern with Spectacles, please contact email@example.com. We will review your disclosure, respond to you within five business days of receipt, and take the necessary steps to remediate.
Please make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of services and/or data.