Security

At Spectacles, we recognize the trust you put in us when you give us access to your Looker instance. The security of our application and organization is of utmost importance to us because we’re committed to protecting your most sensitive data.

If you can’t find an answer to your question below, please contact us by sending an email to security@spectacles.dev.

Our security model

We don't connect directly to your database

Spectacles requires a Looker service account with a Looker API key to interact with your Looker instance and query your database. This means you can leverage Looker’s flexible and robust security model to restrict that service account’s access to functionality or data as needed.

You can enable permission sets (which limit functionality) and model sets or access grants (which limit available data) to specify what the Spectacles service account can access. You can read more about our recommendations in our documentation.

We also support Looker’s IP Allowlist for customers who want to restrict inbound traffic to trusted IP address ranges.

We never access or store your company's data

When Spectacles runs SQL queries via Looker to test your LookML, we mandate a LIMIT 0 clause on all queries so data is never retrieved. Spectacles only stores metadata (like the error messages we uncover, or the query runtime), not queried data.

Transparent, open core

Our core functionality exists as an open source command line interface (CLI) with source code available for review on GitHub. We review changes and contributions to our open source codebase with the same scrutiny and secure development controls that we employ for our proprietary application codebase.

Serverless cloud infrastructure

We do not maintain any of our own physical infrastructure and rely on Google Cloud Platform, our cloud provider, to host Spectacles. We make use of serverless infrastructure wherever possible to ensure systems are automatically and regularly updated, continually monitored, and assessed for vulnerabilities. Google Cloud provides an extensive list of compliance assurances, including SOC 1/2-3, PCI, and ISO 27001.

Encryption

All application web traffic (in transit) uses HTTPS encryption and data stored (at rest) is encrypted by Google Cloud Platform with AES-256 encryption. We make full use of Google's secret management portfolio to store sensitive data like API keys.

Role-based access

Enterprise customers have access to role-based access control (RBAC) in Spectacles. Administrators can assign Owner, Manager, or User roles to users, which allow varying levels of configuration edit access, particularly when it comes to inviting new users.

Organizational security policies

All Spectacles employees participate in mandatory security awareness training and are required to agree to and comply with our security policies. These policies are regularly reviewed and updated.

Compliance and audits

Third-party audit

We work with a highly regarded audit partner to conduct annual audits of Spectacles. We also leverage Vanta’s monitoring product to automatically monitor SOC 2 and HIPAA controls for ongoing compliance.

We have obtained the following compliance certifications:

  • SOC 2 Type I
  • SOC 2 Type II
  • HIPAA Attestation

You are welcome to request our SOC 2 report, and we are willing to sign a Business Associate Agreement (BAA) with enterprise customers subject to HIPAA mandates.

We have also internally complied with the Center for Internet Security’s (CIS) Level 1 benchmarks for Google Cloud Platform, which provide tests and recommendations for securing our cloud infrastructure. CIS creates these benchmarks through a consensus review process of subject-matter experts.

Penetration testing

Each year, we undergo a penetration test conducted by a trusted, independent firm, and we remediate and mitigate any findings. Enterprise customers may request a summary of penetration test findings.

GDPR

Spectacles processes very little personal data. Protections and rights are outlined in our European Privacy Notice.

Vulnerability disclosure

If you identify a security concern with Spectacles, please contact security@spectacles.dev. We will review your disclosure, respond to you within five business days of receipt, and take the necessary steps to remediate.

Please make a good-faith effort to avoid privacy violations as well as destruction, interruption, or degradation of services and/or data.