// Trust & Security Report
The Apache Software Foundation
Apache Superset: open-source data visualization and exploration platform (self-hosted); related managed offering Preset is a separate commercial entity
Certifications held
0
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
> Show 8 unconfirmed / not-held certifications
source: superset.apache.orgApache Superset is open-source self-hosted software maintained by a nonprofit foundation. No managed SaaS exists under the ASF umbrella; SOC 2 audits are not applicable to OSS projects. No public evidence found on superset.apache.org or apache.org.
source: privacy.apache.orgASF uses AWS (DNS) and Azure (servers) which hold ISO 27001 - those are host-level certs, not ASF/Superset certs. No evidence the Apache Software Foundation itself holds ISO 27001 certification.
source: privacy.apache.orgASF's own websites follow a GDPR-aligned privacy policy referencing GDPR Articles 15-21. However, Apache Superset as self-hosted software carries no GDPR certification; the deploying organization bears full GDPR responsibility for data in their Superset instance.
source: superset.apache.orgNo public evidence on superset.apache.org or apache.org. Not applicable to open-source self-hosted software; operators must configure their own HIPAA-compliant deployment.
source: superset.apache.orgNo public evidence on superset.apache.org or apache.org. PCI DSS responsibility lies with the deploying organization, not the OSS project.
source: superset.apache.orgNo public evidence. Not applicable to open-source self-hosted software.
source: superset.apache.orgNo public evidence. Apache Superset does not include AI model training features; no AI governance certification found.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
Fully operator-determined; ASF has no data residency obligations since it does not host end-user Superset instances.
Not applicable. Apache Superset is self-hosted software; all data stays within the deploying organization's own infrastructure. No data is transmitted to the Apache Software Foundation. The software has no built-in AI model that trains on customer query or dashboard data.
// Security controls
Encryption in transit
TLS 1.2+ required for production; operators must configure a reverse proxy (Nginx, Traefik, or load balancer). Superset documentation explicitly states running without HTTPS is insecure.
superset.apache.orgEncryption at rest
SUPERSET_SECRET_KEY encrypts session cookies and metadata DB credentials (database connection strings). Application data encryption at rest is the operator's responsibility at the database and storage layer.
superset.apache.orgAuthentication
Flask AppBuilder (FAB) handles auth; supports built-in DB auth, OAuth, LDAP, and SAML/SSO integration with Azure AD, Google, Okta. API key authentication available for service accounts.
superset.apache.orgAuthorization / RBAC
Five built-in roles: Admin (full control), Alpha (all data sources), Gamma (assigned data sources only), sql_lab, Public. Dashboard-level RBAC via DASHBOARD_RBAC feature flag. Row Level Security (RLS) via SQL WHERE clauses with Jinja templating.
superset.apache.orgSession security
Server-side sessions recommended for production (Redis/Memcached). Cookie flags: SESSION_COOKIE_SECURE=True, SESSION_COOKIE_HTTPONLY=True, SESSION_COOKIE_SAMESITE='Lax'. Configurable session lifetime.
superset.apache.orgContent Security Policy
Via Talisman extension. Disabled by default; operators must explicitly enable for security headers. Nonce-based script execution supported.
superset.apache.orgVulnerability disclosure
Reports to security@superset.apache.org (private). ASF acts as a CVE Numbering Authority (CNA). CVE list published at superset.apache.org/docs/security/cves.
github.comSecrets management
SUPERSET_SECRET_KEY, GUEST_TOKEN_JWT_SECRET, GLOBAL_ASYNC_QUERIES_JWT_SECRET must be stored in environment variables or secrets managers, never hardcoded. Quarterly rotation recommended.
superset.apache.org// Products & data scope
data: Connects to operator-managed databases; metadata stored in operator-managed metadata DB. No data sent to ASF.
Self-hosted only. Apache License 2.0. Free with no per-user licensing cost. Deploying organization is solely responsible for all compliance certifications.
data: Multi-tenant SaaS on AWS; workspace-isolated query caching; database credentials encrypted at rest with AES-256.
Preset Inc. is a separate commercial company, not Apache Software Foundation. Preset holds SOC 2 Type 2, PCI-DSS Level 2, and HIPAA compliance. These certifications belong to Preset Inc., NOT to Apache Superset or ASF. Do not conflate.
// What to watch
- IDENTITY CONFLATION RISK (critical): trust.superset.sh is operated by Superset (superset.sh), a YC-backed AI coding-agent IDE company - completely unrelated to Apache Superset data platform. Any search returning trust.superset.sh as Apache Superset's trust center is incorrect and misleading.
- HOST-VS-VENDOR CERT AMBIGUITY: ASF uses AWS (ISO 27001, PCI DSS Level 1) and Azure for infrastructure. These are the cloud providers' certifications, NOT ASF's or Apache Superset's.
- PRESET CONFLATION: Preset Inc. (preset.io) holds SOC 2 Type 2, PCI-DSS Level 2, and HIPAA. Preset is a separate commercial company offering managed Apache Superset. These certs do NOT apply to the open-source Apache Superset project.
- OPEN-SOURCE MODEL: Standard SaaS compliance certs (SOC 2, ISO 27001, HIPAA) are not applicable to self-hosted OSS. Marking certs absent is the correct posture, not a negative signal about the software's quality.
- SECURITY DEFAULTS: Talisman (Content Security Policy) is disabled by default; operators must explicitly enable. HTTPS is not enforced at the application layer; requires operator-configured reverse proxy.
- NO DPA AVAILABLE: The ASF does not offer a Data Processing Agreement for Superset deployers. Organizations with GDPR/data processor requirements must manage this at their infrastructure layer.
- G-CLOUD LISTING (629273458006122) is from Millersoft Limited, a third-party UK reseller. Their Cyber Essentials certification is theirs, not ASF's or Apache Superset's.
// At a glance
Pricing model
Free and open-source (Apache License 2.0); infrastructure costs borne by operator
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on The Apache Software Foundation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
privacy.apache.org