// Trust & Security Report

    The Apache Software Foundation logo

    The Apache Software Foundation

    Apache Superset: open-source data visualization and exploration platform (self-hosted); related managed offering Preset is a separate commercial entity

    Certifications held

    0

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    Apache Superset is open-source self-hosted software maintained by a nonprofit foundation. No managed SaaS exists under the ASF umbrella; SOC 2 audits are not applicable to OSS projects. No public evidence found on superset.apache.org or apache.org.

    source: superset.apache.org
    ISO 27001
    NOT CONFIRMED

    ASF uses AWS (DNS) and Azure (servers) which hold ISO 27001 - those are host-level certs, not ASF/Superset certs. No evidence the Apache Software Foundation itself holds ISO 27001 certification.

    source: privacy.apache.org
    GDPR (compliance posture)
    NOT CONFIRMED

    ASF's own websites follow a GDPR-aligned privacy policy referencing GDPR Articles 15-21. However, Apache Superset as self-hosted software carries no GDPR certification; the deploying organization bears full GDPR responsibility for data in their Superset instance.

    source: privacy.apache.org
    HIPAA
    NOT CONFIRMED

    No public evidence on superset.apache.org or apache.org. Not applicable to open-source self-hosted software; operators must configure their own HIPAA-compliant deployment.

    source: superset.apache.org
    PCI DSS
    NOT CONFIRMED

    No public evidence on superset.apache.org or apache.org. PCI DSS responsibility lies with the deploying organization, not the OSS project.

    source: superset.apache.org
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not applicable to open-source self-hosted software.

    source: superset.apache.org
    CSA STAR
    NOT CONFIRMED

    No public evidence on superset.apache.org.

    source: superset.apache.org
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence. Apache Superset does not include AI model training features; no AI governance certification found.

    source: superset.apache.org

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    Fully operator-determined; ASF has no data residency obligations since it does not host end-user Superset instances.

    Not applicable. Apache Superset is self-hosted software; all data stays within the deploying organization's own infrastructure. No data is transmitted to the Apache Software Foundation. The software has no built-in AI model that trains on customer query or dashboard data.

    // Security controls

    Encryption in transit

    TLS 1.2+ required for production; operators must configure a reverse proxy (Nginx, Traefik, or load balancer). Superset documentation explicitly states running without HTTPS is insecure.

    superset.apache.org

    Encryption at rest

    SUPERSET_SECRET_KEY encrypts session cookies and metadata DB credentials (database connection strings). Application data encryption at rest is the operator's responsibility at the database and storage layer.

    superset.apache.org

    Authentication

    Flask AppBuilder (FAB) handles auth; supports built-in DB auth, OAuth, LDAP, and SAML/SSO integration with Azure AD, Google, Okta. API key authentication available for service accounts.

    superset.apache.org

    Authorization / RBAC

    Five built-in roles: Admin (full control), Alpha (all data sources), Gamma (assigned data sources only), sql_lab, Public. Dashboard-level RBAC via DASHBOARD_RBAC feature flag. Row Level Security (RLS) via SQL WHERE clauses with Jinja templating.

    superset.apache.org

    Session security

    Server-side sessions recommended for production (Redis/Memcached). Cookie flags: SESSION_COOKIE_SECURE=True, SESSION_COOKIE_HTTPONLY=True, SESSION_COOKIE_SAMESITE='Lax'. Configurable session lifetime.

    superset.apache.org

    Content Security Policy

    Via Talisman extension. Disabled by default; operators must explicitly enable for security headers. Nonce-based script execution supported.

    superset.apache.org

    Vulnerability disclosure

    Reports to security@superset.apache.org (private). ASF acts as a CVE Numbering Authority (CNA). CVE list published at superset.apache.org/docs/security/cves.

    github.com

    Secrets management

    SUPERSET_SECRET_KEY, GUEST_TOKEN_JWT_SECRET, GLOBAL_ASYNC_QUERIES_JWT_SECRET must be stored in environment variables or secrets managers, never hardcoded. Quarterly rotation recommended.

    superset.apache.org

    // Products & data scope

    Apache Superset (open-source)Data Visualization / Business Intelligence

    data: Connects to operator-managed databases; metadata stored in operator-managed metadata DB. No data sent to ASF.

    Self-hosted only. Apache License 2.0. Free with no per-user licensing cost. Deploying organization is solely responsible for all compliance certifications.

    Preset (managed cloud, separate vendor)Managed Apache Superset SaaS

    data: Multi-tenant SaaS on AWS; workspace-isolated query caching; database credentials encrypted at rest with AES-256.

    Preset Inc. is a separate commercial company, not Apache Software Foundation. Preset holds SOC 2 Type 2, PCI-DSS Level 2, and HIPAA compliance. These certifications belong to Preset Inc., NOT to Apache Superset or ASF. Do not conflate.

    // What to watch

    • IDENTITY CONFLATION RISK (critical): trust.superset.sh is operated by Superset (superset.sh), a YC-backed AI coding-agent IDE company - completely unrelated to Apache Superset data platform. Any search returning trust.superset.sh as Apache Superset's trust center is incorrect and misleading.
    • HOST-VS-VENDOR CERT AMBIGUITY: ASF uses AWS (ISO 27001, PCI DSS Level 1) and Azure for infrastructure. These are the cloud providers' certifications, NOT ASF's or Apache Superset's.
    • PRESET CONFLATION: Preset Inc. (preset.io) holds SOC 2 Type 2, PCI-DSS Level 2, and HIPAA. Preset is a separate commercial company offering managed Apache Superset. These certs do NOT apply to the open-source Apache Superset project.
    • OPEN-SOURCE MODEL: Standard SaaS compliance certs (SOC 2, ISO 27001, HIPAA) are not applicable to self-hosted OSS. Marking certs absent is the correct posture, not a negative signal about the software's quality.
    • SECURITY DEFAULTS: Talisman (Content Security Policy) is disabled by default; operators must explicitly enable. HTTPS is not enforced at the application layer; requires operator-configured reverse proxy.
    • NO DPA AVAILABLE: The ASF does not offer a Data Processing Agreement for Superset deployers. Organizations with GDPR/data processor requirements must manage this at their infrastructure layer.
    • G-CLOUD LISTING (629273458006122) is from Millersoft Limited, a third-party UK reseller. Their Cyber Essentials certification is theirs, not ASF's or Apache Superset's.

    // At a glance

    Pricing model

    Free and open-source (Apache License 2.0); infrastructure costs borne by operator

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on The Apache Software Foundation's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    privacy.apache.org

    > Browse all vendor trust reports