// Trust & Security Report

    Observable, Inc. logo

    Observable, Inc.

    Reactive JavaScript notebook platform for data visualization/exploration (Observable Notebooks, Free/Pro/Enterprise), plus the open-source, self-hostable Observable Framework static-site generator for data apps. Observable Cloud (hosted deployment for Framework apps) was deprecated April 2025 and discontinued October 2025.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Yes, we are SOC 2 Type 2 compliant, and have been audited by Insight Assurance.

    Verify on observablehq.com
    > Show 8 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    No public evidence. Observable's FAQ has a dedicated 'Do you conduct external audits? Are you SOC 2 certified?' Q&A confirming SOC 2 only; no ISO 27001 mention anywhere on observablehq.com documentation, FAQ, or privacy policy.

    source: observablehq.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or BAA availability. Privacy policy explicitly states Observable's system 'is designed to avoid collecting User Personal Information that is stored in your notebooks' and does not address protected health information handling.

    source: observablehq.com
    GDPR (posture)
    NOT CONFIRMED

    No public evidence of an explicit GDPR compliance statement, EU legal-basis framework, or data subject rights disclosure. The privacy policy does not mention GDPR, CCPA, or similar regulations by name anywhere in the document.

    source: observablehq.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Payment handling is not described in detail on the vendor domain beyond listing 'payment processors' as a data recipient; no standalone Observable PCI DSS attestation found.

    source: observablehq.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence found on observablehq.com documentation or privacy policy pages.

    source: observablehq.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence of an AI-governance certification, despite Observable offering AI Assist (Claude-powered) functionality.

    source: observablehq.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on observablehq.com documentation or privacy policy pages.

    source: observablehq.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found; Observable is hosted on Heroku (US) with no government-cloud or FedRAMP claims on the vendor domain.

    source: observablehq.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    User-Generated Content is stored in internal databases 'hosted in the United States by third-party providers administered by Observable.' Production infrastructure runs on Heroku. No multi-region or EU-residency option is documented.

    When users opt in to Observable's AI Assist functionality, 'some or all of the data related to your usage or query will be shared with Claude,' Anthropic's AI product. The privacy policy does not state whether Observable itself trains any model on notebook/user content, nor does it document retention or opt-out mechanics beyond 'not using Observable AI functionality.' No AI-training clause equivalent to a no-training-without-consent guarantee was found on the vendor domain.

    // Security controls

    Encryption in transit

    "Observable is only accessible over HTTPS and only encrypted HTTPS and websockets (WSS) are used for data transmission."

    observablehq.com

    Encryption at rest

    "All user data, including cached data from data apps, stored notebook secrets, data connectors, and authentication tokens for Cloud File Attachments, are encrypted at rest."

    observablehq.com

    Authentication / SSO

    Sign-in via third-party providers (Microsoft, GitHub, Google, Twitter) or email one-time-password. OpenID Connect supported with Microsoft/Google; custom SSO available on Enterprise. SAML is not supported at any tier.

    observablehq.com

    Vulnerability management

    Production infrastructure hosted by Heroku with regular penetration tests; codebase/dependencies monitored via GitHub Enterprise's advanced vulnerability scanning.

    observablehq.com

    Application sandboxing

    Notebook code executes in a per-user/team sandboxed domain (observableusercontent.com) with static-analysis-gated access to secrets and private resources, and short-lived tokens for database/data-connector access.

    observablehq.com

    Vulnerability disclosure / VDP

    Public responsible-disclosure policy covering api.observablehq.com, app.observablehq.com, authenticated areas of observablehq.com, and public GitHub repos; reports to a dedicated security email, 10-business-day acknowledgement, no paid bounty currently offered.

    observablehq.com

    Personnel security

    Least-privilege access to user data; all personnel sign confidentiality agreements and train on a Work Computer Policy, Secure Software Development Process, and Security Incident Management Process.

    observablehq.com

    // Products & data scope

    Observable Notebooks (Free)Cloud notebook / data-visualization tool (individual)

    data: Public or private notebooks, secrets, and any data users choose to load, stored on Observable-managed US infrastructure.

    Self-serve individual tier; includes AI Assist opt-in.

    Observable Notebooks Pro ($22/mo per editor)Cloud notebook / data-visualization tool (team)

    data: Same data classes as Free, plus team/workspace membership data, scheduled-notebook run logs, and database/data-connector credentials (short-lived tokens).

    Adds multiplayer editing, scheduled runs, guest/viewer roles, watermark removal.

    Observable Notebooks EnterpriseCloud notebook / data-visualization tool (enterprise)

    data: Same as Pro, plus organization-managed S3 bucket option for file attachments (customer-controlled storage) and domain-restricted authentication.

    Adds custom SSO (OIDC, no SAML), publish-restriction controls, and required domain-based authentication for departing-employee protection.

    Observable FrameworkOpen-source static-site generator (self-hostable)

    data: None held by Observable when self-hosted; build and hosting are entirely under customer control, including on-premises builders/servers that never send data to Observable's infrastructure.

    Free and open source; recommended path since Observable Cloud's deprecation.

    Observable Cloud (deprecated)Hosting for Framework data apps

    data: N/A - deprecated April 15, 2025; new instance creation stopped, builds/deploys discontinued October 15, 2025.

    Existing instances continued to run at deprecation but Observable directed customers to migrate to a preferred static-site host. Any current AIFOXX listing referencing Observable Cloud as an active hosting product should be corrected.

    // What to watch

    • Contradiction: the FAQ states 'Do you use any sub-processors for data processing purposes? No,' yet the privacy policy separately discloses production hosting via a third-party (Heroku) and lists 'payment processors, marketing vendors, email services, CRM providers, content delivery networks, and error log analysis services' as third-party data recipients. These two vendor-domain statements are inconsistent and should be reconciled before treating 'no sub-processors' as reliable.
    • No SAML support at any tier, including Enterprise (only OpenID Connect with Microsoft/Google, or custom SSO). Enterprise buyers requiring SAML-based IdPs should confirm compatibility directly.
    • No public DPA, GDPR-specific language, or EU data-transfer mechanism (e.g. SCCs) found on the vendor domain; enterprise/EU customers should request a DPA directly from Observable rather than assume one is standard.
    • Observable Cloud, a previously marketed hosting product, was deprecated April 2025 and fully discontinued October 2025 - do not list it as a currently available offering.
    • AI Assist shares usage/query data with Anthropic's Claude when enabled, but no explicit training-opt-out or retention terms are published beyond 'don't use the AI features' - treat trains_on_customer_data as unresolved (null), not as a green flag.
    • Identity-conflation risk during research: raw web search results surfaced SOC 2 / GDPR claims belonging to similarly-named but unrelated companies (Observe.ai, ObservePoint, Observe Inc., OpenObserve). All certifications and quotes in this assessment were verified directly on the observablehq.com domain to avoid misattribution; downstream reviewers should not merge those other companies' postures into this listing.

    // At a glance

    Pricing model

    Freemium + per-editor SaaS subscription for Notebooks (Free / Pro $22 per editor per month / custom Enterprise); Observable Framework is free and open source

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Observable, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    observablehq.com

    > Browse all vendor trust reports