// Trust & Security Report
Observable, Inc.
Reactive JavaScript notebook platform for data visualization/exploration (Observable Notebooks, Free/Pro/Enterprise), plus the open-source, self-hostable Observable Framework static-site generator for data apps. Observable Cloud (hosted deployment for Framework apps) was deprecated April 2025 and discontinued October 2025.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on observablehq.com“Yes, we are SOC 2 Type 2 compliant, and have been audited by Insight Assurance.”
> Show 8 unconfirmed / not-held certifications
source: observablehq.comNo public evidence. Observable's FAQ has a dedicated 'Do you conduct external audits? Are you SOC 2 certified?' Q&A confirming SOC 2 only; no ISO 27001 mention anywhere on observablehq.com documentation, FAQ, or privacy policy.
source: observablehq.comNo public evidence of HIPAA compliance or BAA availability. Privacy policy explicitly states Observable's system 'is designed to avoid collecting User Personal Information that is stored in your notebooks' and does not address protected health information handling.
source: observablehq.comNo public evidence of an explicit GDPR compliance statement, EU legal-basis framework, or data subject rights disclosure. The privacy policy does not mention GDPR, CCPA, or similar regulations by name anywhere in the document.
source: observablehq.comNo public evidence. Payment handling is not described in detail on the vendor domain beyond listing 'payment processors' as a data recipient; no standalone Observable PCI DSS attestation found.
source: observablehq.comNo public evidence found on observablehq.com documentation or privacy policy pages.
source: observablehq.comNo public evidence of an AI-governance certification, despite Observable offering AI Assist (Claude-powered) functionality.
source: observablehq.comNo public evidence found on observablehq.com documentation or privacy policy pages.
source: observablehq.comNo public evidence found; Observable is hosted on Heroku (US) with no government-cloud or FedRAMP claims on the vendor domain.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
User-Generated Content is stored in internal databases 'hosted in the United States by third-party providers administered by Observable.' Production infrastructure runs on Heroku. No multi-region or EU-residency option is documented.
When users opt in to Observable's AI Assist functionality, 'some or all of the data related to your usage or query will be shared with Claude,' Anthropic's AI product. The privacy policy does not state whether Observable itself trains any model on notebook/user content, nor does it document retention or opt-out mechanics beyond 'not using Observable AI functionality.' No AI-training clause equivalent to a no-training-without-consent guarantee was found on the vendor domain.
// Security controls
Encryption in transit
"Observable is only accessible over HTTPS and only encrypted HTTPS and websockets (WSS) are used for data transmission."
observablehq.comEncryption at rest
"All user data, including cached data from data apps, stored notebook secrets, data connectors, and authentication tokens for Cloud File Attachments, are encrypted at rest."
observablehq.comAuthentication / SSO
Sign-in via third-party providers (Microsoft, GitHub, Google, Twitter) or email one-time-password. OpenID Connect supported with Microsoft/Google; custom SSO available on Enterprise. SAML is not supported at any tier.
observablehq.comVulnerability management
Production infrastructure hosted by Heroku with regular penetration tests; codebase/dependencies monitored via GitHub Enterprise's advanced vulnerability scanning.
observablehq.comApplication sandboxing
Notebook code executes in a per-user/team sandboxed domain (observableusercontent.com) with static-analysis-gated access to secrets and private resources, and short-lived tokens for database/data-connector access.
observablehq.comVulnerability disclosure / VDP
Public responsible-disclosure policy covering api.observablehq.com, app.observablehq.com, authenticated areas of observablehq.com, and public GitHub repos; reports to a dedicated security email, 10-business-day acknowledgement, no paid bounty currently offered.
observablehq.comPersonnel security
Least-privilege access to user data; all personnel sign confidentiality agreements and train on a Work Computer Policy, Secure Software Development Process, and Security Incident Management Process.
observablehq.com// Products & data scope
data: Public or private notebooks, secrets, and any data users choose to load, stored on Observable-managed US infrastructure.
Self-serve individual tier; includes AI Assist opt-in.
data: Same data classes as Free, plus team/workspace membership data, scheduled-notebook run logs, and database/data-connector credentials (short-lived tokens).
Adds multiplayer editing, scheduled runs, guest/viewer roles, watermark removal.
data: Same as Pro, plus organization-managed S3 bucket option for file attachments (customer-controlled storage) and domain-restricted authentication.
Adds custom SSO (OIDC, no SAML), publish-restriction controls, and required domain-based authentication for departing-employee protection.
data: None held by Observable when self-hosted; build and hosting are entirely under customer control, including on-premises builders/servers that never send data to Observable's infrastructure.
Free and open source; recommended path since Observable Cloud's deprecation.
data: N/A - deprecated April 15, 2025; new instance creation stopped, builds/deploys discontinued October 15, 2025.
Existing instances continued to run at deprecation but Observable directed customers to migrate to a preferred static-site host. Any current AIFOXX listing referencing Observable Cloud as an active hosting product should be corrected.
// What to watch
- Contradiction: the FAQ states 'Do you use any sub-processors for data processing purposes? No,' yet the privacy policy separately discloses production hosting via a third-party (Heroku) and lists 'payment processors, marketing vendors, email services, CRM providers, content delivery networks, and error log analysis services' as third-party data recipients. These two vendor-domain statements are inconsistent and should be reconciled before treating 'no sub-processors' as reliable.
- No SAML support at any tier, including Enterprise (only OpenID Connect with Microsoft/Google, or custom SSO). Enterprise buyers requiring SAML-based IdPs should confirm compatibility directly.
- No public DPA, GDPR-specific language, or EU data-transfer mechanism (e.g. SCCs) found on the vendor domain; enterprise/EU customers should request a DPA directly from Observable rather than assume one is standard.
- Observable Cloud, a previously marketed hosting product, was deprecated April 2025 and fully discontinued October 2025 - do not list it as a currently available offering.
- AI Assist shares usage/query data with Anthropic's Claude when enabled, but no explicit training-opt-out or retention terms are published beyond 'don't use the AI features' - treat trains_on_customer_data as unresolved (null), not as a green flag.
- Identity-conflation risk during research: raw web search results surfaced SOC 2 / GDPR claims belonging to similarly-named but unrelated companies (Observe.ai, ObservePoint, Observe Inc., OpenObserve). All certifications and quotes in this assessment were verified directly on the observablehq.com domain to avoid misattribution; downstream reviewers should not merge those other companies' postures into this listing.
// At a glance
Pricing model
Freemium + per-editor SaaS subscription for Notebooks (Free / Pro $22 per editor per month / custom Enterprise); Observable Framework is free and open source
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Observable, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
observablehq.com