Row Zero is now in public beta
Row Zero is designed with security at its core. Our development process applies industry best practices like threat modeling, pen testing, code reviews, Principle of Least Privilege, Assume Compromise, Defense in Depth, and Pyramid of Pain. Secrets are short-lived. No engineer has API access to Prod. We patch regularly. We carefully consider our open source dependencies.
Row Zero is SOC2 Type II certified and makes the report available to pro tier customers. Outside of the report, additional information about Row Zero's security practices can be found below.
Case Study: Workbook Process Security Posture
It's easy to spout security buzzwords… which we just did. To give you a better sense of how we think about security in practice, next we review our security posture for customer data in an active workbook process:
For many apps, the goal of the attacker is to achieve arbitrary code execution. Row Zero workbooks allow users to run arbitrary Python code in every workbook, so our workbook process is already owned! In the face of malicious user code, we must keep data secure. To achieve that, we apply Defense in Depth.
Defense in Depth means that you assume that you screwed up a risk mitigation and that, in spite of the screw up, customer data is still secure. Here's what that looks like for workbooks:
- Account isolation: Workbooks execute in a different AWS account than the one that durably stores customer data and secrets. This makes it impossible to accidentally expose a database with sensitive data to a row zero user running malicious code in a workbook.
- Process isolation: Workbooks execute in a virtual machine. We don't use Docker or other containers because Docker is not a security boundary.
- Network isolation: Firewall rules ensure that only authorized packets may reach a workbook.
- In-process auth: Even if a malicious packet were to reach a workbook, every workbook process has ephemeral keys so that it can reject invalid requests.
Row Zero's development process is guided by our Engineering Tenets, which help us make tradeoffs during feature development. In priority order, our goal is to deliver a service that is:Secure
- Never leak dataDurable
- Never lose dataAvailable
- Never go downFast
- Never be slowAffordable
- Our customers care about price, so we care about the cost to operate the service.
Security comes first. In practice this means our engineers will never ship a feature that (e.g.) makes the app faster or cheaper to operate at the expense of security.Dependencies
Row Zero is built on AWS. Data is persisted in S3 and DynamoDB and encrypted natively. TLS certificates are managed by AWS Certificate Manager (ACM) and TLS termination is managed by AWS ALB.
We use Auth0 by Okta for user authentication. This means Auth0 is responsible for storing your salted password hash - it's not anywhere in our system.Outside support
We employ outside security consultants to review policies, procedures, and systems for any potential exposure. Penetration testing is performed by outside consultants annually and after any major feature update. Auditors are also used to assess overall compliance with SOC2 requirements on an annual basis.Customer Control
Row Zero gives customers control of their data which can be valuable when managing privacy considerations, permissions, and contractual obligations.
What data does Row Zero store?
- Data Deletion - all data associated with a Row Zero account can be deleted upon account closure and customer request.
- User Roles - Row Zero enables users to assign roles to every user of their workbook or organization, limiting what data can be accessed or actions permitted in each workbook.
- Data Access - Row Zero limits credential sharing to restrict access to databases and data lakes. Access to established data repository connections can be shared through workbooks while credentials remain tied to a user.
For customers using Row Zero's hosted solution, data loaded into a Row Zero workbook is stored within the Row Zero VPC. For customers using the on-prem enterprise product, all-data remains within their own network.Data use
- Row Zero does not use customer data for any purposes.
- Row Zero uses aggregate statistics on usage and performance to improve the product and services.
Row Zero uses RSA 2048 bit encryption to encrypt data in transit over public networks. At-rest data is stored in AWS S3 and Dynamo and encrypted natively.Support
We are committed to providing industry leading security to all customers. For any questions regarding our security practices or requests for additional certifications, please send an email to
or contact us