Hi, It feels really strange that when a user uploads data to my platform, anything from passwords/bank details /insurance policies, I (and my team) can just view their data without any blockers.
Am I missing something?
Surely no client is going to want to input sensitive data if the people who run the platform can view it with ease?!
Any help would be appreciated
Thanks
+27Welcome to the Airtable community!
Nope. Airtable was designed to allow for easy collaboration and is based on the idea that all collaborators can be trusted to view all data in the base. This is slowly evolving, but Airtable still should not be used to store private or sensitive information that some collaborators should not have access to.
+16Hi @Jack_Sitwell,
You bring up some great points. If you grant access to your base that user has access to the base data. Even with permissions they can still download the data. That said you have to be careful about how you store sensitive data.
There are work arounds, like creating a sensitive base that only you can access, and syncing only pertinent records from that base.
Welcome to the Airtable community!
Nope. Airtable was designed to allow for easy collaboration and is based on the idea that all collaborators can be trusted to view all data in the base. This is slowly evolving, but Airtable still should not be used to store private or sensitive information that some collaborators should not have access to.
Thanks, is there a solution to this? a way to encrypt the data?
I’m looking to build a platform for users to upload specific sensitive data (like a niche password vault), i just don’t think anyone would trust a platform if the owner can view their data.
+20Along the same channel of @kuovonne’s response, the weakest part of your data security procedures are you, your team, and your users.
You have to remember that Airtable is first a collaboration platform that happens to be built on the structure of a database.
We all had a slightly similar conversation in this thread, where the sentiment is primarily the same.
I’m going to go on a bit of a brain dump since this has been on my mind lately, but I think it’s contextually applicable to the conversation of data security, and I think that there’s a good chance that people in the future will find these threads with similar concerns.
Thus I think they’re important for thinking about how we as users, consultants/freelancers, admins, and developers can ensure security and how Airtable as a platform and company handles our data.
More importantly, these conversations set a precedent in continuing to push for more powerful tools for managing user permissions and data security
As I’ve spent more time working with data and building solutions for a vast array of teams in unique industries, I’ve spent more and more time thinking about data security.
When working with larger teams and organizations, I now keep a list of things down when I “score” infosec.
Does this workspace/base store PII?
Does someone have an invite into or access to this base or workspace?
Are there any viewing links? Where are they? What are they for?
Who has developer & scripting permissions? Why?
What integrations are active? Who owns the API keys?
Many of these things aren’t available outside of enterprise accounts, which I view to be a huge failure in supporting small businesses or teams that cannot afford the $36,000 enterprise startup fee but still need to confidently manage access to sensitive d,ata not just defined as PII.
That being said, asking these questions keeps me (and, by extension, those I work with) aware of the potential risks of sending someone what seems like a harmless shared view.
We can often get so caught up in building and pushing the boundaries of what’s possible with platforms like Airtable that we can easily forget how to retain boundaries that keep us, our clients, and our teams safe.
Along the same channel of @kuovonne’s response, the weakest part of your data security procedures are you, your team, and your users.
You have to remember that Airtable is first a collaboration platform that happens to be built on the structure of a database.
We all had a slightly similar conversation in this thread, where the sentiment is primarily the same.
I’m going to go on a bit of a brain dump since this has been on my mind lately, but I think it’s contextually applicable to the conversation of data security, and I think that there’s a good chance that people in the future will find these threads with similar concerns.
Thus I think they’re important for thinking about how we as users, consultants/freelancers, admins, and developers can ensure security and how Airtable as a platform and company handles our data.
More importantly, these conversations set a precedent in continuing to push for more powerful tools for managing user permissions and data security
As I’ve spent more time working with data and building solutions for a vast array of teams in unique industries, I’ve spent more and more time thinking about data security.
When working with larger teams and organizations, I now keep a list of things down when I “score” infosec.
Does this workspace/base store PII?
Does someone have an invite into or access to this base or workspace?
Are there any viewing links? Where are they? What are they for?
Who has developer & scripting permissions? Why?
What integrations are active? Who owns the API keys?
Many of these things aren’t available outside of enterprise accounts, which I view to be a huge failure in supporting small businesses or teams that cannot afford the $36,000 enterprise startup fee but still need to confidently manage access to sensitive d,ata not just defined as PII.
That being said, asking these questions keeps me (and, by extension, those I work with) aware of the potential risks of sending someone what seems like a harmless shared view.
We can often get so caught up in building and pushing the boundaries of what’s possible with platforms like Airtable that we can easily forget how to retain boundaries that keep us, our clients, and our teams safe.
There’s this idea - Field-level Encryption: Does Anyone Care?
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
