The Ultimate Manual to Airtable Security

Airtable is a low-code platform for custom applications, collaboration, and business workflows. It’s trusted by 200,000+ organizations worldwide, including Netflix, Expedia, Time Magazine, and Shopify.

If you’re an existing Airtable user or considering it for your business, you need to prioritize security—and this guide will teach you how.

What is Airtable Security Anyway?

Airtable is an extremely flexible solution that allows users to build custom apps for a wide range of use cases. Many of these applications are used for mission-critical purposes and contain sensitive data.

You might be using Airtable for marketing data, employee data, customer data, and more. In many cases, the applications will be pulling sensitive data from many sources.

Every Airtable plan comes with a certain amount of “records per base.” This is the equivalent of rows in a spreadsheet or items on a list. It starts at 1,200 records per base with the free plan and goes all the way up to 100,000 records per base at the enterprise level. In short, this means Airtable is encouraging you to use the platform for data.

Airtable also lets you onboard different types of users to your team. You can use the platform to sync data across departments and even with external users. So in addition to ensuring the data is safe when it’s stored and being used for various workflows, you also need to make sure the platform is protected from human error or people with malicious intent.

The great part about Airtable is that the platform has built-in security practices to address these concerns. All of the data that gets entered into Airtable remains yours, and the platform ensures that any unwanted eyes won’t have access to your data.

All data is automatically encrypted when it’s sent to and from Airtable’s servers. The data is also encrypted when it’s at rest in storage. Airtable uses 256-bit SSL/TLS encryption when the data is in motion and protects data using 256-bit AES encryption for data at rest.

How Airtable Security Works

Let’s take a closer look at all of Airtable’s built-in security parameters and ways they keep data safe:

ISO/IEC 27001 Certified

Airtable has an ISO/IEC 27001 certification. This is a specification for ISMS (information security management systems). It covers the framework in which an organization handles information risk management. You can view Airtable’s certificate here.

SOC 2 Compliance

SOC 2 is an audit developed by the American Institute of CPAs (AICPA). This rigorous technical audit looks at the data security standards of tech companies that store client data in the cloud.

The audit also measures the company’s overall data management and security practices. A certification shows that the data is being handled, stored, managed, processed, and controlled in a secure environment.

Airtable has undergone this audit and was found to be compliant. You can contact your Airtable account manager to request a full copy of the most recent report.

Network Security and System Security

Whenever you’re using an Airtable app or visiting the Airtable website, all information transmitted between your device and the Airtable servers is encrypted. The data is protected by 256-bit TLS encryption when it’s in motion, and it’s encrypted using AES-256 when it’s at rest.

All of Airtable’s servers are located within the United States. These data centers are SOC 1 certified, SOC 2 certified, and ISO 27001 certified as well. The data centers have 24/7 security, redundant power systems, strict physical access control, automatic fire detection and suppression, and more.

Airtable also installs updates and patches to the servers to ensure all of the security is up to date. Each server is segmented by role and secured with restricted firewalls.

Application Security

Automatic application-level security scans are run on a daily basis at Airtable. They also handle weekly dependency and security advisory scans as well as monthly endpoint scans.

Beyond these internal application security scans, Airtable leverages penetration testing to ensure the platform stays air-tight.

Before any app is deployed, all of the coding and configurations are thoroughly analyzed. This quality assurance step in the development process helps ensure a pleasant experience and security across all platforms, devices, and browsers supported by Airtable’s platform.

Information Security and Organizational Security

Airtable runs employee background checks and goes through a thorough vetting process to ensure their security staff is qualified. The employees must also complete annual security training sessions, covering a wide range of topics like password security, data privacy, and information security.

All of the workstations at Airtable have been configured with automatic locking, full-disk encryption, and robust password standards. Employees are not allowed to install any unauthorized software on workstations or use portable media devices.

It’s also worth noting that Airtable has separate environments for production and testing. They even work with people within the data security community to help identify potential security vulnerabilities through a bug bounty program.

Product Security

Within Airtable, you have the ability to manage user permissions at the base level or workspace level. These permissions give you the option to control who has access to bases or workspaces.

You can also restrict access to “base” and “view” share links using passwords or email domains. This helps ensure that someone with an access link can’t be added to your platform if they received the link in error.

The platform supports SAML-based SSO and extra administrative features for users on Airtable’s enterprise plan. You can also add two-factor authentication to the account if your team uses password-based authentication.

Here are some real-life examples showing how Airtable meets various security standards:

Example 1: FERPA Compliance

The Family Educational Rights and Privacy Act, better known as FERPA, is a US federal law enacted to protect student privacy. FERPA is designed to protect students’ educational records that are held by academic institutions, educational agencies, or any third party acting on behalf of an educational institution.

Any academic institution receiving funds from a US Department of Education program must comply with FERPA standards.

The privacy rights under FERPA are transferred from parents to students when that student turns 18 years old or continues education beyond high school.

It’s up to these academic institutions to assess FERPA compliance. Airtable supports this by offering SOC 2 Type II and ISO 27001 certifications.

Example 2: GDPR Compliance

The GDPR (General Data Protection Regulation) in the European Union was enacted to protect user privacy rights and give individuals control over their own data. If a company processes data for users in Europe, it must comply with GDPR security standards.

Airtable supports GDPR requirements by giving companies the tools required for data portability. It’s easy for you to permanently delete sensitive data or export the data from your bases to another location.

You can also request a DPA (Data Processing Agreement) from Airtable, which includes contractual clauses for GDPR-compliant data transfers. The DPAs are boilerplate, but Airtable users on an Enterprise account can request changes to the language and wording of the agreement.

Example 3: HIPAA Compliance (Not Compatible)

While Airtable has tons of great security measures built into the platform, I just want to quickly note that the software is not HIPAA compliant.

Lots of organizations in the healthcare field and medical industry use Airtable to manage business processes, workflows, research, and more. However, those users do not use the platform to store Personal Health Information (PHI) from patients. Airtable does not sign HIPAA business associate agreements (BAA) either.

How to Get Started With Airtable Security

If you’re using Airtable for the first time and want to make sure your use case is secure, just follow the tactical steps outlined below. These steps are also relevant for existing Airtable users who want to beef up their security.

Step 1: Manage User Permissions

As you’ve seen so far, Airtable already has tons of built-in security measures to keep your applications and data safe. But each time you onboard a user, you can control your security at a higher level by customizing their permissions.

This ensures that only certain people have access to information, and only certain users can edit or change information within your bases.

Whenever you add a collaborator, you’ll have the option to add them on a workspace level or a base level. Workspace collaborators have access to everything within that workspace at the permission level they’ve been assigned. Base collaborators only have access to the specific base, again at their assigned permission level.

There are four main types of users within Airtable—read-only, commenters, editors, and owners/creators. These are listed in order from most restrictive to least restrictive.

Here’s a more in-depth overview of the user types in base-level collaboration and the base actions they’re allowed to complete:

Read-Only Users

  • Access and ability to view the entire base
  • View automation configuration
  • Copy automation URL

Commenters

  • All Read-Only permissions
  • Ability to comment on records
  • Add, delete, and modify personal views

Editors

  • All Commenter permissions
  • Ability to add, delete, and modify records
  • Ability to add, delete, and modify all views
  • Create or remove view share links
  • Ability to create or remove sync view share links
  • Manual sync permissions (sync now)
  • Ability to configure settings within an app

Owners and Creators

  • All Editor permissions
  • Lock and unlock views
  • Delete personal views of other collaborators
  • Add, delete, and rename custom fields
  • Add, delete, and rename tables
  • Ability to rename the base
  • Ability to create or remove a base collaborator invitation link
  • Create, delete or duplicate automations
  • Configure automations (enable, edit actions, edit triggers, add action types, etc.)
  • Ability to rename automations
  • Edit automation description permissions
  • Ability to create or delete synced tables
  • Ability to update synced configurations
  • Ability to create an app
  • Ability to rename an app, edit an app description, or move apps to different dashboards
  • Delete, disable, duplicate, and share apps
  • Add, delete, and rename app dashboards

For workspace-level collaboration, there are only two types of users—owners and creators.

Creators can rename the workspace, add and delete bases, rearrange bases, and move a base from one workspace to another. Owners have all creator action permissions, plus access to the billing settings, including the ability to upgrade a workspace. An owner can also grant owner permissions to another user, meaning workspaces can have multiple owners.

Step 2: Run Internal Security Audits

It’s in your best interest to audit your data security practices within Airtable. This audit will go beyond Airtable’s existing security settings and focus more on your own organizational-level controls.

An audit forces you to look for potential vulnerabilities and security leaks. Maybe you’ve discovered that external users have access to data or workspaces in Airtable that go beyond their required use case. Or maybe you’ll find gaps in your password management practices for employees.

Once you’ve completed the audit, you need to prioritize which concerns need to be addressed first. Then it’s just a matter of making the necessary adjustments to patch up any leaks.
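
An added example (not from Airtable or the original article) of one check such an audit can include: it reads a collaborator inventory and flags external users whose access exceeds policy, using the permission order from Step 1. The CSV layout, the sample rows, the `audit_collaborators` function, and the default policy (external users capped at commenter) are assumptions for illustration.

```python
import csv
import io

# Permission levels from most to least restrictive, as listed in Step 1.
LEVELS = ["read-only", "commenter", "editor", "creator", "owner"]

# Constructed inventory; this column layout is an assumption, not an Airtable export format.
SAMPLE_INVENTORY = """email,scope,resource,permission
ana@example.com,workspace,Marketing,owner
raj@example.com,base,Campaigns,editor
lee@vendor.test,base,Campaigns,editor
kim@vendor.test,workspace,Marketing,creator
pat@partner.test,base,Press Kit,read-only
joe@example.com,workspace,Marketing,owner
"""

def audit_collaborators(inventory_csv, internal_domains, max_external="commenter"):
    """Return (email, resource, reason) findings for grants that exceed policy."""
    limit = LEVELS.index(max_external)
    findings, owners = [], {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        email = row["email"].strip().lower()
        domain = email.rsplit("@", 1)[-1]
        level = row["permission"].strip().lower()
        scope = row["scope"].strip().lower()
        if level not in LEVELS:
            findings.append((email, row["resource"], "unknown permission level"))
            continue
        external = domain not in internal_domains
        if external and scope == "workspace":
            # Workspace collaborators reach every base in the workspace.
            findings.append((email, row["resource"], "external workspace-level access"))
        elif external and LEVELS.index(level) > limit:
            findings.append((email, row["resource"], f"external {level} exceeds {max_external}"))
        if level == "owner":
            owners.setdefault(row["resource"], []).append(email)
    for resource, emails in owners.items():
        if len(emails) > 1:
            # Owners can change billing and grant owner rights, so list them for review.
            findings.append((", ".join(emails), resource, "multiple owners"))
    return findings

if __name__ == "__main__":
    for finding in audit_collaborators(SAMPLE_INVENTORY, {"example.com"}):
        print(" | ".join(finding))
```
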

If your internal audit discovers any security-related issues with Airtable itself, you can report the problem through Airtable’s HackerOne Bug Bounty Program. Here’s an overview of the rewards for each bounty level:

  • Low — $200
  • Medium — $400
  • High — $750
  • Critical — $3,500

To date, the program has paid over $78,600 in total bounties. Obviously, your security is more important than getting extra cash. But this is still a nice incentive for you to consider.

Step 3: Back Up Your Airtable Bases

In the event of a data breach or leak, you’ll want to make sure that your data is fully backed up. There are several ways to do this within Airtable.

First, you can create manual backups for your bases in Airtable. Just save a copy of the tables in your bases and manually export them as a CSV file. From here, you can move them to a cloud storage system, local server, or third-party database for backups.

You can also sync your Airtable data with a third-party backup system. This allows you to create automated backup schedules for your tables and bases. Once this connection has been established, you won’t have to worry about manual backups or exports.
