Network & Security

OpenAnalyst is built with a security-first architecture. This page covers data encryption, compliance certifications, network requirements, firewall configuration, and IP whitelisting.

Security Architecture Overview

OpenAnalyst is designed on a zero-trust security model. The platform assumes that no network, user, or device is inherently trusted, and enforces authentication and authorization at every layer. All components run in isolated, single-tenant environments for Pro and above plans, and in a hardened multi-tenant environment for Free and Basic plans.

The security architecture is built around four pillars: encryption at every boundary, least-privilege access controls, continuous audit logging, and regular third-party penetration testing.

Data Encryption

In Transit

All data transmitted between your browser and OpenAnalyst's infrastructure is encrypted using TLS 1.3. Older TLS versions (1.0, 1.1, 1.2) are disabled on all endpoints. HTTP connections are automatically redirected to HTTPS. Certificate management uses automated rotation through a trusted certificate authority with HSTS (HTTP Strict Transport Security) headers enforced.

Connections from OpenAnalyst to your data sources also use TLS wherever supported. For database connectors, OpenAnalyst enforces sslmode=require or equivalent by default. You can optionally require SSL client certificates for additional mutual authentication.

At Rest

All data stored by OpenAnalyst — including connection credentials, query results in cache, uploaded files, dashboard configurations, and audit logs — is encrypted at rest using AES-256-GCM. Encryption keys are managed through a dedicated key management service (KMS) and are rotated automatically on a 90-day cycle.

Connection passwords and API credentials are stored in an encrypted vault using envelope encryption: a data encryption key (DEK) encrypts the credential, and a key encryption key (KEK) stored in KMS encrypts the DEK. The raw credential is never written to a general-purpose datastore.

Compliance

StandardStatusAvailability
SOC 2 Type IICertifiedAll plans (report available on request)
GDPRCompliantAll plans
CCPACompliantAll plans
HIPAA BAAAvailableEnterprise plan
ISO 27001In progressScheduled Q3 2026

Note: To request the SOC 2 Type II report or a Data Processing Agreement (DPA) for GDPR compliance, contact your account manager or email security@openanalyst.com.

SSO and SAML

OpenAnalyst supports Single Sign-On (SSO) via SAML 2.0, enabling enterprise customers to manage authentication through their existing identity provider (IdP). Supported providers include Okta, Azure Active Directory, Google Workspace, OneLogin, and any SAML 2.0-compliant IdP.

SSO configuration is available on the Pro plan and above. To configure SSO:

  1. Navigate to Settings > Security > SSO/SAML in your workspace.
  2. Copy the ACS URL and Entity ID values shown on the configuration page.
  3. In your identity provider, create a new SAML application using the ACS URL as the callback URL and the Entity ID as the audience URI.
  4. Map the following SAML attributes in your IdP:
    email         → user.email (required)
firstName     → user.firstName
lastName      → user.lastName
role          → openanalyst.role (optional: viewer | analyst | admin)
  5. Paste the IdP's Metadata XML or Metadata URL into the OpenAnalyst SSO configuration form and click Save and Test.

Tip: Enable Enforce SSO after confirming that SSO works correctly. This disables username/password login for all workspace members, requiring all access to go through your IdP. Workspace admins retain an emergency bypass code in case of IdP outage.

Network Requirements

OpenAnalyst is a SaaS product accessed entirely through the browser at app.openanalyst.com. There are no agent processes, desktop clients, or VPN requirements for end users. However, for OpenAnalyst to connect to your data sources, the following network conditions must be met:

  • Your data source must be reachable from OpenAnalyst's egress IP addresses (see below). This typically means either making the database publicly accessible with IP-based access control, or setting up a site-to-site VPN or private network peering.
  • For on-premise databases, the OpenAnalyst Network Bridge agent can be deployed inside your network. The bridge establishes an outbound-only, encrypted tunnel to OpenAnalyst — no inbound firewall rules required. Available on Pro and Enterprise plans.

Firewall Rules and IP Whitelisting

To allow OpenAnalyst to connect to your database, whitelist the following egress IP addresses in your firewall or security group:

# OpenAnalyst static egress IPs (add all to your allowlist)
52.14.88.201
52.14.88.202
52.14.88.203
52.14.88.204

# CIDR notation
52.14.88.200/29

Warning: IP addresses are subject to change with advance notice. Subscribe to the OpenAnalyst status page at status.openanalyst.com to receive notifications of infrastructure changes, including IP updates.

For cloud-hosted databases, the typical firewall configuration looks like this:

# AWS RDS Security Group - inbound rule example
Type:       PostgreSQL
Protocol:   TCP
Port:       5432
Source:     52.14.88.200/29
Description: OpenAnalyst connector

# Google Cloud SQL - Authorized Networks
Network:    52.14.88.200/29
Name:       openanalyst-connector

Data Residency

By default, OpenAnalyst processes and caches query results in the United States (AWS us-east-1). Enterprise customers can request data residency in the European Union (AWS eu-west-1) or other supported regions. Data residency configuration ensures that query result caches, audit logs, and workspace configuration data never leave the designated geographic region.