We've been in enough security review calls to spot a pattern. When engineering leads evaluate embedded analytics platforms, they're not asking for a compliance checklist. They're asking: "What happens when something goes wrong?"
The real security conversation isn't about which standards you support. It's about whether your platform's security architecture will hold up when you're serving 10,000 customers with different data access requirements, when a developer accidentally exposes sensitive data, or when a compliance audit catches you off guard.
Security is the foundation. Everything else (speed, features, cost savings) means nothing if your customers' data isn't protected.
The Security Questions Engineering Teams Actually Ask
The first question in most security reviews isn't technical. It's practical: "How do we prevent Customer A from seeing Customer B's data?"
This is the multi-tenancy problem. Your SaaS platform serves multiple customers, each with their own data, their own users, their own access requirements. One misconfigured query, one missing WHERE clause, and you've created a data breach. That single missing filter is exactly the kind of broken access control the OWASP Top 10 ranks as the number-one web application risk.
The stakes are real. GDPR fines can reach €20M or 4% of annual revenue. A single data breach destroys customer trust that took years to build. Your engineering team knows this. That's why security reviews happen before feature discussions.
The second question is about authentication: "Do we have to change how our users authenticate?" Good platforms work with your existing authentication system through secure token exchange. Complex platforms force you into proprietary authentication flows that create deployment delays and vendor lock-in.
The third question cuts to implementation: "How complex is the setup?" Security that requires weeks of configuration and custom code introduces human error. The best security is security that's built-in, not bolted on.
Multi-Tenant Isolation: The Foundation Layer
Multi-tenant architecture isn't just about data separation. It's about ensuring that no matter how your developers write queries, no matter how users interact with dashboards, the platform enforces data boundaries automatically.
Token-based authentication is the first layer. Every embedded dashboard request includes a secure token that identifies which customer's data to access. The platform validates this token before executing any query, before rendering any chart, before returning any data. This maps directly to the OWASP API Security Top 10 guidance on broken authentication and broken object-level authorization.
But tokens alone aren't enough. The platform needs architectural isolation: separate data contexts, query execution sandboxes, and row-level security enforcement through query filtering.
Common pitfalls happen when platforms rely solely on application-level checks. A developer writes a dashboard query that accidentally omits the customer filter. Without automatic enforcement, that query returns data for all customers. Multi-tenant isolation prevents this at the architecture level.
The question to ask vendors: "If a developer forgets to add a customer filter in their query, what happens?" The right answer is: "The platform enforces it anyway through token-based data context."
Authentication Without Complexity
How the analytics integrate with your application matters for security. The key is how authentication tokens are managed and validated.
Token-based integration works with your existing authentication. Your application generates a secure token identifying the authenticated user and their data access scope. The analytics platform validates this token and enforces the corresponding security context. Your existing authentication system handles user identity. Your existing authorization rules control data access.
This approach avoids forcing you into a new authentication system. The platform receives signed tokens from your backend, validates them cryptographically, and applies the appropriate data filters automatically. Standard token validation means your security team already understands how it works.
The critical security boundary is data sovereignty. Your customer data never leaves your infrastructure. The platform queries your database directly using the security context from your tokens, but the data itself stays in your systems. This architecture matters for compliance reviews. Auditors can verify that customer data remains under your control.
When compliance requirements prohibit any external processing, this architecture provides proof that sensitive data never transits through third-party systems. The analytics run in-browser, the queries execute against your database, and the data flow stays within your security perimeter.
Row-Level Security That Actually Works
Row-level security (RLS) sounds simple: users only see data they're authorized to access. Implementation complexity is where most platforms fail.
Here's what RLS actually means in practice. Your SaaS serves a marketing automation platform. Customer A should only see their campaign data, their email lists, their conversion metrics. Customer B should only see theirs. Within Customer A, the account owner sees everything, but team members see only their assigned campaigns.
Some platforms require you to write custom security logic for every query, every dashboard, every chart. Others require learning proprietary security languages that only work within their ecosystem. Both approaches create maintenance burden and increase error risk.
The right approach: security rules defined once, enforced automatically across all analytics. The platform intercepts every query, applies the appropriate security context based on the authenticated user's token, and filters data through query-level enforcement before returning results. The same principle is covered in the iframe vs SDK trade-offs when you weigh same-origin against isolated rendering.
The Embedded Analytics Security Checklist
Use this as the evaluation checklist in your next vendor security review. Each control maps to a recognized risk category from the OWASP Top 10 or OWASP API Security Top 10.
| # | Security control | What it prevents | Risk category |
|---|---|---|---|
| 1 | Multi-tenant isolation enforced at the architecture level | Cross-tenant data leakage | OWASP A01 Broken Access Control |
| 2 | Token-based auth with cryptographic signature validation | Authentication bypass | OWASP API2 Broken Authentication |
| 3 | Row-level security via query filtering (not app code) | Missing-filter data exposure | OWASP A01 |
| 4 | Mandatory customer-scope filter injected by the platform | Developer error exposing all tenants | OWASP A04 Insecure Design |
| 5 | Encryption in transit (TLS 1.2+) | Traffic interception | OWASP A02 Cryptographic Failures |
| 6 | Encryption at rest | Storage-compromise exposure | OWASP A02 |
| 7 | Read-only database connections | Data modification or exfiltration | OWASP A04 |
| 8 | Audit logging of every query and data access | Undetected breach / failed audit | OWASP A09 Logging Failures |
| 9 | CSP frame-ancestors + X-Frame-Options on embeds | Clickjacking and XSS | OWASP A03 Injection |
| 10 | No customer data stored in third-party systems | GDPR data-residency violations | OWASP A08 Data Integrity |
| 11 | Automated patching of platform dependencies | Known-CVE exploitation | OWASP A06 Vulnerable Components |
| 12 | SOC 2 Type II + GDPR readiness as built-in outcomes | Repeated re-reviews and audit delays | Compliance baseline |
Compliance: Built-In, Not Bolted On
SOC 2 Type II compliance matters. GDPR readiness matters. But these aren't checkboxes you add after building your security architecture. They're outcomes of building security correctly from the start.
Platforms with security built in from the start typically include:
- Multi-tenant isolation by default (not as an add-on feature)
- Automated security updates without manual patching
- Audit logs covering every data access for compliance review
- Data encryption at rest and in transit as standard
The data sovereignty model becomes critical during compliance audits. When customer data never leaves your infrastructure (queries execute against your database, results render in-browser, and no third-party storage occurs), you can prove to auditors that sensitive information remains under your control.
Security built-in means your compliance team reviews the platform once, approves it once, and trusts it across all deployments. Security bolted on means constant re-reviews, edge case discoveries, and deployment delays when new requirements emerge.
Security determines whether your embedded analytics succeed or fail. Fast deployment, beautiful dashboards, and cost savings all depend on a foundation of strong security that works automatically, integrates cleanly with your existing systems, and scales without introducing complexity.
Ready to launch customer-facing analytics?
Stop losing customers to competitors with better analytics. Sumboard's customer-facing analytics platform lets you launch self-service dashboards in days, not months.
