Enterprise Data Policies: Help? 😩

Hello, everyone!

Our organization has been using Airtable for a while, but it has recently spread like wildfire to all departments and teams. Now everyone is using it! 🥳

With that, though, comes the fear of what data is being shared and what policies should be put into place to protect any sensitive information without removing the option for people to share views publicly (which is why it’s so popular with us). We are working backwards and we are trying to implement security measures when originally there wasn’t much of a need.

We have our SSO policies in place and have set domain restrictions for a few things. What other ways can we prevent sensitive information from being shared? Does anyone have any policies or policy examples that they are willing to share?

Hi Reagan,

This is a great question/topic! Happy to share insights if you’re able/willing to share a bit more context to inform my response and others in this forum:

  • Which Airtable price plan/subscription does your organization use?
  • How many users?
  • Are there multiple instances or just one for all users?
  • Are you using user groups?
  • Have you done any auditing of workspaces/bases to determine who needs access to what?
  • Are you taking advantage of the workspace sharing restrictions?
1 Like

At a certain point, if people have the ability to share views publicly, you will have to educate and trust your people. Having to trust people is inherent in giving them access to the data. If someone has access to the data at all, that person can use non-Airtable features to send the data to unauthorized people.

However, even trusted people can accidentally share sensitive data because they don’t realize that the data contains sensitive information, they don’t realize that they shared the data with unintended people, or both.

So, you need to educate people and make it really easy for them to access data that they should have access to.

Here are some ideas:

  • For shared views, restrict access to the organization domain
  • Using data sets and verified data
  • Encouraging the use of shared interfaces instead of shared views
  • Have a specific person or team that knows Airtable really well as a resource, and have people use that person/team whenever creating new builds or shares.
  • Generic training on what is and is not considered sensitive information and what types of information may and may not be shared across departments, across the company as a whole, and publicly.
2 Likes

I’m sorry for the delay! All the notifications went to my junk inbox. 😩 Give me a second to type all of that out.

  • Which Airtable price plan/subscription does your organization use?
    We have an enterprise plan.

  • How many users?
    We have 403 active users.

  • Are there multiple instances or just one for all users?
    One for all users, if I understand your question.

  • Are you using user groups?
    Somewhat, but not appropriately. We have the feature turned on for anyone to create a user group, but only a couple of us know what a user group is.

  • Have you done any auditing of workspaces/bases to determine who needs access to what?
    No, and I wouldn’t even know where to begin.

  • Are you taking advantage of the workspace sharing restrictions?
    Yes. This is something that we understand very well.