Security

Customer data stays in your infrastructure

Emban runs three kinds of request through three different auth paths, and applies tenant scoping at the storage engine level so a bug in application code can't leak another customer's data. This page is the buyer-facing summary; full implementation details live in the docs.

How it works

Six load-bearing security primitives

These are what evaluators usually want to confirm before shipping Emban to production customers.

Tenant isolation enforced at the storage layer

Every row carries an org_id and every query runs with ClickHouse additional_table_filters pinning the caller's org and environment. The filter applies inside subqueries, UNIONs, and CTEs — there is no SQL a user can write to bypass it. A missing WHERE clause in application code cannot leak data.

Signed embed sessions, not shared secrets

Customer-facing embeds authenticate via HS256-signed JWTs minted server-side from your admin API key. The token encodes the org, tenant, dashboard, and any locked filters; TTL is 1–24 hours (1h default). Expired tokens are rejected at the edge. Browsers cannot pick another tenant — the token carries the scope.

Locked filters and hidden widgets per session

Embed permissions let you publish a single dashboard with different views per customer cohort. Lock dimensions, restrict periods, hide widgets, or disable drill-down — all enforced server-side from the JWT, not from client code.
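A sketch of how an HS256 embed session token can carry scope and locked filters and be checked server-side, as described in the two sections above. This is an added example, not Emban's code: the claim names, the key, and the fallback to 1h for an out-of-range TTL are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Claims struct {
	Org, Tenant, Dashboard string            // field names are assumptions
	Locked                 map[string]string // filters the server enforces
	Exp                    int64             // expiry, Unix seconds
}
const header = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" // base64url of {"alg":"HS256","typ":"JWT"}

func sign(key []byte, msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Mint runs server-side; a TTL outside 1-24h falls back to the 1h default (assumed).
func Mint(key []byte, c Claims, ttl time.Duration, now time.Time) string {
	if ttl < time.Hour || ttl > 24*time.Hour {
		ttl = time.Hour
	}
	c.Exp = now.Add(ttl).Unix()
	body, _ := json.Marshal(c)
	msg := header + "." + base64.RawURLEncoding.EncodeToString(body)
	return msg + "." + sign(key, msg)
}

// Verify pins the header to HS256, compares the MAC in constant time, then checks expiry.
func Verify(key []byte, tok string, now time.Time) (c Claims, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || p[0] != header || !hmac.Equal([]byte(sign(key, p[0]+"."+p[1])), []byte(p[2])) {
		return Claims{}, fmt.Errorf("bad header or signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(p[1])
	if err != nil || json.Unmarshal(body, &c) != nil || now.Unix() >= c.Exp {
		return Claims{}, fmt.Errorf("bad payload or expired")
	}
	return c, nil
}

func main() { fmt.Println(Verify([]byte("constructed-key"), Mint([]byte("constructed-key"), Claims{Tenant: "t1"}, 0, time.Now()), time.Now())) }
```

Because the query layer reads tenant and locked filters only from the claims Verify returns, a browser that edits the payload invalidates the signature instead of changing its scope.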

Full audit log of every action

Logins, dashboard publishes, widget edits, embed session creation, ad hoc SQL, key issuance — all recorded with the actor identity, target entity, and metadata. The audit log is exported on demand and retained for the lifetime of the org.

Self-hosted boundary

Emban is a single Go binary that runs next to your ClickHouse — same VPC, same VPN, same bare-metal host if you like. Customer event data never leaves your infrastructure. We don't operate a hosted plane that proxies your queries.

No per-viewer licensing — no usage backdoor

Pricing is on tenants and events, not viewers. There is no telemetry channel that counts your end-users back to us, no impression beacon, no shadow analytics. Your customer activity is yours.

Compliance posture

Where we stand on certifications

Honest snapshot. We tell you what's done, what's planned, and what we expect you to bring.

SOC 2 Type II
Planned

Targeting Q3 2026. Available earlier under Enterprise contract on request.

GDPR
Compatible by design

Self-hosted means your data never leaves your jurisdiction. Acts as data processor for telemetry only; you remain controller of customer data.

Encryption
TLS in transit

All API and embed traffic is HTTPS. At-rest encryption is whatever your ClickHouse / Postgres deployment provides — disk-level for managed services, configurable for self-managed.

Password storage
bcrypt

Admin console passwords are bcrypt-hashed at default cost. Raw passwords are never logged or stored. API keys are SHA-256 hashed at rest with an 8-char prefix retained for identification.

Reporting

Found something? Tell us privately.

We'd rather hear about a vulnerability from you than from a customer. Email security@sidelabs.dev with the details. We'll acknowledge within one business day and keep you looped in until it's resolved.