SOC 2 Type 2 Compliant


Architected for data security from the start

Looker’s data platform sits on top of your existing database, using a secure connection to query your data warehouse directly. Looker writes a query to access the data needed to answer your question, returns the result, and stores the answer in a short-lived cache (which is cleared after 30 days, or when the amount of data in cache hits 2 GB). If you prefer, you can also take additional steps to reduce the amount of time that query results are held in cache.

Because Looker provides a single point-of-access for your data, you can establish a robust data governance infrastructure, giving everyone within your company the ability to answer their own questions, while keeping data sprawl to a minimum and access to sensitive information restricted. Administrators can set granular permissions by user or group, and can restrict data access from the database level all the way down to the row or column level.

Administrators can build robust business intelligence data governance that results in a secure experience for their users.

Your data stays in your control

Looker is built to ensure that your data is safe and secure by limiting movement of data.

Leverage Your Database’s Security Protocols

Unlike other business intelligence platforms that encourage you to pull your data out to analyze it, Looker generates SQL that directly queries your database.

Data Availability, Not Data Storage

Looker uses a read-only connection to access the minimum amount of data needed to answer your questions and only returns the relevant result set. That means less data duplication and no long-term storage of sensitive data on local machines, while leveraging the full power of your existing database security model.

Data governance from the bottom up

Self-service shouldn’t come at the expense of data governance.

Secure User Access and Management

Looker makes it easy for administrators to control users’ access from the database level down to the field level.

Configuration Made Easy

Application permissions, data access, and content access can be set manually in the application, programmatically via Looker’s API, or can be inherited directly from your existing single sign-on authentication protocols.

Enterprise-grade feature set

Authenticate Your Way

Looker’s business intelligence platform comes standard with enterprise-grade features including two-factor authentication, SAML-based single sign-on (supporting SAML, OneLogin, and Google Apps), and team management to keep Looker access secure and up-to-date.

Industry-Standard Data Security Encryption

Looker uses industry-standard AES encryption to secure cached data stored at rest, and the TLS protocol to secure network traffic between users’ browsers and the platform.

Tools to Secure Your Database Connection

Looker offers many options for securing connections to your database, including IP Whitelisting, SSL, SSH, PKI, and Kerberos authentication.

Deployment options for every customer

Looker provides deployment options to fit every situation.

The Freedom to Own Your Instance

Looker can host your platform in our secure, single-tenant cloud; you can host Looker in your own Virtual Private Cloud; or you can host Looker on-premise.

Extensive Support for Database Connections

The Looker application securely connects to 34 (and counting) different SQL and SQL-on-Hadoop dialects and uses industry-standard Git version control (that Looker can manage for you, or you can manage with any Git server that can use SSH authentication).

Comprehensively monitored and fully auditable

Because Looker’s data platform provides a single point of contact for employees’ work with your enterprise’s data, it’s far easier to keep track of exactly who accessed what, when, and what they did with it.

Easily Monitor Usage and Track Development

Looker logs every interaction so administrators can audit usage and easily set up scheduled reports and alerts. And because Looker’s data model is version-controlled, you can also track when metric definitions have changed, who changed them and why.

Easy Configuration of Support Access

Looker monitors and regularly audits company support technicians’ access to your instance (and as of Looker release 4.22, you'll be able to easily turn that access on or off).

Our shared security partnership

Looker connects to your organization’s database, and is designed to leave your data in that database. Because Looker connects to technology that you are responsible for maintaining, security becomes a shared responsibility between Looker and you.

Application Data Collected by Looker

While there is no permanent storage of your data in the Looker application, by default, the application passes the following information back to us to perform license validation and enhance the service. For an on-premise deployment, these can be blocked as required to meet your specific security requirements.

License checks

License information, including the number of users, roles, and database connections

Basic usage

URLs accessed, time of access, and browser type


Encrypted backups of the Looker instance’s database, which includes saved Looks, query history, and user settings

Error emails

Errors from Looker servers are generated for Engineering’s use to diagnose and improve the product (note that passwords and other private information are filtered out)

User admin emails

Mail generated from looker@looker.com provides new account welcome emails, forgotten password reset links, and scheduled data delivery. If preferred, you can configure these emails to use your own SMTP service instead

Support tickets

Support is provided on demand via an embedded chat client service through Zendesk

NOTE: By default, Looker stores models in a secured GitHub repository.

Looker’s Responsibilities

Cloud Security

Looker uses Amazon EC2 and other hosting providers to offer industry-standard security, availability and durability of hosted Looker implementations.

Product Security

Looker is responsible for ensuring that the code quality for the Looker application is developed according to industry-wide best practices for software development, and is regularly tested for vulnerabilities.

Corporate Security

Looker is responsible for educating and disseminating security best practices throughout its organization, and ensuring that Looker’s ancillary applications, systems, and networks are securely configured and monitored.

Physical Security

Looker is responsible for monitoring the Looker corporate facilities, and ensuring that both offices and hardware are protected.

Your Responsibilities

Cloud Security

You are responsible for configuring secure access between the Looker application and your database. Looker provides extensive recommendations on how to do this, including:

  • Enabling secure database access using tools like IP whitelisting, SSL/TLS encryption, and SSH tunneling

  • Setting up the most locked-down database account permissions for Looker that still allow it to perform needed functions

Product Security

You are also responsible for controlling access and permissions for users of your Looker instance within your company. Looker recommends:

  • Setting up user authentication using either a native username/password option or, preferably, using a more robust authentication mechanism like 2FA, LDAP, Google OAuth, or SAML

  • Setting up the most restrictive user permissions and content access that still allow people to carry out their work, paying special attention to who has admin privileges

  • Setting up any API usage in a secure way

  • Regularly auditing any public access links your users create and restricting the permission to create them, as necessary

Cloud Security Architecture

Looker hosts its software on AWS Cloud Services, which means that as a Looker customer, you’ll inherit the robust standards of cloud security maintained by AWS, which Looker builds on top of for its own security best practices. Looker also uses industry best practices for the development and testing of the Looker application, ensuring that code quality meets our standards before becoming part of a Looker release.

Cloud Infrastructure

AWS facilities

The Looker application is managed on AWS Facilities which comply with over 50 data security certifications, regulations, and frameworks. Physical security is managed by AWS, with facilities monitored by video surveillance, and intrusion detection systems.

Physical separation of data

The Looker application is hosted in a single-tenant environment physically separating the instances of Looker customers from each other. The Looker application is hosted in a single tenant AWS Availability Zone (AZ) environment by default. If you have specific availability needs, you can contact your Account Manager to request implementing the application in a cluster configuration.

Data Security Architecture

Looker follows AWS best practices for security architecture. Proxy servers secure access to the Looker application by providing a single point to filter attacks through IP blacklisting and connection rate limiting.

Redundancy

Looker employs a Cloud-based distributed backup framework for Looker-hosted customer servers.

Availability and durability

The Looker application can be hosted in a variety of different AWS data centers across the globe.

Monitoring & Authentication

Access to a customer’s back-end servers

Access to Looker-hosted back-end environment requires approval and multiple layers of authentication.

Access to a customer’s Looker application

Employee access to customer Looker instances is provided in order to support a customer's needs. Access requires approval and multiple layers of authentication. Additionally, customers can control all access from Looker to their application via a Support toggle.

Monitored user access

Access to your Looker environment is uniquely identified, logged, and monitored.

Network and application vulnerability scanning

Looker’s front-end application and back-end infrastructure are scanned for known security vulnerabilities at least monthly.

Centralized logging

Logs across the Looker production and corporate environments are collected and stored centrally for monitoring and alerting on possible security events.

Reputation monitoring/threat intelligence

Collected logs and network activity are checked against commercial threat intelligence feeds for potential risks.

Anomaly detection

Anomalous activity, like unexpected authentication activity, triggers alarms.

Data Security Encryption

AES encryption

Sensitive application data stored locally, including database connection configurations and cached query data, is encrypted and secured using AES encryption.

Secure credential storage & encryption

Native username and passwords are secured using a dedicated password-based key derivation function (bcrypt) with hashing and salting.

TLS encryption

Data in transit is encrypted and secured from the user's browser to the application via TLS.

SSL / SSH encryption

Looker enables you to configure your database connection via encrypted TLS or SSH.

Product Security


Code development

Code development is done through a documented SDLC process which includes guidance on how code is tested, reviewed, and promoted to production.

Peer review and unit testing of code

Code is peer reviewed before being committed to the master code branch of the Looker application. Functional and unit tests are performed using automated tools.

Routine developer training

Developers are regularly trained on secure coding practices.

Code quality tests

Looker utilizes automated tests specifically targeting injection flaws, input validation, and proper CSRF token usage.

Regular third-party penetration testing

Looker performs regular third-party penetration tests against the Looker application and hosted environment.

Single sign on

Looker provides SAML-based single sign on for users, offering support for SSO solutions from Google Apps, OneLogin, and SAML.

LDAP authentication

Looker provides the ability to authenticate users based on Lightweight Directory Access Protocol (LDAP), enabling administrators to link LDAP groups to Looker roles and permissions.

Two-Factor authentication

Looker provides the ability to use two-factor authentication via Google Authenticator.

Responsible disclosure

Looker embraces the security community and operates a responsible disclosure program to facilitate security vulnerability reporting.

Security due diligence of third-party service providers

All third-party service providers go through an annual security review. For in-app guides, Looker serves the JavaScript of the third-party software (Pendo). The individual guides are vetted and whitelisted by Looker. When fetching a guide from Pendo, Looker validates that the guide is unchanged using SHA-256 integrity hashes. If there are any changes to the guide after Looker’s review, Looker prevents use of the changed guide.
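The hash-pinned review described above can be sketched as follows. This is an added example, not Looker's or Pendo's code; the guide ids, guide bodies, and function names are hypothetical, and the digest format follows the common `sha256-<base64>` integrity convention as an assumption.

```javascript
// Added illustration: hash-pinned allowlist for third-party guide content.
// Guide ids, guide bodies and function names are hypothetical.
const crypto = require("node:crypto");

// SHA-256 digest of the exact content, in "sha256-<base64>" form.
function integrityOf(content) {
  const digest = crypto.createHash("sha256").update(content).digest("base64");
  return `sha256-${digest}`;
}

// Review step: record the digest of each guide exactly as it was vetted.
function buildAllowlist(reviewedGuides) {
  const allowlist = new Map();
  for (const [guideId, content] of Object.entries(reviewedGuides)) {
    allowlist.set(guideId, integrityOf(content));
  }
  return allowlist;
}

// Fetch step: accept a guide only if it is known and its content is unchanged.
function verifyGuide(allowlist, guideId, fetchedContent) {
  const expected = allowlist.get(guideId);
  if (expected === undefined) {
    // Fail closed: a guide that was never reviewed is never served.
    return { ok: false, reason: "guide not on allowlist" };
  }
  const a = Buffer.from(expected);
  const b = Buffer.from(integrityOf(fetchedContent));
  // timingSafeEqual requires equal lengths, so check that first.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) {
    return { ok: false, reason: "content changed after review" };
  }
  return { ok: true, reason: "matches reviewed digest" };
}

// Constructed sample data: one reviewed guide and a later, modified copy.
const reviewed = {
  "guide-welcome": '{"title":"Welcome","steps":["Open a Look"]}',
};
const modified =
  '{"title":"Welcome","steps":["Open a Look","Visit example.invalid"]}';
const allowlist = buildAllowlist(reviewed);

console.log(verifyGuide(allowlist, "guide-welcome", reviewed["guide-welcome"]));
console.log(verifyGuide(allowlist, "guide-welcome", modified));
console.log(verifyGuide(allowlist, "guide-unreviewed", modified));
```

Because the digest covers every byte, any edit to a guide after review, including whitespace, requires a new review before it is served again.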

Corporate Security

Looker has robust security protocols that are meant to secure the Looker Office premises and materials that contain sensitive information. Looker also invests in properly vetting and training staff to ensure that there is an organization-wide appreciation for data security.

For more information about how we work with your data, see Looker's Privacy Policy.

Personnel & Third Parties

Security organization

Led by the Chief Security Officer (CSO), Looker has established a dedicated information security function responsible for security and data compliance across the organization.

Policies and procedures

Looker maintains various security policies that are communicated and approved by management to ensure everyone clearly knows their security responsibilities.

Background checks

New contractors and employees are required to pass a background check and sign confidentiality agreements.

Security awareness education

Looker new-hires complete security training as part of the entry into the organization. Employees receive routine security awareness training and confirm adherence to Company security policies. Looker employees are reminded of security best practices through informal and formal communications.

Vendor management

Looker maintains a vendor management program to ensure that third-parties comply with an expected level of security controls.

Risk management

Looker maintains a robust security risk management program. Our CSO chairs our internal quarterly Security Steering Committee.

Incident Response


Looker’s Security and Operations team is available 24/7 to respond to security alerts and events.

Policies and procedures

Looker maintains a documented incident response plan.

Incident response training

Employees are trained on security incident response processes, including communication channels and escalation paths.

Looker Premises and Hardware

Monitoring and secure access to Looker offices

Looker offices are protected by security measures including badge access and security cameras. By policy, employees are required to escort guests inside the Looker offices.

Laptop protection

Looker uses a combination of endpoint management tools to monitor, patch, and protect its laptop population. Laptops have encrypted hard drives and are protected with a sign-on password. Also, an AV/HIDS solution is installed on laptops to protect against malware and monitor for possible security events.

Data Security, Privacy & Compliance

One of the priorities of Looker’s security practices is to ensure that use of your data is transparent, safe, and respectful. To that end, Looker maintains a Compliance team to perform regular assessments and ensure that risks are appropriately being mitigated and that controls are designed and operating correctly.

Please consult Looker’s Privacy Policy if you don't see your question answered here.

Data Security & Compliance

Healthcare data security compliance

Looker customers include HIPAA Covered Entities and Business Associates. Since Looker doesn’t extract your data, we don’t categorize data as sensitive, personal health information or according to other schemas. Instead, we handle all data according to the same security standards. Looker will assist you to carry out HIPAA-related security obligations & compliance, which can include executing Business Associate Agreements as needed.

SOC 2 Type 2 and other compliance

Looker’s SOC 2 Type 2 report is available, upon request, for review by existing customers. As the information is confidential, we require an NDA for prospective customers and other entities to review the report. Looker is also directing its attention to PCI, HIPAA, ISO, and other compliance efforts.

Cloud Security Alliance (CSA) STAR Assessment

Looker has completed the CSA's "Consensus Assessments Initiative Questionnaire (CAIQ)", which provides a set of questions a cloud consumer may wish to ask of Looker to ascertain their compliance to the Cloud Controls Matrix and CSA best practices. It is available for download here and will be updated periodically.

Data Privacy

EU Compliance & GDPR Compliance

Looker has many customers in the European Economic Area and will work with you to assure database compliance with Personal Data handling requirements and cross-border transfer requirements under the EU Privacy Directive, and the new General Data Protection Regulation (GDPR), effective beginning May 2018.

Determine where Looker is hosted

Looker lets you determine where your Looker is to be hosted. Currently your Looker hosted instance can reside in the US, Japan, Ireland, Australia, or Brazil. If our hosted environment does not meet your specific needs, our software can be implemented on-premises.
