Security Best Practices
This guide helps teams secure their Compass organization through proper configuration and operational practices.
Data Warehouse Security
Use Read-Only Service Accounts
Create a dedicated read-only service account for Compass with SELECT-only permissions.
- Create a new service account in your data warehouse
- Grant only SELECT permissions on tables Compass needs to access
- Do not grant DDL permissions (CREATE, ALTER, DROP)
- Do not grant DML permissions (INSERT, UPDATE, DELETE)
See Data Sources for warehouse-specific instructions.
Restrict Network Access
If your data warehouse supports network-level access controls, you can restrict access to known Compass IP addresses:
- 52.25.53.27
- 44.242.128.111
- 52.35.195.86
For Private Link/PrivateLink configuration on AWS/Azure/GCP, talk to an expert.
Slack Access Management
Compass runs in a dedicated Slack Connect workspace for your organization. Your workspace is not shared with other Compass customers—it's isolated to your organization only.
Channel-Based Data Access
Compass only has access to data that's connected to specific channels:
- The bot must be invited to a channel to access it
- Each channel can be configured with different warehouse connections
- Users only see data from channels they're members of
Best practices:
- Create separate channels for different teams or data domains
- Only invite users who need access to specific datasets
- Use private channels for sensitive data
See User Roles for details on role-based permissions.
Manage Admin Access
Organization Admins have full control over Compass configuration. Limit admin access to trusted users.
Recommendations:
- Have 2-3 admins for redundancy
- Review admin list quarterly
- Remove admin access when employees leave
See User Roles for managing admin status.
Context Management
Context documents contain business logic and terminology that Compass uses to answer questions. These documents are:
- Version controlled - Stored in GitHub repositories
- Organization-scoped - Completely isolated to your organization
- Admin accessible - Organization Admins have access to the GitHub repository
Best practices:
- Review context documents in the Admin UI regularly
- Remove outdated or incorrect context
- Ensure context doesn't contain sensitive information
See Context Management for details.
Monitoring and Alerting
Coming Soon: Built-in monitoring and alerting capabilities for Compass usage and query patterns.
In the meantime, you can monitor Compass activity through:
- Your data warehouse audit logs (queries from the Compass service account)
- Compass Admin UI (user activity and channel configuration)
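One way to use the warehouse audit-log route above, as an added example that is not part of Compass or its documentation: a Python check over constructed audit rows that flags any statement from the Compass service account that is not a read, or that arrives from an address outside the list under Restrict Network Access. The account name `compass_ro`, the record field names and the sample rows are assumptions; map them to your warehouse's audit schema.

```python
import ipaddress
import re

# Compass source addresses from "Restrict Network Access" on this page.
COMPASS_IPS = {ipaddress.ip_address(a) for a in
               ("52.25.53.27", "44.242.128.111", "52.35.195.86")}
SERVICE_ACCOUNT = "compass_ro"  # assumption: name of your read-only account
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE", "TRUNCATE",
               "CREATE", "ALTER", "DROP", "GRANT", "REVOKE"}
# String literals, quoted identifiers and comments can contain these words
# without executing them, so they are blanked out before the keyword scan.
NOISE = re.compile(r"""'(?:[^']|'')*'|"(?:[^"]|"")*"|--[^\n]*|/\*.*?\*/""", re.S)

def write_verbs(sql):
    """Return the DML/DDL keywords that appear as bare tokens in a statement."""
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", NOISE.sub(" ", sql).upper())
    return sorted(WRITE_VERBS.intersection(tokens))

def audit(records, account=SERVICE_ACCOUNT, allowed=COMPASS_IPS):
    """Return (record id, reason) pairs for the account's suspicious rows."""
    findings = []
    for rec in records:
        if rec["user"] != account:
            continue
        if ipaddress.ip_address(rec["client_ip"]) not in allowed:
            findings.append((rec["id"], "unexpected source " + rec["client_ip"]))
        verbs = write_verbs(rec["sql"])
        if verbs:
            findings.append((rec["id"], "non-read statement: " + ", ".join(verbs)))
    return findings

# Constructed audit rows (assumed field names), not real log data.
SAMPLE = [
    {"id": 1, "user": "compass_ro", "client_ip": "52.25.53.27",
     "sql": "SELECT region, sum(amount) FROM sales GROUP BY 1"},
    {"id": 2, "user": "compass_ro", "client_ip": "52.35.195.86",
     "sql": "SELECT 'drop table x' AS note, updated_at FROM orders -- delete later"},
    {"id": 3, "user": "compass_ro", "client_ip": "44.242.128.111",
     "sql": "WITH old AS (SELECT id FROM orders) DELETE FROM orders WHERE id IN (SELECT id FROM old)"},
    {"id": 4, "user": "compass_ro", "client_ip": "203.0.113.9",
     "sql": "select * from customers"},
    {"id": 5, "user": "etl_writer", "client_ip": "10.0.0.5",
     "sql": "INSERT INTO sales VALUES (1)"},
]

if __name__ == "__main__":
    for rec_id, reason in audit(SAMPLE):
        print(rec_id, reason)
```

A flagged write that succeeded means the account holds more than SELECT; one that the warehouse denied still shows that something attempted it through the Compass credentials.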
Compliance
Data Residency
Compass infrastructure runs in US regions. If you have data residency requirements, talk to an expert to discuss options.
Custom Retention Policies
Custom retention policies are available on our Pro plan. Talk to an expert to discuss your retention requirements.
Data Processing Agreements
If your organization requires a Data Processing Agreement (DPA) or Business Associate Agreement (BAA), talk to an expert.
Reporting Security Issues
If you discover a security vulnerability in Compass, please email vulnerability@dagsterlabs.com.
Additional Resources
- Security Overview - Technical security details
- User Roles - Role-based access control
- Admin UI - Managing your Compass organization
- Data Sources - Warehouse connection guides
Need Help?
- Security Questions: security@dagsterlabs.com
- General Questions: Talk to an expert
- System Status: Compass Status Page