Airtable processed a data exposure in December 2022 when a third-party analytics vendor leaked customer email addresses. Airtable itself was not breached, but the incident highlighted what many teams building on Airtable miss: the platform's security is solid at the infrastructure level, but the access model has sharp edges that require active configuration.
This review covers what Airtable does well, where it falls short, and the specific settings you need to check before storing anything beyond spreadsheet-equivalent data.
TL;DR
Airtable is safe for non-sensitive data on any plan. For PII, financial records, or health data: HIPAA requires Enterprise Scale with a signed BAA; PATs must be scoped and stored server-side; share links to sensitive views must stay private. The biggest real-world risks are leaked API tokens in code repos and overly permissive share links sent in Slack.
What Is Airtable?
Airtable is a cloud database platform used by teams to manage records, workflows, and data pipelines. Builders increasingly use it as a backend for internal tools and Softr apps, via its REST API. It is SOC 2 Type II certified and runs on AWS with encryption at rest (AES-256) and in transit (TLS 1.2+).
Our Verdict
What Airtable Gets Right
- SOC 2 Type II certified
- AES-256 encryption at rest, TLS in transit
- Personal Access Tokens with granular scope controls
- SSO and SCIM on Business and Enterprise plans
- Audit logs on Enterprise plans
- Two-factor authentication available on all plans
Where Things Go Wrong
- Share links are public with no password protection below Enterprise
- Legacy API keys (now deprecated) were base-wide and non-revokable per-base
- HIPAA compliance locked to Enterprise Scale only
- No row-level access control inside a base (you can't say "user A sees rows 1-10, user B sees rows 11-20")
- Automation scripts run with the permissions of the creator, not the invoking user
The Share Link Problem
Airtable's most common security failure has nothing to do with infrastructure. It's the share link sent in a Slack message.
When you share a View, Airtable generates a URL like https://airtable.com/shrXXXXXXXXXXXXXX. Anyone with that URL can see every record in that view. There is no login prompt, no expiry, and no revocation notification if the link gets forwarded. The only way to stop access is to delete the link.
If your view contains customer names, emails, phone numbers, or financial data, that share link is a data breach waiting to happen.
Never send share links to views or bases containing PII, financial data, or anything you would not want publicly indexed. Google has indexed Airtable share links in the past when they were embedded in public pages.
API Key Exposure: Airtable's Most Common Real-World Incident
Airtable deprecated legacy API keys in February 2024 and migrated users to Personal Access Tokens (PATs). The reason: legacy keys were base-wide credentials with no scope controls. A leaked key gave full read-write access to every base the workspace owner could see.
PATs are a meaningful improvement. You choose which bases the token can access and what permission level it has (commenter, editor, creator). A leaked read-only PAT scoped to one base limits the blast radius significantly.
But PATs are still commonly mishandled:
- Hardcoded in frontend JavaScript (visible in browser DevTools)
- Committed to public GitHub repos (GitHub's secret scanning catches this, but only after the push)
- Stored as plain text in
.envfiles that get committed when.gitignoreis misconfigured
// DO NOT DO THIS
const AIRTABLE_PAT = 'patXXXXXXXXXXXXXX.XXXXXXX';
const response = await fetch(`https://api.airtable.com/v0/${BASE_ID}/${TABLE}`, {
headers: { Authorization: `Bearer ${AIRTABLE_PAT}` }
});
// server-side only (e.g., Vercel serverless function, Node.js backend)
const AIRTABLE_PAT = process.env.AIRTABLE_PAT; // set in your hosting env vars
const response = await fetch(`https://api.airtable.com/v0/${BASE_ID}/${TABLE}`, {
headers: { Authorization: `Bearer ${AIRTABLE_PAT}` }
});
Create one PAT per integration, scoped to the minimum bases and permission level it needs. If a PAT leaks, you revoke just that token without touching other integrations.
HIPAA and Compliance Limits
Airtable's compliance coverage by plan:
| Plan | SOC 2 Type II | HIPAA BAA | SSO/SCIM | Audit Logs |
|---|---|---|---|---|
| Free | Yes | No | No | No |
| Plus / Pro | Yes | No | No | No |
| Business | Yes | No | Yes | Limited |
| Enterprise Scale | Yes | Yes | Yes | Full |
HIPAA requires a signed Business Associate Agreement (BAA). Airtable only signs BAAs with Enterprise Scale customers. If you are building for healthcare, do not store Protected Health Information (PHI) in Airtable unless you are on Enterprise Scale with a signed BAA.
The same applies to financial data subject to PCI DSS: Airtable is not a PCI-compliant datastore and should not be used to store raw card numbers or sensitive cardholder data on any plan.
No Row-Level Access Control
This is the structural limitation that surprises most builders: Airtable has no native row-level access control inside a base.
If you give User A "Editor" access to a base, User A can see and edit every record in every table. You cannot configure policies like "user sees only records where email = their email." The only workaround is:
- Separate bases per user or per data segment (operationally painful)
- Build your own API proxy that filters records before returning them (requires backend development)
- Use a platform like Softr that adds a user-context layer on top of Airtable (but Softr's security depends on correct configuration there)
If your use case requires per-user data isolation, Airtable's native sharing model is not the right tool. Consider Supabase (which has Row Level Security) or a traditional database.
Airtable Automations and Script Security
Airtable automations can run custom JavaScript via the "Run a script" action. These scripts execute on Airtable's infrastructure and can access base records, call external APIs, and send HTTP requests.
Key security considerations:
- Scripts run with the permissions of the user who created the automation, not the user who triggered it
- External API calls from scripts can embed secrets in the script code itself (visible to any base collaborator with creator access)
- There is no secrets manager built into Airtable automations; secrets in script code are stored as plain text in the automation config
If your automations call external services, avoid embedding API keys directly. Use a serverless function or proxy as the intermediary, and pass only non-sensitive identifiers from the automation.
Is Airtable safe for sensitive data?
It depends on the data type and your plan. Airtable is SOC 2 Type II certified and encrypts data at rest and in transit. HIPAA compliance is only available on Enterprise Scale plans with a signed BAA. For PII or financial data on lower plans, Airtable is usable but requires strict access controls, scoped PATs, and no public share links on sensitive bases.
Is Airtable HIPAA compliant?
Only on the Enterprise Scale plan with a signed BAA. Free, Plus, Pro, and Business plans are not HIPAA compliant. Do not store PHI in Airtable unless you are on Enterprise Scale with a signed BAA in place.
What is an Airtable Personal Access Token and is it safe?
A Personal Access Token (PAT) replaced legacy API keys in February 2024. PATs are safer because you can scope them to specific bases and permission levels (commenter, editor, creator). A leaked PAT only exposes what it was scoped to. Store PATs in server-side environment variables, never in client-side code or public repos.
Can anyone access my Airtable data through a share link?
If you share a View link, anyone with the link can see all data in that view with no login required. Airtable does not offer password protection on share links below Enterprise. Never share links to views or bases containing sensitive data.
Was Airtable ever hacked?
In December 2022, Airtable disclosed that some customer account data (primarily email addresses) was exposed through a third-party analytics vendor. Airtable itself was not breached directly. The company notified affected users and rotated credentials. No base record data was reported as exposed in that incident.
Building on Airtable? Scan your connected backend for exposed API keys, misconfigured CORS, and other vulnerabilities.