Security Center - Overview

Introduction

The Exponam.Connect Excel Add-in is installed on users’ desktops. The Add-in works with the Databricks platform's Unity Catalog and Delta Sharing REST service to retrieve data from your Databricks Lakehouse and return it to the user in Excel.

From a Cybersecurity perspective, there are a few important things to note:

  • Data never leaves your environment
  • No data ever transits any non-client environment, server or machine
  • Exponam never has access to or possession of any client data or client credentials
  • No Exponam service or server ever acts as an intermediary in any data flow
  • The ONLY data Exponam will ever possess pertaining to a client is the contact information of client personnel who communicate with Exponam (such as email addresses)

Data Flow and Architecture

1. The Exponam.Connect Excel Add-in is a Databricks Delta Sharing Connector. We leverage the Databricks technology stack not only for governance, authentication and access/security, but also for data flow. Everything is built on the Databricks platform, specifically Unity Catalog and Delta Sharing.
2. No data ever leaves the client’s Databricks platform and network.
3. When a user accesses the Exponam.Connect UI, a data request is made from the user's machine to the client’s Databricks Delta Sharing REST API. The request is validated in conjunction with the client’s Databricks Unity Catalog controls. A short-lived set of presigned URLs (pointers to the requested parquet files within the client’s Databricks Delta Lake) is returned to the user’s machine. Temporary direct access from the user’s machine to the client’s parquet tables in object storage (AWS, GCP, ADLS, etc.) is established, and the data is downloaded to the user’s machine. All communication from the user’s machine is end-to-end TLS encrypted.
4. No Exponam servers are ever accessed in the flow of data. No Exponam resources are in any way involved with, or granted access to, any client information.
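Step 3 above has the user's machine receive a short-lived set of presigned URLs from the Delta Sharing REST API and fetch parquet files directly from object storage. The Python below is an added example, not code from Exponam or Databricks: it parses a constructed Delta Sharing query response in the open protocol's newline-delimited JSON shape and applies the checks a client would want before downloading anything, namely HTTPS only, an approved storage host, and an expiry that is neither past nor longer than policy allows. The `expirationTimestamp` field, the allowed-host set and the one-hour lifetime policy are assumptions.

```python
"""Added example (not Exponam's or Databricks' code): vet the presigned URLs a
Delta Sharing query response hands to the client before any parquet is fetched.

Assumptions: the response is newline-delimited JSON in the open Delta Sharing
protocol shape (protocol / metaData / file lines), each file line carries an
'expirationTimestamp' in epoch milliseconds, and the approved storage hosts come
from the client's own configuration.  All sample data below is constructed.
"""
from __future__ import annotations

import json
from urllib.parse import urlparse

# Constructed sample response: one clean URL and three that violate policy.
SAMPLE_RESPONSE = "\n".join([
    json.dumps({"protocol": {"minReaderVersion": 1}}),
    json.dumps({"metaData": {"id": "tbl-0001", "format": {"provider": "parquet"},
                             "schemaString": "{...}", "partitionColumns": []}}),
    json.dumps({"file": {"id": "f0", "partitionValues": {}, "size": 573,
                         "url": "https://example-bucket.s3.amazonaws.com/part-0.parquet?X-Amz-Expires=900",
                         "expirationTimestamp": 1_700_000_900_000}}),
    json.dumps({"file": {"id": "f1", "partitionValues": {}, "size": 612,
                         "url": "http://example-bucket.s3.amazonaws.com/part-1.parquet",
                         "expirationTimestamp": 1_700_000_900_000}}),
    json.dumps({"file": {"id": "f2", "partitionValues": {}, "size": 99,
                         "url": "https://unexpected-host.example/part-2.parquet",
                         "expirationTimestamp": 1_700_000_900_000}}),
    json.dumps({"file": {"id": "f3", "partitionValues": {}, "size": 10,
                         "url": "https://example-bucket.s3.amazonaws.com/part-3.parquet",
                         "expirationTimestamp": 1_700_000_000_000 + 30 * 86_400_000}}),
])

MAX_URL_LIFETIME_S = 3600  # hypothetical client policy: a presigned URL must expire within an hour
NOW_MS = 1_700_000_000_000  # constructed "current time" in epoch milliseconds


def parse_response(body: str) -> list[dict]:
    """Return the 'file' entries from an NDJSON Delta Sharing query response."""
    files = []
    for line in body.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if "file" in record:
            files.append(record["file"])
    return files


def check_presigned_url(file_entry: dict, allowed_hosts: set[str], now_ms: int) -> list[str]:
    """Return the policy violations for one presigned file URL (empty list = OK)."""
    problems = []
    url = urlparse(file_entry["url"])
    if url.scheme != "https":
        problems.append("scheme is not https")
    if url.hostname not in allowed_hosts:
        problems.append(f"host {url.hostname!r} is not an approved storage host")
    expires_ms = file_entry.get("expirationTimestamp")
    if expires_ms is None:
        problems.append("no expirationTimestamp")
    elif expires_ms <= now_ms:
        problems.append("URL already expired")
    elif (expires_ms - now_ms) / 1000 > MAX_URL_LIFETIME_S:
        problems.append("URL lifetime exceeds policy")
    return problems


def downloadable_files(body: str, allowed_hosts: set[str], now_ms: int) -> tuple[list[str], dict[str, list[str]]]:
    """Split a response into file ids safe to fetch and a map of rejected id -> reasons."""
    ok, rejected = [], {}
    for entry in parse_response(body):
        problems = check_presigned_url(entry, allowed_hosts, now_ms)
        if problems:
            rejected[entry["id"]] = problems
        else:
            ok.append(entry["id"])
    return ok, rejected


if __name__ == "__main__":
    accepted, refused = downloadable_files(SAMPLE_RESPONSE, {"example-bucket.s3.amazonaws.com"}, NOW_MS)
    print("fetch:", accepted)
    for file_id, reasons in refused.items():
        print("refuse", file_id, "->", "; ".join(reasons))
```

The host allowlist is deliberately the client's own configuration rather than something derived from the response: the response is what is being vetted, so it cannot be the source of truth for where downloads may go.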

[Figure: dbx architecture.png, the data flow and architecture diagram]

Authentication

The Exponam.Connect Excel Add-in supports the two authentication paradigms available within the Databricks Delta Sharing platform.

  1. The Databricks v1 authentication methodology relies upon “.share” files, which contain embedded tokens that are distributed to users for authentication, access and security rights. These “.share” files may be defined within the Databricks platform for limited use by specific IP addresses/ranges and for defined durations.
  2. The Databricks v2 authentication methodology relies upon OIDC federation with an IdP (e.g. Entra, Okta). User identification is positively affirmed through standard OIDC/OAuth2 flows.
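For the v1 method, the “.share” profile file is itself the credential, so what the Add-in accepts from it matters. The Python below is an added example, not Exponam's or Databricks' code: it checks a profile before use (credentials version, HTTPS endpoint, presence of the token, and an expiry that is neither past nor longer than policy) and produces a redacted copy that is safe to write to logs. It assumes the open Delta Sharing profile-file layout (`shareCredentialsVersion`, `endpoint`, `bearerToken`, optional ISO-8601 `expirationTime`); the sample profiles, the token values and the 365-day lifetime policy are constructed.

```python
"""Added example (not Exponam's or Databricks' code): inspect a Delta Sharing v1
'.share' profile before it is used, so an expired, unencrypted or malformed
credential is refused rather than sent.

Assumptions: the profile follows the open Delta Sharing profile-file format
(JSON with shareCredentialsVersion, endpoint, bearerToken and an optional
ISO-8601 expirationTime).  Sample profiles and the lifetime policy are constructed.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed profiles; the tokens are placeholders, not real secrets.
GOOD_PROFILE = json.dumps({
    "shareCredentialsVersion": 1,
    "endpoint": "https://sharing.example.cloud.databricks.com/delta-sharing/",
    "bearerToken": "CONSTRUCTED-TOKEN-NOT-A-REAL-SECRET",
    "expirationTime": "2025-12-31T00:00:00.000Z",
})
STALE_PROFILE = json.dumps({
    "shareCredentialsVersion": 1,
    "endpoint": "http://sharing.example.cloud.databricks.com/delta-sharing/",
    "bearerToken": "CONSTRUCTED-TOKEN-NOT-A-REAL-SECRET",
    "expirationTime": "2020-01-01T00:00:00.000Z",
})
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


def parse_expiration(value: str) -> datetime:
    """Parse the profile's ISO-8601 expirationTime (a trailing 'Z' means UTC)."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def validate_profile(text: str, now: datetime, max_days_left: int = 365) -> list[str]:
    """Return policy violations for a .share profile (empty list means usable)."""
    problems = []
    try:
        profile = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if profile.get("shareCredentialsVersion") != 1:
        problems.append("unsupported shareCredentialsVersion")
    endpoint = urlparse(profile.get("endpoint", ""))
    if endpoint.scheme != "https" or not endpoint.hostname:
        problems.append("endpoint must be an https URL")
    if not profile.get("bearerToken"):
        problems.append("bearerToken missing")
    exp_raw = profile.get("expirationTime")
    if exp_raw is None:
        problems.append("no expirationTime: token does not expire")
    else:
        try:
            expires = parse_expiration(exp_raw)
        except ValueError:
            problems.append("expirationTime is not ISO-8601")
        else:
            if expires <= now:
                problems.append("token already expired")
            elif expires - now > timedelta(days=max_days_left):
                problems.append("token lifetime exceeds policy")
    return problems


def redact(text: str) -> dict:
    """Copy of the profile that is safe to log: the bearer token is replaced."""
    profile = json.loads(text)
    if "bearerToken" in profile:
        profile["bearerToken"] = "<redacted>"
    return profile


if __name__ == "__main__":
    for name, text in (("good", GOOD_PROFILE), ("stale", STALE_PROFILE)):
        print(name, redact(text), validate_profile(text, NOW) or "OK")
```

The redacted form is the only one that should ever reach a log or a support ticket; the raw profile grants the same access as the token inside it.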

Data Security

Data Security is managed entirely within the Databricks Unity Catalog / Delta Sharing administrative platform.  Users, authenticated via one of the two authentication methods above, are associated with Recipient objects within Databricks.  The Recipient object is, in turn, associated with one or more Data Share objects within Databricks.  The Data Share objects are multi-tiered catalogs of data assets including tables, materialized views, dynamic views, and foreign tables.

In this way, user data access may be granularly limited for an individual user or for a group of users.  Said access is granted to specific tables, views, columns and/or rows.

Governance and Logging

All governance and logging are managed within Databricks’ Unity Catalog. Comprehensive logs track every user’s request for data and every response.

Exponam Attestations, Development and Security Policies

As Exponam does not act as a service provider for, or as a custodian of, data, SOC 2, ISO 27001 and PCI AOC/ROC attestations and assessments are not applicable.

Because Exponam is a privately held, self-funded software manufacturer, SOC 1 reviews have not been conducted. They may be conducted in the future.

Exponam adheres to NIST SP 800-218 guidelines for Secure Software Development to ensure that secure, up-to-date coding practices are followed. See our NIST 800-218 Attestation and the associated policy documentation attached hereto.

Links

Managing User Authentication and Access

NIST 800-218 Attestation

Acceptable Use Policy

Information Security Policy