
Security

Enterprise security and data governance

Give teams governed access to the data warehouse in a secure cloud spreadsheet. Row Zero is SOC 2 Type II certified, HIPAA and GDPR compliant, and trusted by the world’s largest companies.


Compare security features by plan

Pro
Business
Enterprise

SOC 2 Type II Certified

HIPAA Compliant

GDPR Compliant

Set access controls: View/Edit/Sharing

Access to SOC 2 Type II Report

Business Associates Agreement (BAA)

Enforce data residency

SSO, SCIM, and OAuth

Inherit RLS and RBAC from data warehouse

Restrict data export and external sharing

Enforce data lifecycle rules

Dedicated data plane

'Bring your own key' AI assistant

Workspaces

Private Link, GovCloud, on-prem, private hosting options

Row Zero security and architecture overview

Row Zero is a modern spreadsheet built for enterprises. It’s fast, secure, and connects directly to your data. Unlike Excel and Google Sheets, Row Zero runs in the cloud instead of on employee laptops. This has two advantages:

  1. Compute can be scaled up to handle large data sets.
  2. Sensitive data is trapped securely in the cloud.

Product overview

Row Zero is structured around a few key entities that define how data is organized and shared.

Workbooks are spreadsheets that contain data, formulas, and/or visualizations.

  • All workbooks are private by default, but can be shared according to your organization's policies.
  • Workbooks import live data from your Connections via Connected Tables, which query your databases.

Connections are integrations with external data sources or databases.

  • Row Zero supports authentication via OAuth, password, and key pair.
  • All connections inherit the permissions (including RLS) of the credentials they use to connect.

Data Sources are published queries using a specific Connection that can be shared with other users within Row Zero.

Connected Tables are data tables that may be embedded in a workbook and refreshed, either manually or on a schedule. Connected tables are always backed by a Connection and can only be run by users with access to that Connection.

Architecture overview

Dedicated Data Plane

Every workbook runs on a dedicated server (e.g. AWS EC2 instance, Azure VM, etc.). Data for user A is never commingled with data for user B, even if both users work at the same company.

Private Storage (“Bring your own object storage”)

Row Zero is a stateful service. Unlike BI tools that issue queries to your data warehouse and present the results, Row Zero workbooks allow users to perform data entry, upload files, and import data from databases and APIs. Workbook data is encrypted and saved in object storage (e.g. S3 buckets, Azure Blob Storage containers, etc.).

Enterprise customers may elect to use their own object storage in their VPC to satisfy security requirements. In this mode, customer data exists in memory on Row Zero servers when a workbook is active, but it’s only persisted to your own managed object storage in your VPC. For optimal performance, it is important to set up object storage in every region where your users are located (e.g. US West, US East, and Europe). At minimum, set up storage in two regions for redundancy.

Customers choosing to store data in their own object storage must create 2 buckets/containers in each region where their workbooks will run. One of these is for durable storage, and the other is used for temporary staging. For example, AWS customers will create an IAM role that grants Row Zero permission to administer these buckets. Data is encrypted at rest in each bucket using either S3 SSE or the KMS key you specified when the bucket was created. Files are encrypted in transit between your object storage and Row Zero’s servers by TLS.
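The following is an added example, not Row Zero's own code: a customer-side check that a bucket inventory matches the layout described above (two buckets per region, at least two regions, SSE-S3 or KMS at rest). The inventory format, bucket names and the extra check for a bucket policy that denies non-TLS requests (the standard aws:SecureTransport condition) are assumptions of this example.

```python
ALLOWED_SSE = {"AES256", "aws:kms"}   # SSE-S3 or SSE-KMS default encryption
REQUIRED = {"durable", "staging"}     # the two buckets needed in each region

def denies_plain_http(policy):
    """True if a Deny statement matches requests with aws:SecureTransport=false."""
    for stmt in policy.get("Statement", []):
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if stmt.get("Effect") == "Deny" and str(flag).lower() == "false":
            return True
    return False

def audit(buckets, min_regions=2):
    """Return a list of findings for a bucket inventory (format is hypothetical)."""
    findings, by_region = [], {}
    for b in buckets:
        by_region.setdefault(b["region"], set()).add(b["purpose"])
        if b.get("sse") not in ALLOWED_SSE:
            findings.append(f"{b['name']}: no SSE-S3 or KMS default encryption")
        if not denies_plain_http(b.get("policy", {})):
            findings.append(f"{b['name']}: policy does not deny non-TLS requests")
    for region in sorted(by_region):
        for missing in sorted(REQUIRED - by_region[region]):
            findings.append(f"{region}: missing {missing} bucket")
    if len(by_region) < min_regions:
        findings.append(f"only {len(by_region)} region(s); need {min_regions} for redundancy")
    return findings

# Constructed TLS-only bucket policy; the resource ARN is a placeholder.
TLS_ONLY = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
                           "Resource": "arn:aws:s3:::example-bucket/*",
                           "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Constructed sample inventory (hypothetical names): eu-west-1 is misconfigured.
SAMPLE = [
    {"name": "example-durable-usw2", "region": "us-west-2", "purpose": "durable",
     "sse": "AES256", "policy": TLS_ONLY},
    {"name": "example-staging-usw2", "region": "us-west-2", "purpose": "staging",
     "sse": "aws:kms", "policy": TLS_ONLY},
    {"name": "example-durable-euw1", "region": "eu-west-1", "purpose": "durable",
     "sse": None, "policy": {}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```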

Data Connections

Row Zero has data connectors for all major data warehouses, including Databricks, Snowflake, Redshift, BigQuery, and more. Row Zero supports authentication via OAuth, username/password, and key pair. Explore our documentation pages for more detailed information on each connector (e.g. Snowflake, Databricks, Redshift, BigQuery).

To write or run a query from Row Zero, two conditions must hold: the user must have access to a Connection in Row Zero, and the database user associated with that Connection must have the appropriate access.

Private Link

To prevent data from transiting the Internet, Row Zero supports Private Link (e.g. AWS PrivateLink, Azure Private Link, etc.) for inbound connections from customer laptops and outbound connections to cloud-hosted sources. Additional fees apply.

User Provisioning, SSO, & SCIM

Row Zero uses just-in-time account provisioning for Business and Enterprise accounts. Users are automatically created when they log in for the first time, usually via SSO. If your organization syncs groups with SCIM, new users automatically inherit access to any workbooks, connections, or data sources shared with their assigned groups within Row Zero.

Row Zero supports SSO via OpenID Connect (OIDC) and SAML 2.0. View SSO documentation.

AI Assistant

Row Zero’s AI Assistant uses a “bring-your-own-key” approach. This approach allows your organization to retain control over access to the inference provider and run in your organization’s approved cloud services.

Row Zero's architecture makes it impossible for an AI (even one with malicious instructions) to disclose sensitive data because AI-enabled workbooks are network isolated. The only communication allowed is between the workbook itself and Row Zero’s internal services. Our internal services are responsible for processing tool requests from the AI inference provider and sending the results back. View more information in our AI documentation.

Subprocessors

View a list of the subprocessors Row Zero engages with and for what purpose.

Additional security features and settings

Configure Security and Sharing Policies

The following policies can be configured for every organization:

  • Sharing policies for connections, data sources, and workbooks
  • Policies for who can create connections
  • Export policies for downloads and copy/paste
  • Workbook lifecycle policies
  • Network isolation policy
  • Region lock to satisfy data residency requirements

Workspaces

Workspaces enable customers to organize data or projects into secure, isolated environments. Each workspace has its own membership, security settings, and data connections that are isolated from other workspaces in an organization. Every workbook belongs to a single workspace, but users can belong to multiple.

Common use cases:

  • Workspaces for different business units in a large company
  • Workspaces with different security settings (like share settings, export restrictions, region lock, or data retention)
  • Client-specific workspaces when collaborating with external partners

Row Zero is designed with security at its core

Our development process applies industry best practices like threat modeling, pen testing, code reviews, Principle of Least Privilege, Assume Compromise, Defense in Depth, and Pyramid of Pain. Secrets are short-lived. No engineer has API access to Prod. We patch regularly. We carefully consider our open source dependencies.

We are committed to providing industry-leading security to all customers. Row Zero is SOC 2 Type II certified, GDPR compliant, and HIPAA compliant. Upon request, Row Zero will provide the latest SOC 2 report or sign a Business Associates Agreement for enterprise tiers.

For any questions regarding our security practices, please send an email to security@rowzero.com or contact us.
