Our Security page compiles information about how Obsidian approaches protecting your data. It is also the home for security audits completed by third parties.
Obsidian is designed to function as an offline and standalone application. Obsidian also supports custom plugins and themes. Additionally, we provide both official and unofficial support for various file syncing services.
If you do not intend to use community plugins or themes, or Obsidian Sync or Obsidian Publish, your standard procedures for securing applications will apply. However, if you plan to use any of these features, we recommend thoroughly evaluating their suitability for your workplace.
Please review the Plugin security page in addition to this section.
The Obsidian team reviews all community plugins and themes submitted to the official directory via our releases repository. We do not review community items that have not been submitted to the official directory.
We do not have a community store for CSS snippets. These files are typically obtained from within our Obsidian Community or from public GitHub repositories.
We require bundling of assets in CSS snippets and themes. However, we have made an exception for Google Fonts to maintain performance on mobile devices, where the impact of bundling fonts is more noticeable.
While prioritizing the local-first approach of our application, Obsidian does make network calls based on the services and features you use. These network connections can be disabled via a domain firewall or application lockdown.
Obsidian makes these network connections on HTTPS port 443.
The following is a list of network connections Obsidian makes.
- releases.obsidian.md
- api.obsidian.md
- sync-xx.obsidian.md, where xx is a number between 01-100
- publish-main.obsidian.md and publish-xx.obsidian.md, where xx is a number
- publish.obsidian.md
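An added example (not Obsidian's code): a Python check that compares egress records for the Obsidian process against the hostnames listed above, useful when validating a domain firewall rule set. The `host:port` record format, the function names, and the reading of "01-100" as zero-padded 01 to 99 plus 100 are assumptions.

```python
import re

# Hostnames listed on this page; the "xx" placeholders become patterns.
FIXED_HOSTS = {"releases.obsidian.md", "api.obsidian.md",
               "publish-main.obsidian.md", "publish.obsidian.md"}
SYNC_RE = re.compile(r"sync-(\d{2,3})\.obsidian\.md")
PUBLISH_RE = re.compile(r"publish-\d+\.obsidian\.md")


def is_documented_host(host: str) -> bool:
    """True if host is one of the endpoints this page lists."""
    host = host.strip().lower().rstrip(".")  # normalise case and trailing dot
    if host in FIXED_HOSTS or PUBLISH_RE.fullmatch(host):
        return True
    m = SYNC_RE.fullmatch(host)
    if not m:
        return False
    digits = m.group(1)
    # Assumption: "01-100" means zero-padded 01..99, plus 100.
    return digits == "100" or (len(digits) == 2 and digits != "00")


def review_connections(log_lines):
    """Split 'host:port' records into documented and unexpected."""
    documented, unexpected = [], []
    for line in log_lines:
        host, _, port = line.strip().rpartition(":")
        ok = port == "443" and is_documented_host(host)
        (documented if ok else unexpected).append(line.strip())
    return documented, unexpected


# Constructed sample of egress records attributed to the Obsidian process.
SAMPLE = [
    "releases.obsidian.md:443",
    "sync-07.obsidian.md:443",
    "sync-100.obsidian.md:443",
    "sync-101.obsidian.md:443",         # outside the documented 01-100 range
    "publish-main.obsidian.md:443",
    "api.obsidian.md.example.net:443",  # look-alike suffix, not documented
    "api.obsidian.md:80",               # documented host, wrong port
]

if __name__ == "__main__":
    ok, odd = review_connections(SAMPLE)
    print("documented:", ok)
    print("unexpected:", odd)
```

Entries reported as unexpected are not necessarily hostile: community plugins and themes (including the Google Fonts exception mentioned above) are outside this list and need their own review.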
Does Obsidian support Single Sign-On (SSO)?
Obsidian does not support SSO. In most use cases, Obsidian does not require an account or sign-on in your workplace, unless you are using Obsidian Publish or Obsidian Sync.
Does Obsidian support Multi-Factor Authentication (MFA)?
Obsidian supports 2-factor authentication (2FA) for Obsidian accounts, but it does not support 2FA for opening and using the base application. Users of Obsidian Sync and Obsidian Publish who have 2FA enabled will be required to confirm their 2FA key when they first log into the application.
Will you accept security assessments from our company?
We require a minimum quoted purchase order amount before considering completing a security assessment. These assessments are often time-consuming and may not be applicable to offline applications like Obsidian, as they are typically geared towards cloud-based services.
However, you can waive this quoted purchase order amount by agreeing to pay a retainer fee. Please contact Obsidian support to inquire about this option.
Do you have any recognized certifications related to Information Security or quality standards, such as ISO27001, NIST, COBIT, or other ISO or CSA certifications?
Not at this time. It may be something we explore in the future, but for now, our focus is on our security audits.