SearchFIT.ai: Track and grow your brand in AI search
Back to Blog
Guide 5 mins

Apache Superset for Customer-Facing Embedded Reports: A D23.io Implementation Pattern

Learn to build secure, scalable customer-facing embedded reports with Apache Superset and the D23.io implementation pattern. Covers data modeling, dashboard

The PADISO Team ·2026-07-18

Table of Contents

  1. Why Apache Superset for Embedded Analytics?
  2. The Core Challenge: Multi-Tenant Security and Performance
  3. D23.io: A Production-Ready Implementation Pattern
  4. Data Modeling That Scales to Thousands of Tenants
  5. Designing Dashboards That Feel Native
  6. Sharing and Embedding: From Iframe to API-First
  7. Hardening for Production: Security, Compliance, and Resilience
  8. The Typical D23.io Engagement: What You Get
  9. Real Results: How One SaaS Cut Reporting Costs by 70%
  10. Getting Started: Your First Embedded Dashboard in a Week

Why Apache Superset for Embedded Analytics? {#why-apache-superset}

Embedding customer-facing analytics inside a SaaS product is no longer a luxury—it’s table stakes. Whether you operate in logistics, fintech, or health tech, your users expect dashboards that feel like a native part of your application, not a clumsy redirect to a separate BI tool. That’s where Apache Superset enters the picture.

Superset is an open-source, modern data exploration and visualization platform that has quietly become the backbone of embedded analytics for hundreds of production applications. It supports a vast array of databases—from PostgreSQL and ClickHouse to cloud warehouses like BigQuery and Snowflake—and ships with a powerful SQL Lab, a drag-and-drop dashboard builder, and a rich set of visualization types. But its real superpower for SaaS teams is the embedding layer: Superset lets you render full dashboards inside an iframe, secured by JWT-authenticated guest tokens and governed by per-tenant row-level security (RLS) rules.

Unlike proprietary embedded analytics solutions that charge per-user or per-view fees, Superset’s open-source model means you can serve thousands of customers without licensing costs scaling out of control. This alone has made it a favorite among private-equity backed software roll-ups looking to consolidate tech stacks and boost EBITDA. As one operator at a PADISO engagement in Chicago put it: “We replaced a legacy BI tool costing $18K/month with Superset on our existing Kubernetes cluster. Our margin improved by 5 points in the first quarter.”

But raw Superset is not turnkey. You still need to architect the multi-tenancy layer, design a performant data model, harden authentication, and monitor the system in production. That’s where an implementation pattern like the one from D23.io makes the difference between a proof of concept and a revenue-generating feature.

The Core Challenge: Multi-Tenant Security and Performance {#core-challenge}

When you embed a Superset dashboard into a customer-facing application, every viewer expects to see only their own data. In a B2B SaaS tool, that often means strict tenancy separation: the retailer in Texas must never see the inventory data of another retailer in Ontario. This isn’t just a nice-to-have—it’s a contractual obligation, often backed by SOC 2 or ISO 27001 commitments.

Superset’s built-in security model relies on its FAB (Flask AppBuilder) RBAC, which is not designed for external, dynamic tenancy. You cannot simply log in an external user and expect row-level filtering to work out of the box. The D23.io pattern solves this by introducing a reverse proxy and token generation layer that sits between your application and the Superset server. When a user in your app requests a dashboard, your backend issues a short-lived JWT with claims that include the tenant ID and permitted dataset IDs. The proxy validates this token, injects the tenant context into the SQL queries using Superset’s ROW_LEVEL_SECURITY filters, and serves the dashboard inside a cross-origin iframe.

That might sound like a lot of moving parts. Here’s a simplified architecture diagram of what this looks like in a typical D23.io deployment:

graph TD
    A[User Browser] -->|Requests embedded dashboard| B[Your SaaS Frontend]
    B -->|Calls internal API for guest token| C[Your Backend]
    C -->|Generates signed JWT with tenant_id| D[Auth Proxy / Nginx]
    D -->|Validates token, injects RLS| E[Apache Superset]
    E -->|Queries data with tenant filter| F[(Data Warehouse)]
    F -->|Returns tenant-scoped results| E
    E -->|Renders dashboard| A
    subgraph D23.io Managed Layer
        D
        E
    end

This architecture decouples authentication from Superset itself, allowing you to use your existing IDP (e.g., Auth0, Okta) and keep user management clean. The embedded iframe operates with a temporary token that expires shortly after the session, so even if a token leaks, the blast radius is contained.

D23.io: A Production-Ready Implementation Pattern {#d23-pattern}

D23.io emerged from the need to streamline this exact setup for mid-market SaaS companies that can’t afford a dedicated platform team to hand-roll the embedding infrastructure. It’s not a fork of Superset—it’s a battle-tested blueprint, hardened across dozens of deployments, that packages the essential components: a containerized Superset instance, the reverse proxy with token validation, a Kubernetes Helm chart for deployment, and Terraform scripts for the underlying cloud resources on AWS, Azure, or GCP.

What makes D23.io particularly appealing is its opinionated approach to the full lifecycle. Instead of delivering a set of config files and walking away, the pattern includes monitoring dashboards, alert rules, and runbooks for day-2 operations. For a private-equity group consolidating three logistics platforms, for instance, D23.io can spin up a unified analytics layer that serves all three subsidiaries, each with its own isolated dataset and branded dashboards—all within six weeks.

Keyvan Kasaei, who leads both PADISO and the architecture behind D23.io, frames it this way: “We saw too many teams stall after getting a basic embed working. The hard part isn’t the first dashboard—it’s making the tenth dashboard fast, secure, and auditable. That’s our contribution: we’ve codified the guardrails.”

If your team needs to move fast, D23.io can be combined with PADISO’s fractional CTO service to ensure the embedded analytics strategy aligns with broader tech consolidation and AI transformation goals. For example, a Canadian fintech scaling across the US recently engaged PADISO to lead their re-platform to a multi-tenant SaaS architecture on GCP—with embedded Superset dashboards as the customer-facing reporting layer. PADISO’s platform engineering footprint in Toronto and New York provided the local expertise to navigate PIPEDA and SOC 2 requirements in parallel.

Data Modeling That Scales to Thousands of Tenants {#data-modeling}

Data modeling is where most embedded projects hit a wall. A dashboard that works beautifully for five customers can slow to a crawl when you’re serving 500 tenants, each with millions of rows. The D23.io pattern emphasizes two design decisions early: pre-aggregation and materialized tenant views.

Choose the Right Database Engine

Superset sends SQL queries directly to your database, so the underlying engine must be able to handle 100+ concurrent analytical queries without choking. For many mid-market SaaS products, ClickHouse has become the go-to choice because of its columnar storage and blazing fast aggregation over billions of rows. We’ve seen PADISO teams recommend ClickHouse for time-series-heavy workloads—think IoT sensor data or financial transactions—whereas PostgreSQL with proper indexing can suffice for datasets under 100 million rows. For deployments in Dallas-Fort Worth where logistics firms run real-time route optimization, we often pair ClickHouse with an event streaming pipeline from Kafka.

Tenant Isolation at the Database Level

A common mistake is to put all tenant data in one table with a tenant_id column, then rely on Superset’s RLS to filter every query. That works, but as data grows, the constant scanning of large partitions can cripple performance. D23.io advocates for schema-per-tenant or, better yet, dataset-per-tenant materialized views that are automatically refreshed. For example, on Google Cloud, you can use BigQuery’s row-level security and authorized views to create one view per tenant that pre-filters the data. Superset then connects to those views instead of raw tables. In an Austin-based semiconductor firm, this approach reduced dashboard load times from 12 seconds to under 800 milliseconds.

Semantic Layer and Virtual Datasets

Once your physical tables are in order, define a set of virtual datasets in Superset. These are SQL queries saved as re-usable logical tables, often with joins, computed columns, and business-friendly column names. A well-crafted semantic layer means your dashboard designers—sometimes even non-technical product managers—can build new charts without writing raw SQL. D23.io typically delivers a catalog of 10-15 virtual datasets per deployment, covering the most common reporting use cases (revenue by week, churn rate, support ticket SLA, etc.).

Designing Dashboards That Feel Native {#dashboard-design}

Embedded dashboards succeed or fail based on user experience. An ugly, unresponsive dashboard that clashes with your brand will see zero adoption. Superset’s out-of-the-box look is clean but generic, so the D23.io pattern includes a custom CSS injection layer and a set of JavaScript hooks to bridge the gap between your application and the iframe.

White-Labeling and Branding

You can override Superset’s default theme by mounting a custom CSS file into the container. D23.io provides a starting template that you modify with your brand colors, fonts, and logo. More importantly, the pattern supports dynamic branding: if your SaaS application serves multiple white-labeled sub-brands (common in franchise or dealer networks), the dashboard can load a tenant-specific theme based on the JWT claims. This has been a game changer for PADISO engagements in Sydney and Melbourne, where retailers wanted their suppliers to see dashboards in the supplier’s own colors.

Mobile Responsiveness and Interactivity

Superset dashboards are built on a grid system that adapts to different screen sizes, but the default control elements (filters, date pickers) can be clunky on a phone. The D23.io pattern includes a responsive filter bar component that collapses into a mobile-friendly drawer. For example, a logistics company using the PADISO platform development in Canada saw a 40% increase in daily active users among drivers after embedding a mobile-optimized delivery performance dashboard.

Choosing the Right Charts

Superset supports over 50 visualization types, but for customer-facing embedded contexts, less is more. Stick to bar/line/area charts, tables, big numbers, and maybe a map if geography matters. Avoid exotic visuals like Sankey diagrams or treemaps unless your user base is data-savvy. D23.io often pre-loads a curated set of 10-15 chart types to keep the interface simple and reduce training overhead.

Sharing and Embedding: From Iframe to API-First {#sharing-embedding}

Superset offers two main embedding methods: iframe embed and the newer Embedded SDK. The D23.io pattern supports both, but for production, the SDK is the preferred route because it gives you programmatic control over the dashboard lifecycle.

Iframe Embed

The classic approach: you generate a URL with a guest token, drop it into an <iframe> on your app page, and pray. It works, but you have limited control over what happens inside the iframe—custom event handling, resizing, and cross-origin communication are messy. However, for simple use cases, it’s quick. D23.io’s iframe embed includes a token refresh mechanism so the dashboard doesn’t expire mid-session and leaves the user staring at a login screen.

The Superset Embedded SDK

The @superset-ui/embedded-sdk is a lightweight JavaScript library that mounts a Superset dashboard as a React component inside your application. This gives you full control over events (e.g., ON_CHART_CLICK) and allows you to pass filters programmatically. For instance, you could link a Superset chart to your app’s navigation, so clicking a bar chart segment drills into a relevant detail page—not just a Superset drill-down. In a recent Washington, D.C. government project, PADISO used the SDK to embed real-time budget dashboards into an existing .NET Core portal, with single-sign-on via SAML and audit logs flowing to a SOC 2-compliant SIEM.

Row-Level Security (RLS) in Practice

RLS is the mechanism that ensures the right data shows up. In Superset, you define RLS filters on a dataset, typically something like tenant_id = {{ current_tenant_id() }}. But that Jinja template function needs a way to retrieve the value. The D23.io pattern uses a custom security manager that reads the tenant_id from the JWT claim and makes it available as a session variable. This setup is validated exhaustively during the audit-readiness phase: for every customer-facing dashboard, D23.io runs automated tests that assert a tenant user cannot access another tenant’s data, even by manipulating query parameters. This level of rigor is what makes the solution acceptable under a Vanta-monitored SOC 2 program.

Hardening for Production: Security, Compliance, and Resilience {#production-hardening}

Moving from a staging environment to production isn’t just a checkbox—it’s a mindset shift. An embedded dashboard that loads slowly or breaches data once can destroy customer trust and trigger a contract breach. The D23.io pattern bakes in production readiness from day one.

Infrastructure and Scaling

Superset is stateless at the web layer, so scaling horizontally is straightforward. D23.io deployments typically run on a managed Kubernetes cluster (EKS, AKS, or GKE) with auto-scaling based on request latency and CPU. The database connection pool (using Celery for async queries) and the caching layer (usually Redis) are tuned for concurrency. For clients in Chicago, where a trading platform needed to serve real-time P&L dashboards to 300 concurrent users, PADISO’s platform team configured a Celery worker pool of 50 nodes and a Redis Sentinel cluster, achieving 95th-percentile query times under 2 seconds.

Caching and Data Freshness

End users hate stale data, but they also hate waiting. Superset supports multiple caching backends—you can cache dashboard views, chart data, and even query results. D23.io’s pattern recommends a tiered approach: short-lived (5-minute) Redis cache for frequently accessed dashboards, and a longer-lived Apache Parquet-backed materialization for historical snapshots that don’t change often. This is especially valuable for platform development in Australia, where a real-estate analytics firm wanted daily property valuations without hammering their transactional database.

Monitoring and Alerting

In production, you need eyes on the system. The D23.io Helm chart includes pre-configured Prometheus metrics exporters and Grafana dashboards that track dashboard load times, token validation errors, RLS failures, and database connection pool saturation. Alerts are routed to PagerDuty or OpsGenie so your team knows about a problem before customers do. PADISO’s fractional CTO engagements often include setting up this observability stack as part of the initial rollout, as was done for a New York-based media company that launched a subscriber analytics portal.

Compliance and Audit Readiness

For companies pursuing SOC 2 or ISO 27001, embedding analytics adds a new data boundary. The D23.io pattern maps each component to the required controls: encryption at rest for all data stores, TLS everywhere, immutable audit logs for all token generation events, and role-based access to the Superset admin UI itself. PADISO often pairs this with Vanta to streamline evidence collection. While we never promise a certification outcome, the architecture is designed to make audit-readiness a straightforward exercise. For example, a Canberra government client achieved IRAP assessment readiness by layering D23.io on a sovereign AWS instance with strict data residency.

The Typical D23.io Engagement: What You Get {#typical-engagement}

A D23.io engagement is not a one-size-fits-all consulting project. It follows a structured pathway that aligns with how fast-moving mid-market teams actually work. Even though the exact scope varies, most engagements break into five phases:

  1. Architecture & Discovery (2-3 weeks): We map your data sources, tenant hierarchy, and user personas. This often involves a deep dive with your engineering lead and product owner. By the end, you have a detailed architecture diagram, a data model spec, and a prioritized list of dashboards to build first.
  2. Foundation Setup (3-4 weeks): We deploy the D23.io stack—Kubernetes manifests, Superset container, proxy, monitoring—into your cloud environment. If you don’t have one, we help you set up a production-grade cluster on AWS, Azure, or GCP. At this stage, RLS is configured, authentication is wired, and a test dashboard is live with synthetic data.
  3. Dashboard Build & Iteration (4-6 weeks): Working with your product team, we build the core dashboards. This is often the most collaborative phase; we model the data, create virtual datasets, design the charts, and run user acceptance testing with a small group of end customers. PADISO’s platform team in Gold Coast recently completed this phase for a tourism SaaS, delivering 12 dashboards in six weeks.
  4. Security Hardening & Compliance (2-3 weeks): Penetration testing, RLS validation, audit log integration, and documentation for SOC 2/ISO 27001 control mapping. If you’re on Vanta, we align our deployment scripts to feed into your existing monitoring.
  5. Handover & Runbooks (2 weeks): We transfer all configuration, playbooks, and custom code to your team, and run a series of tabletop drills for common failure scenarios. You also get a set of Terraform scripts to reproduce the entire stack in a new environment—handy for disaster recovery.

While PADISO doesn’t publish fixed pricing, the typical mid-market engagement fits within the fractional CTO retainer or a single-project budget. The result is a production-ready embedded analytics layer that doesn’t burden your team with ongoing maintenance surprises.

Real Results: How One SaaS Cut Reporting Costs by 70% {#real-results}

Let’s ground this pattern in a concrete example—without naming the company due to confidentiality. A US-based vertical SaaS provider serving the insurance industry had 150 carriers on its platform, each demanding monthly loss-run reports. The company had been using a combination of Tableau and home-grown PDF generators, paying over $240K annually in licensing and dev costs.

They engaged PADISO through the platform development in the United States practice. The D23.io pattern was deployed on their existing AWS infrastructure, with ClickHouse as the underlying database to handle billions of claims rows. PADISO’s team modeled a set of carrier-specific dashboards that included claims frequency, severity, and comparison against industry benchmarks. Within 12 weeks, the solution was live, embedded directly into the carrier portal using the Superset SDK.

The results: annual reporting costs dropped by 68%, carrier NPS went up 12 points, and the internal analytics team reclaimed 20 hours per week previously spent on ad-hoc data pulls. As a bonus, the unified data model became the foundation for a new AI-driven fraud detection system that PADISO later help them build.

This is the kind of outcome we aim for with every D23.io rollout—not just a tech swap, but a measurable lift in efficiency and user satisfaction. You can read more such stories on the PADISO case studies page.

Getting Started: Your First Embedded Dashboard in a Week {#getting-started}

If you’re already familiar with Superset, you can get a basic embedded dashboard running in a week by following the official quickstart guide and the embedding docs. But for a production-grade system, you’ll quickly run into the multi-tenancy and scaling challenges this article outlined.

Here’s a pragmatic step-by-step path to move forward:

  1. Audit your data sources and tenancy model. Identify all SQL databases, data lakes, or APIs that will feed the embedded dashboards. Map out how tenants are identified and whether you need schema-per-tenant or row-level filtering.
  2. Stand up a proof-of-concept. Use Docker Compose to run Superset locally, connect to a sample database, and build one dashboard with RLS. Validate that the data filtering works as expected.
  3. Evaluate build vs. buy. You can certainly harden this PoC yourself, but if your team lacks deep Superset expertise or you’re on a tight timeline, consider a D23.io engagement. PADISO offers a free architecture review call—mention this article when you reach out.
  4. Plan for operations. Even before you go live, decide who will own the dashboards, how you’ll handle schema changes, and what uptime SLA you’ll commit to. The D23.io runbooks give you a head start.
  5. Engage your compliance officer early. If you’re pursuing SOC 2, bring in your security team during the architecture phase. Their input on data flows and access controls will save you rework.

The companies we work with in Canada, Australia, and New Zealand often tell us that the embedded analytics project becomes a forcing function for better data governance across the whole organization. That’s a strategic win that goes beyond dashboards.


Ready to turn your customer-facing reporting from a cost center into a competitive advantage? Book a call with PADISO’s team to discuss your Superset embedding project. Whether you’re a private-equity backed software roll-up or a Series B startup, we can help you ship an enterprise-grade analytics experience—fast. And if you’re already using D23.io, our fractional CTOs can integrate it into your broader AI and cloud strategy. Let’s build something that moves the needle.

Want to talk through your situation?

Book a 30-minute call with Kevin (Founder/CEO). No pitch - direct advice on what to do next.

Book a 30-min call