Security & Trust

Built for teams that cannot afford a data leak

QuerySafe Intelligence is designed so that customer data never leaves your BigQuery warehouse. This page documents how we make that work, what we promise in writing, and how to verify it.

Our zero-data-leak commitment

Your data does not leave your BigQuery warehouse. QuerySafe Intelligence runs queries inside your own Google Cloud project using a service account you control. We do not copy, sync, replicate, or cache your row-level data on our servers.

We only see the queries you let us run and the results returned. Those results are processed in memory to format the answer for your screen and are not persisted to long-term storage.

If you revoke the service account, we lose access instantly. There is no shadow copy. There is no orphaned cache. You keep the keys.

This commitment is reflected in the Data Processing Agreement we sign with every customer.

What we promise, in writing

Every commitment below is reflected in the DPA we sign with you. No fine-print escape hatches.

No data movement

Your data stays inside your BigQuery datasets. Queries execute in your warehouse, in your region, under your access policies.

Read-only by default

The service account we ask you to grant is read-only. We cannot mutate, drop, or alter your tables. You can audit this in your Google Cloud IAM console.

PII masked by default

Personally identifiable fields are masked in results before they reach your screen. Aggregated summaries are shown in place of raw customer IDs unless explicitly authorized.

Full query audit trail

Every query is logged with the user, the prompt, the generated SQL, the timestamp, and the tables touched. The log is exportable for your compliance team.

Encrypted in transit

All connections to BigQuery and to our service use TLS 1.2 or higher. Your data is never sent over an unencrypted channel.

Role-based access

Different roles inside your QuerySafe workspace see different rows, columns, and capabilities. Row-level security is mirrored from your BigQuery policies.

How a query actually flows

This is the path from the moment a user asks a question to the moment they see the answer. No magic, no hidden steps.

Query lifecycle

Step 01: User asks a question
A plain-English question is entered in QuerySafe and sent over TLS to our service.

Step 02: SQL is generated
A schema-aware LLM produces a SQL query, which is validated against your BigQuery schema before execution.

Step 03: Query runs in your warehouse
The query is executed inside your BigQuery project under your service account. Data never leaves your perimeter.

Step 04: Result formatted, then discarded
The result is processed in memory to format the answer and is not written to long-term storage on our side.

What we store long-term: the question text, the SQL we generated, the tables touched, timestamps, and the user who asked. This is the audit trail. What we do not store: the actual row values returned by the query.
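As an added illustration (not QuerySafe's own code), the Python below sketches steps 02 to 04 from the service side: a generated query is checked for mutating statements and for tables outside the known schema, executed through a stand-in for the BigQuery client, and only the audit metadata plus a PII-masked answer is kept, never the raw rows. The schema, the PII column list, the regexes and the fake_execute function are constructed assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Constructed tenant schema (dataset.table -> columns) and the columns treated as PII;
# both are illustrative assumptions, not QuerySafe's real configuration.
SCHEMA = {
    "sales.orders": {"order_id", "customer_id", "amount", "region"},
    "sales.customers": {"customer_id", "email", "country"},
}
PII_COLUMNS = {"customer_id", "email"}

# Statements that would mutate data; a read-only service account must never run them.
MUTATING = re.compile(r"\b(INSERT|UPDATE|DELETE|MERGE|DROP|ALTER|CREATE|TRUNCATE)\b", re.I)
# dataset.table references after FROM or JOIN, with optional backticks.
TABLE_REF = re.compile(r"\b(?:FROM|JOIN)\s+`?(\w+\.\w+)`?", re.I)


def validate_sql(sql, schema=SCHEMA):
    """Step 02: reject mutating statements and unknown tables; return tables touched."""
    if MUTATING.search(sql):
        raise ValueError("only read-only statements are permitted")
    tables = sorted({t.lower() for t in TABLE_REF.findall(sql)})
    unknown = [t for t in tables if t not in schema]
    if not tables or unknown:
        raise ValueError(f"query does not match the known schema: {unknown or 'no tables'}")
    return tables


def mask_rows(rows, pii=PII_COLUMNS):
    """Step 04: mask PII columns in memory before the answer is formatted."""
    return [{k: ("***" if k in pii else v) for k, v in row.items()} for row in rows]


def run_question(user, question, sql, execute, now=None):
    """Validate, execute via the caller-supplied warehouse function, and return the
    audit entry plus the masked answer; the raw rows are not retained anywhere."""
    tables = validate_sql(sql)
    audit = {  # what is stored long-term: metadata only, never row values
        "user": user, "prompt": question, "sql": sql, "tables_touched": tables,
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
    }
    return audit, mask_rows(execute(sql))


def fake_execute(sql):
    """Constructed stand-in for the BigQuery client: returns two fixed rows."""
    return [{"customer_id": 17, "email": "a@example.com", "amount": 42.0},
            {"customer_id": 18, "email": "b@example.com", "amount": 7.5}]
```

The regexes are only a sketch of the schema check; in a real service a proper SQL parser or a BigQuery dry run should decide which tables a query references before anything executes.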

Compliance and certifications

Where we are today. We commit to honest status, not aspirational claims.

Framework | Status | Detail
GDPR alignment | In effect | DPA available. Data subject rights honored. EU sub-processors mapped. No data transferred outside the customer's chosen region.
India DPDP Act | In effect | Compliant with the Digital Personal Data Protection Act 2023. Indian customer data stays in asia-south1 by default.
SOC 2 Type II | In progress | Audit engagement underway. Targeting completion in the next 6 months. Letter of engagement available on request.
ISO/IEC 27001 | Planned | Internal controls aligned to ISO/IEC 27001:2022. Formal certification targeted after SOC 2.
HIPAA | On request | Not currently positioned for HIPAA-regulated workloads. Reach out if you need a path forward and we will discuss.

Sub-processors

The third-party services we use to deliver QuerySafe Intelligence. We notify you in advance of any change.

Service | Purpose | Data region
Google Cloud Platform | Application hosting, BigQuery connectivity | asia-south1 (India) by default
Google Gemini API | Natural language to SQL translation | Zero-training mode, no data retention
Cloud SQL (PostgreSQL) | Application metadata: prompts, generated SQL, audit logs | asia-south1 (India)
Stripe | Payment processing | Billing data only. PCI DSS Level 1.

Incident response

If we identify or are notified of a security incident affecting customer data, we follow a documented response plan: containment, investigation, customer notification within 72 hours of confirmation, and post-incident review. Customers receive a written report within 30 days of resolution.

To report a security concern or suspected vulnerability, email security@metricvibes.com. We respond within one business day.

Need our DPA, sub-processor list, or anything else?

Download our standard Data Processing Agreement. For custom terms, security questionnaires, or your CISO's vendor assessment, email security@metricvibes.com and we will get back within one business day.