Your Data. Your Control.
superQuery’s data platform is based on top of your existing database, using a secure connection to query your data warehouse directly. Your optimized queries access the data needed to answer your question in your database, return the results, and the answer is stored in a short-lived cache. You can also control and configure these parameters based on your needs and policies.
Thanks to superQuery’s single point-of-access for your data, you can establish a robust data governance infrastructure, giving everyone within your company the ability to answer their own questions, while keeping data sprawl to a minimum and access to sensitive information restricted. Administrators can configure permissions by user or group, and can restrict data access from the database level all the way down to the row or column level.
Administrators can always maintain a secure experience for their users with the robust business intelligence data governance we enable.
Leverage Your Database’s Security Protocols
superQuery generates SQL that directly queries your database. The result: Your analysts and data scientists don’t need to pull your data out of the database to run queries.
Data access without changing your storage functionalities and policies
superQuery uses a read-only connection to access the minimum amount of data needed to answer your queries and only returns the relevant result set. The result: less data duplication, no long-term storage of sensitive data on local machines, and maintaining the full power of your existing database security model.
Reign your data
Secure User Access and Management
superQuery makes it easy for administrators to control users’ access from the database level down to the field level.
Easy permissions, access and configurations
Application permissions, data access, and content access can be set manually in our dashboard, programmatically via superQuery’s API, or can be inherited directly from your existing single sign-on authentication protocols.
Enterprise-level feature set
Authenticate Your Way
superQuery’s platform comes standard with enterprise-level features including two-factor authentication, SAML-based single sign-on (supporting SAML, OneLogin, and Google Apps), and team management to keep superQuery access secure and up-to-date.
Highest Data Security Encryption standards
superQuery uses industry-standard AES encryption to secure cached data stored at rest, and the TLS protocol to secure network traffic between users’ browsers and the platform.
Secure Your Database Connection
superQuery offers many options for securing connections to your database, including IP Whitelisting, SSL, SSH, PKI, and Kerberos authentication.
Comprehensively monitored and fully auditable
Because superQuery’s data platform provides a single point of contact for employees’ work with your enterprise’s data, it’s far easier to keep track of exactly who accessed what, when, and what they did with it.
Easily Keep Track of Usage and Development
superQuery logs every interaction so administrators can audit usage and easily set up scheduled reports and alerts. And because superQuery’s data model is version-controlled, you can also track when metric definitions have changed, who changed them and why.
Easy Configuration of Support Access
superQuery monitors and regularly audits company support technicians’ access to your instance (and as of superQuery release 4.22, you’ll be able to easily turn that access on or off).
Our Shared Security Partnership
superQuery connects to your organization’s database, and is designed to leave your data in that database. Because superQuery connects to technology that you are responsible for maintaining, security becomes a shared responsibility between superQuery and you.
Application Data Collected by superQuery
While there is no permanent storage of your data in the superQuery application, by default, the application passes the following information back to us to perform license validation and enhance the service.
- License checks – License information, including the number of users, roles, and database connections
- Basic usage – URLs accessed, time of access, and browser type
- Backups – Encrypted backups of the superQuery instance’s database, which includes saved Looks, query history, and user settings
- Error emails – Errors from superQuery servers are generated for Engineering’s use to diagnose and improve the product (note that passwords and other private information is filtered out)
- User admin emails – Mail generated from support@superQuery.io provides new account welcome emails, forgotten password reset links, and scheduled data delivery. If preferred, you can configure these emails to use your own SMTP service instead.
- Support tickets – Support is provided on demand via an embedded chat client service through Intercom.
NOTE: By default, superQuery stores models in a secured GitHub repository.
- Cloud Security – superQuery uses Amazon Web Services and other hosting providers to offer industry-standard security, availability and durability of hosted superQuery implementations.
- Product Security – superQuery is responsible for ensuring that the code quality for the superQuery application is developed according to industry-wide best practices for software development, and is regularly tested for vulnerabilities.
- Corporate Security – superQuery is responsible for educating and disseminating security best practices throughout its organization, and ensuring that superQuery’s ancillary applications, systems, and networks are securely configured and monitored.
- Physical Security – superQuery is responsible for monitoring the superQuery corporate facilities, and ensuring that both offices and hardware are protected.
You are responsible for configuring secure access between the superQuery application and your database. superQuery provides extensive recommendations on how to do this, including:
- Enabling secure database access using tools like IP whitelisting, SSL/TLS encryption, and SSH tunneling.
- Setting up the most locked-down database account permissions for superQuery that still allow it to perform needed functions.
You are also responsible for controlling access and permissions for users of your superQuery instance within your company. We recommend:
- Setting up user authentication using either a native username/password option or, preferably, using a more robust authentication mechanism like 2FA, LDAP, Google OAuth, or SAML.
- Setting up the most restrictive user permissions and content access that still allow people to carry out their work, paying special attention to who has admin privileges.
- Setting up any API usage in a secure way.
- Regularly auditing any public access links your users create and restricting the permission to create them, as necessary.
Cloud Security Architecture
superQuery hosts its software on AWS Cloud Services, which means that as a superQuery customer, you’ll inherit the robust standards of cloud security maintained by AWS, which superQuery builds on top of for its own security best practices. superQuery also uses industry best practices for the development and testing of the superQuery application, ensuring that code quality meets our standards before becoming part of a superQuery release.
The superQuery application is managed on AWS Facilities which comply with over 50 data security certifications, regulations, and frameworks. Physical security is managed by AWS, with facilities monitored by video surveillance, and intrusion detection systems.
Physical separation of data
The superQuery application is hosted in a single-tenant environment physically separating the instances of superQuery customers from each other. The superQuery application is hosted in a single tenant AWS Availability Zone (AZ) environment by default. If you have specific availability needs, you can contact your Account Manager to request implementing the application in a cluster configuration.
Data Security Architecture
superQuery follows AWS best practices for security architecture. Proxy servers secure access to the superQuery application by providing a single point to filter attacks through IP blacklisting and connection rate limiting.
superQuery employs a Cloud-based distributed backup framework for superQuery-hosted customer servers.
Availability and durability
The superQuery application can be hosted in a variety of different AWS data centers across the globe.
Monitoring & Authentication
Access to a customer’s back-end servers
Access to superQuery-hosted back-end environment requires approval and multiple layers of authentication.
Access to a customer’s superQuery application
Employee access to customer superQuery instances is provided in order to support a customer’s needs. Access requires approval and multiple layers of authentication. Additionally, customers can control all access from superQuery to their application via a Support toggle.
Monitored user access
Access to your superQuery environment is uniquely identified, logged, and monitored.
Network and application vulnerability scanning
superQuery’s front-end application and back-end infrastructure is scanned for known security vulnerabilities at least monthly.
Logs across the superQuery production and corporate environments are collected and stored centrally for monitoring and alerting on possible security events.
Reputation monitoring/threat intelligence
Collected logs and network activity are checked against commercial threat intelligence feeds for potential risks.
Anomalous activity, like unexpected authentication activity, triggers alarms.
Data Security Encryption
Application sensitive data stored locally including database connection configurations and cached query data is encrypted and secured using AES encryption.
Secure credential storage & encryption
Native username and passwords are secured using a dedicated password-based key derivation function (bcrypt) with hashing and salting.
Data in transit is encrypted and secured from the user’s browser to the application via TLS.
SSL / SSH encryption
superQuery enables you to configure your database connection via encrypted TLS or SSH.
Code development is done through a documented SDLC process which includes guidance on how code is tested, reviewed, and promoted to production.
Peer review and unit testing of code
Code is peer reviewed before being committed to the master code branch of the superQuery application. Functional and unit tests are performed using automated tools.
Routine developer training
Developers are regularly trained on secure coding practices.
Code quality tests
superQuery utilizes automated tests specifically targeting injection flaws, input validation, and proper CSRF token usage.
Regular third-party penetration testing
superQuery performs regular third-party penetration tests against the superQuery application and hosted environment.
Single sign on
superQuery provides SAML-based single sign on for users, offering support for SSO solutions from Google Apps, OneLogin, and SAML.
superQuery provides the ability to authenticate users based on Lightweight Directory Access Protocol (LDAP), enabling administrators to link LDAP groups to superQuery roles and permissions.
superQuery provides the ability to use two-factor authentication via Google Authenticator.
superQuery works under robust security protocols to secure the superQuery Office premises and materials that contain sensitive information. superQuery also invests in properly vetting and training staff to ensure that there is an organization-wide appreciation for data security.
Personal & Third Parties
Led by the Chief Security Officer (CSO), superQuery has an established a dedicated information security function responsible for security and data compliance across the organization.
Policies and procedures
superQuery maintains various security policies that are maintained, communicated, and approved by management to ensure everyone clearly knows their security responsibilities.
New contractors and employees are required to pass a background check and sign confidentiality agreements.
Security awareness education
superQuery new-hires complete security training as part of the entry into the organization. Employees receive routine security awareness training and confirm adherence to Company security policies. superQuery employees are reminded of security best practices through informal and formal communications.
superQuery maintains a vendor management program to ensure that third-parties comply with an expected level of security controls.
superQuery maintains a robust security risk management program. Our CSO chairs our internal quarterly Security Steering Committee.
superQuery’s Security and Operations team is available 24/7 to respond to security alerts and events.
Policies and procedures
superQuery maintains a documented incident response plan.
Incident response training
Employees are trained on security incident response processes, including communication channels and escalation paths.
superQuery Premises and Hardware
Monitoring and secure access to superQuery offices
superQuery offices are protected by security measures including security cameras.
superQuery uses a combination of endpoint management tools to monitor, patch, and protect its laptop population. Laptops have encrypted hard drives and are protected with sign-on password. Also, an AV/HIDs solution is installed on laptops to protect against malware and monitor for possible security events.
Data Security, Privacy & Compliance
One of the priorities of superQuery’s security practices is to ensure that use of your data is transparent, safe, and respectful. To that end, superQuery maintains a Compliance team to perform regular assessments and ensure that risks are appropriately being mitigated and that controls are designed and operating correctly.
Data Security & Compliance
Healthcare data security compliance
superQuery customers include HIPAA Covered Entities and Business Associates. Since superQuery doesn’t extract your data, we don’t categorize data as sensitive, personal health information or according to other schemas. Instead, we handle all data according to the same security standards. superQuery will assist you to carry out HIPAA-related security obligations & compliance, which can include executing Business Associate Agreements as needed.
SOC 2 and ISO 27001 compliance
superQuery has a SOC 2 Type 1 report and and is collecting evidence for the Type 2 audit. We anticipate the Type 2 report being available in September, 2018. Following the SOC 2 Type 2 audit, superQuery will direct its attention towards ISO 27001.
EU Compliance & GDPR Compliance
superQuery has many users in the European Economic Area and will work with you to assure database compliance with Personal Data handling requirements and cross-border transfer requirements under the EU Privacy Directive, and the new GDPR.
Determine where superQuery is hosted
superQuery lets you determine where your superQuery is to be hosted. Currently your superQuery hosted instance can reside in the US, Japan, Ireland, Australia, or Brazil.