Security at Kyomi

Security isn't just a feature—it's foundational to everything we build. This page explains our security practices in detail.

Our Security Philosophy

Privacy by design: We built Kyomi to minimize BigQuery data storage. We cache table/column metadata for search, but your actual data rows stay in your warehouse. Query results stream through our infrastructure but aren't stored (except limited 20-row samples in AI chat history).

Defense in depth: Multiple layers of security protect your account, data, and infrastructure.

Transparency: We're open about our security practices so you can make informed decisions.

Data Security

Your BigQuery Data

The most important point: We minimize BigQuery data storage and use encryption when we do store it.

What we cache: Table and column metadata (names, types, descriptions) to enable intelligent search. This metadata is workspace-isolated.

What we don't cache: Your actual data rows. Query results are handled differently depending on the mode (see below).

Kyomi has three data access modes with different security implications:

Mode 1: AI Agent Queries (Server-Side, Limited)

  • 20-row limit - AI queries are restricted to maximum 20 rows
  • Server-side analysis - Results sent to our backend for AI analysis
  • Encrypted storage - 20-row samples stored encrypted at rest with AES-256-GCM (for chat history display)
  • Workspace-isolated - Only you can access your chat data
  • User-deletable - Delete chat history anytime

Mode 2: Standard Dashboard Access (Default, Most Secure)

  • Direct to browser - Results stream directly from BigQuery API to your browser
  • Bypasses our servers - Data never touches our infrastructure
  • Client-side processing - DuckDB WASM processes data in your browser
  • No storage - Query results aren't stored by us

This is the default mode for dashboards and SQL editor.

Mode 3: Arrow Streaming (Opt-In, Faster)

  • Optional checkbox - You choose to enable this for faster downloads
  • Through our server - Data passes through backend (20-100x faster)
  • In-memory only - Data never written to disk on our servers
  • No storage - Data immediately discarded after streaming

Result: Even if our servers were compromised:

  • Mode 1 (AI Agent): Only encrypted 20-row samples exposed (not full datasets)
  • Mode 2 (Standard): Zero BigQuery data exposed (bypasses our servers)
  • Mode 3 (Arrow): Zero BigQuery data exposed (in-memory only, no persistence)

Application Data

Data we do store (chat messages, dashboards, queries, catalog metadata) is protected with:

Encryption

  • In transit - TLS 1.3 for all connections
  • At rest - AES-256-GCM authenticated encryption for:
    • Chat message content (AI responses, summaries)
    • Chat message metadata (20-row data samples)
    • OAuth tokens (Google access/refresh tokens)
  • Backups - Encrypted backups in Google Cloud Storage

BigQuery Catalog Metadata

We cache metadata about your BigQuery datasets to enable intelligent search:

What we store:

  • Table names, descriptions, and schema structure
  • Column names, data types, and descriptions
  • Modified timestamps for incremental indexing

What we DON'T store:

  • Actual data rows from your tables
  • Query results (except 20-row samples in AI chat history)

How it's protected:

  • ✅ Stored in PostgreSQL database
  • ✅ Workspace-isolated (only your team can access)
  • ✅ Used only for search functionality
  • ✅ Incremental updates minimize data transfer

Why we cache it: Enables semantic search across thousands of tables, helping you quickly find relevant datasets without querying BigQuery repeatedly.

Access Controls

  • Multi-tenant isolation - Workspace data is strictly isolated
  • Role-based access - Users only see what they're authorized to see
  • API authentication - OAuth 2.0 with short-lived access tokens
  • Session management - Secure HTTP-only cookies

Data Retention

  • Active data - Kept while your account is active
  • Deleted data - Permanently deleted within 30 days
  • Backups - Retained for 30 days, then permanently deleted
  • Logs - Security logs kept for 90 days

Authentication & Access

Authentication Method

We use Google OAuth for secure, passwordless authentication:

Google OAuth

  • Industry-standard OAuth 2.0 flow
  • No passwords to manage
  • Leverages Google's security infrastructure
  • Two-factor authentication via your Google account

Session Security

  • Short-lived tokens - Access tokens expire automatically
  • Refresh tokens - Securely stored and rotated
  • Automatic logout - Sessions expire after period of inactivity
  • HTTP-only cookies - Protected from XSS attacks

Infrastructure Security

Infrastructure Hosting

  • Infrastructure - Secure dedicated servers with encrypted storage
  • Network - VPC isolation, private subnets
  • Firewalls - Strict ingress/egress rules
  • Physical security - Secure data center with controlled access

Application Security

Code Security

  • Dependency scanning - Automated vulnerability detection
  • Static analysis - CodeQL security analysis
  • Secret scanning - No credentials in code
  • Security updates - Patched within 48 hours of disclosure

Runtime Security

  • Container isolation - Docker containers with minimal attack surface
  • Least privilege - Services run with minimum necessary permissions
  • Security headers - CSP, HSTS, X-Frame-Options, etc.
  • Rate limiting - Protection against brute force and DoS

API Security

  • Input validation - All inputs sanitized and validated
  • SQL injection prevention - Parameterized queries only
  • XSS protection - Content Security Policy, output encoding
  • CSRF protection - Token-based validation

Monitoring & Detection

  • Security monitoring - 24/7 automated threat detection
  • Intrusion detection - Anomaly detection and alerting
  • Error tracking - Sentry for error monitoring
  • Audit logs - All sensitive operations logged
  • Uptime monitoring - UptimeRobot checks every 5 minutes

Third-Party Security

We carefully vet all third-party services:

Critical Services

ServicePurposeSecurity Features
Google BigQueryYour data warehouseSOC 2, ISO 27001, GDPR compliant
Google OAuthAuthenticationIndustry-standard OAuth 2.0
StripePayment processingPCI DSS Level 1, we never see card numbers

Data Processing Agreements

We have DPAs in place with all services that process customer data, ensuring:

  • GDPR compliance
  • Data protection requirements
  • Incident notification procedures
  • Secure data handling practices

Security Best Practices for Users

For Workspace Owners

  • Enable 2FA on your Google account - Protect your Kyomi access
  • Review workspace members - Remove users who no longer need access
  • Monitor usage - Check for suspicious activity
  • Keep contact info current - So we can reach you about security issues

For All Users

  • Don't share credentials - Each team member should have their own account
  • Log out on shared computers - Or use private browsing
  • Report suspicious activity - Email security@kyomi.ai
  • Keep your browser updated - For the latest security patches
  • Be cautious with dashboard sharing - Understand who can see shared dashboards

For BigQuery Security

  • Use least-privilege IAM - Grant Kyomi only necessary permissions
  • Enable audit logging - Track all BigQuery access
  • Monitor costs - Detect unusual query patterns
  • Restrict by IP - Use VPC Service Controls if needed

Incident Response

If You Suspect a Security Issue

Act quickly:

  1. Email us immediately - security@kyomi.ai
  2. Include details - What you observed, when, any evidence
  3. Don't publicly disclose - Give us time to fix it first

We'll respond within 24 hours (usually much faster)

Our Incident Response Process

If we detect a security incident:

  1. Contain - Stop the threat immediately
  2. Investigate - Understand scope and impact
  3. Notify - Inform affected users within 72 hours
  4. Remediate - Fix the vulnerability
  5. Post-mortem - Learn and improve

What You'll Receive

  • Transparent communication - We'll tell you what happened
  • Timeline - When it occurred, when we detected it
  • Impact assessment - What data (if any) was affected
  • Remediation steps - What we're doing to fix it
  • Prevention - How we're preventing it from happening again

Vulnerability Disclosure

Responsible Disclosure

We welcome security researchers to help us stay secure:

  • Report vulnerabilities - security@kyomi.ai
  • Give us time to fix - 90 days before public disclosure
  • Don't exploit - Don't access user data or disrupt service
  • Act in good faith - We won't take legal action against responsible disclosures

Bug Bounty Program

Currently, we don't have a formal bug bounty program, but we:

  • Acknowledge all valid reports
  • Fix vulnerabilities promptly
  • Credit researchers (with permission) in our security updates
  • Provide public thanks for significant findings

Interested in a formal bug bounty? Email us—we're considering it for the future.

Compliance & Certifications

Current Status

  • GDPR - Compliant with EU data protection regulations
  • CCPA - Compliant with California privacy laws
  • SOC 2 - Planned for when we have enterprise customers requiring it
  • ISO 27001 - Under consideration for global certification

Privacy Regulations

We apply EU-level data protection to all users:

  • Data minimization - Collect only what's necessary
  • Purpose limitation - Use data only for stated purposes
  • Storage limitation - Retain only as long as needed
  • Integrity & confidentiality - Appropriate security measures

Security Updates

We publish security updates when appropriate:

  • Security advisories - For vulnerabilities affecting users
  • Changelog - For security-related feature updates
  • Blog posts - For major security improvements

Subscribe to updates: Blog or follow our changelog

Questions About Security?

We're happy to discuss our security practices:

Response time: 24 hours for security issues, 2 business days for general questions

Security is a Journey

Security isn't a destination—it's an ongoing commitment. We continuously:

  • Monitor threats and vulnerabilities
  • Update our security practices
  • Educate our team
  • Listen to our users
  • Invest in security infrastructure

Your trust is our most valuable asset. We take that responsibility seriously.

Last updated: November 16, 2025

For our Privacy Policy, see kyomi.ai/privacy