
Security at Kyomi

Security isn't just a feature—it's foundational to everything we build. This page explains our security practices in detail.


Our Security Philosophy

Privacy by design: Kyomi is built to store as little of your warehouse data as possible. We cache table/column metadata for search, but your actual data rows stay in your warehouse. Query results either stream directly to your browser or pass through our infrastructure without being stored (except limited 20-row samples in AI chat history). With Kyomi Connect, your database credentials never leave your infrastructure at all.

Defense in depth: Multiple layers of security protect your account, data, and infrastructure — whether you connect directly or via Kyomi Connect.

Transparency: We're open about our security practices so you can make informed decisions.


Data Security

Your Data Warehouse Data

The most important point: we store as little of your warehouse data as possible, and we encrypt the little we do store.

What we cache: Table and column metadata (names, types, descriptions) to enable intelligent search. This metadata is workspace-isolated.

What we don't cache: Your actual data rows. Query results are handled differently depending on the mode (see below).

Kyomi has three data access modes with different security implications:

Mode 1: AI Agent Queries (Server-Side, Limited)

  • 20-row limit - AI queries are restricted to a maximum of 20 rows
  • Server-side analysis - Results sent to our backend for AI analysis
  • Encrypted storage - 20-row samples stored encrypted at rest with AES-256-GCM (for chat history display)
  • Workspace-isolated - Only you can access your chat data
  • User-deletable - Delete chat history anytime

Mode 2: Standard Dashboard Access (Default, Most Secure)

  • Direct to browser - Results stream directly from your data warehouse API to your browser
  • Bypasses our servers - Data never touches our infrastructure
  • Client-side processing - DuckDB WASM processes data in your browser
  • No storage - Query results aren't stored by us

This is the default mode for dashboards and the SQL editor.

Mode 3: Arrow Streaming (Opt-In, Faster)

  • Optional checkbox - You choose to enable this for faster downloads
  • Through our server - Data passes through our backend (20-100x faster)
  • In-memory only - Data never written to disk on our servers
  • No storage - Data immediately discarded after streaming

Result: Even if our servers were compromised:

  • Mode 1 (AI Agent): Only encrypted 20-row samples exposed (not full datasets)
  • Mode 2 (Standard): Zero data warehouse data exposed (bypasses our servers)
  • Mode 3 (Arrow): Zero data warehouse data exposed (in-memory only, no persistence)

With Kyomi Connect

If you use Kyomi Connect instead of a direct connection, the data flow changes:

  • Database → Connect agent → Kyomi backend — All queries pass through the agent on your infrastructure
  • Same storage rules apply — Query results are not stored by the Connect agent or by Kyomi's backend (except 20-row AI samples)
  • Mode 2 note — With Connect, query results pass through Kyomi's backend rather than streaming directly from your warehouse API to your browser. Results are still not persisted
  • Arrow Streaming not applicable — Mode 3 (Arrow Streaming) is a BigQuery-specific optimization and is not available for Connect-based datasources

If the Connect agent host were compromised:

  • The agent has access to your database (via locally stored credentials) — the same access you granted it
  • Query results pass through the agent's memory briefly but are not cached or written to disk
  • The agent's authentication token could be used to impersonate the agent to Kyomi's backend. Revoke tokens immediately from Settings if you suspect compromise

Connection Security by Datasource Type

Different datasources use different authentication methods, all secured appropriately:

OAuth-Based (Most Secure)

  • BigQuery: Google OAuth 2.0 with automatic token refresh
  • Snowflake: OAuth 2.0 for enterprise deployments
  • Databricks: OAuth 2.0 for supported deployments
  • Azure Synapse: Microsoft OAuth 2.0 with automatic token refresh
  • Slack: OAuth 2.0 with automatic token refresh

Token-Based

  • Databricks: Personal Access Tokens (encrypted at rest)
  • ClickHouse: Tokens or username/password

Username/Password

  • PostgreSQL, MySQL, SQL Server, Redshift, Snowflake, Synapse
  • Credentials encrypted with AES-256-GCM at rest
  • SSH tunnel support for on-premise databases

Key Pair Authentication

  • Snowflake: RSA key pair authentication supported
  • Private keys encrypted at rest

Kyomi Connect (On-Premise Agent)

  • Agent authenticates to Kyomi via ES256-signed JWT token
  • Token is verified against Kyomi's public key (fetched once at startup via JWKS)
  • Tokens are revocable — issuing a new token invalidates the previous one
  • Database credentials are stored locally on the customer's machine, not on Kyomi's infrastructure
  • All communication between Connect agent and Kyomi backend is over TLS-encrypted WebSocket

All credentials for direct connections are:

  • Encrypted in transit (TLS 1.3)
  • Encrypted at rest (AES-256-GCM)
  • Workspace-isolated (multi-tenant)
  • Deletable at any time

Kyomi Connect credentials are:

  • Stored locally on your infrastructure (not on Kyomi's servers)
  • Config files created with restricted file permissions (owner read/write only)
  • For Kubernetes: injected from Kubernetes Secrets, never written to disk inside the container
  • Your responsibility to secure and rotate

Application Data

Data we do store (chat messages, dashboards, queries, catalog metadata) is protected with:

Encryption

  • In transit - TLS 1.3 for all connections
  • At rest - AES-256-GCM authenticated encryption for:
    • Chat message content (AI responses, summaries)
    • Chat message metadata (20-row data samples)
    • OAuth tokens (Google, Snowflake, Databricks, Microsoft access/refresh tokens)
  • Backups - Encrypted backups in Google Cloud Storage

Catalog Metadata

We cache metadata about your data warehouse tables to enable intelligent search:

What we store:

  • Table names, descriptions, and schema structure
  • Column names, data types, and descriptions
  • Modified timestamps for incremental indexing

What we DON'T store:

  • Actual data rows from your tables
  • Query results (except 20-row samples in AI chat history)

How it's protected:

  • ✅ Stored in PostgreSQL database
  • ✅ Workspace-isolated (only your team can access)
  • ✅ Used only for search functionality
  • ✅ Incremental updates minimize data transfer

Why we cache it: metadata caching enables semantic search across thousands of tables, helping you quickly find relevant datasets without repeatedly querying your warehouse.

Access Controls

  • Multi-tenant isolation - Workspace data is strictly isolated
  • Role-based access - Users only see what they're authorized to see
  • API authentication - OAuth 2.0 with short-lived access tokens
  • Session management - Secure HTTP-only cookies

Data Retention

  • Active data - Kept while your account is active
  • Deleted data - Permanently deleted within 30 days
  • Backups - Retained for 30 days, then permanently deleted
  • Logs - Security logs kept for 90 days

Analytics Data (Kyomi Analytics — Separate from Data Warehouse Connections)

The security model above describes data warehouse connections where your data stays in your warehouse. Kyomi Analytics (built-in website tracking) is different — we collect and store anonymized event data on our infrastructure. Here's how we secure it:

  • Cookie-free — No cookies set on your website visitors' browsers
  • IP hashing — Visitor IPs are hashed with a daily rotating salt; raw IPs are never stored
  • No PII — No personal data is collected or stored
  • Isolated storage — Analytics events stored in ClickHouse, workspace-isolated
  • Encryption — Data encrypted in transit (TLS 1.3) and at rest
  • Automatic cleanup — Data automatically deleted after retention period (tier-dependent)
  • Domain validation — Events are only accepted from domains you've explicitly configured
  • Separate infrastructure — Analytics data is stored in a dedicated ClickHouse database, isolated from application data
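
The daily rotating salt pattern can be sketched in a few lines. In this Python illustration (a sketch of the general technique, not Kyomi's actual code), the salt is derived from a server-side secret plus the current date, so a visitor hashes consistently within one day but cannot be linked across days:

```python
import datetime
import hashlib

def visitor_hash(ip: str, secret: bytes, day: datetime.date) -> str:
    # Derive a per-day salt from a server-side secret and the date;
    # rotating the salt daily makes cross-day linking impossible.
    salt = hashlib.sha256(secret + day.isoformat().encode()).digest()
    # Only the hash is ever stored; the raw IP is discarded immediately.
    return hashlib.sha256(salt + ip.encode()).hexdigest()
```

Because only the digest is persisted, even a full dump of the analytics database reveals no raw visitor IPs.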

Kyomi Connect Agent Security

Kyomi Connect is an on-premise agent that runs on your infrastructure to bridge your database to Kyomi. Because it runs outside our infrastructure, its security model is different from the rest of Kyomi.

What the Agent Is

  • An open-source Rust application licensed under Apache 2.0 — the source code is publicly auditable by your security team
  • Distributed as a single statically-linked binary (~10 MB) or a minimal scratch-based Docker container
  • Runs as a long-lived process on your server, VM, or Kubernetes cluster
  • Makes only outbound connections — no inbound ports or firewall rules required

Authentication

Agent → Kyomi backend:

  • The agent authenticates using an ES256-signed JWT token issued by Kyomi
  • The token contains the datasource ID, workspace ID, and database type — no database credentials
  • On each connection, Kyomi's backend verifies the JWT signature, checks the token hasn't been revoked, and validates the datasource configuration
  • Tokens can be revoked instantly from Settings — issuing a new token invalidates the old one
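
Because the token is a standard three-part JWT, anyone can decode (though not verify) its payload with nothing but base64 and confirm the point above: it carries identifiers, never database credentials. The Python sketch below uses hypothetical claim names; signature verification is deliberately omitted, since the real backend verifies the ES256 signature against its JWKS key:

```python
import base64
import json

def _b64url(data: bytes) -> str:
    # JWTs use unpadded base64url encoding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    # Inspect the payload only; this does NOT check the ES256 signature.
    payload = token.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))

# Sample token with illustrative claim names (the real names may differ)
claims = {"datasource_id": "ds_123", "workspace_id": "ws_456", "db_type": "postgres"}
header = _b64url(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
token = ".".join([header, _b64url(json.dumps(claims).encode()), "signature"])
```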

Agent → Your database:

  • The agent connects to your database using credentials stored locally on your machine
  • SSL/TLS is supported and configurable (prefer, require, verify-ca, verify-full)
  • The agent tests the database connection on startup and fails fast if it cannot connect

Network Connections

The agent makes exactly three types of outbound connections:

  • JWKS key fetch - Once at startup, over HTTPS. Fetches Kyomi's public key to verify its own JWT token
  • WebSocket to Kyomi - Persistent, over WSS (TLS). Receives queries from Kyomi, sends back results
  • Database connection - Per query, over the database-native protocol (with optional TLS). Executes SQL queries against your database

No other network connections are made. No telemetry, no analytics endpoints, no crash reporting services, no DNS lookups beyond what's needed for the above.

Local Data Handling

  • No data cache — The agent does not cache query results, schema data, or any database content on disk or in memory beyond what's needed to process the current request
  • No log files — Logs are written to stdout only (structured JSON), suitable for collection by your existing log infrastructure (Docker, systemd, Kubernetes). No log files are written to disk by the agent
  • No local database — The agent has no embedded database or persistent state beyond its configuration file

Credential Storage

  • Config file (~/.config/kyomi-connect/config.toml) — Contains database host, port, name, user, SSL mode, and the Kyomi JWT token. Created with file permissions 0600 (owner read/write only)
  • Password file (~/.config/kyomi-connect/.db-password) — Contains the database password in a separate file. Created with file permissions 0600
  • Kubernetes — Credentials are injected as environment variables from Kubernetes Secrets. The container uses a scratch base image with no shell, no package manager, and no writable filesystem
  • Systemd — Credentials stored in /etc/kyomi-connect/env with restricted permissions, loaded as environment variables by the systemd unit

Updates

The Connect agent does not auto-update. You control when to update:

  • Binary installations — Download the new version and replace the existing binary
  • Docker — Pull the new image tag
  • Kubernetes/Helm — Run helm upgrade with the new chart version

We recommend updating promptly when we announce security patches. We will clearly communicate security-relevant updates via email to workspace owners.

Compromise Scenarios

  • Connect host compromised - Impact: attacker could access your database using the locally stored credentials and impersonate the agent to Kyomi. Mitigation: revoke the Connect token from Settings immediately, rotate your database credentials, and investigate the host
  • Kyomi backend compromised - Impact: attacker could send arbitrary SQL to the agent for execution. Mitigation: the agent executes queries as whatever database user you configured, so use a read-only user with least-privilege permissions
  • JWT token stolen - Impact: attacker could impersonate the agent from another machine. Mitigation: revoke and reissue the token from Settings; the old token is invalidated immediately
  • Network interception - Impact: attacker could observe query traffic between the agent and Kyomi. Mitigation: all traffic is TLS-encrypted (WebSocket over TLS); enable database SSL for the local connection as well

Authentication & Access

Authentication Methods

Kyomi supports multiple secure authentication methods:

Email & Password

  • Passwords hashed using bcrypt (industry-standard one-way hashing)
  • We never store plaintext passwords
  • Recommended: Use a strong, unique password
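
One-way hashing means login verification recomputes the hash from the submitted password and compares digests; the stored value cannot be reversed. A stdlib Python sketch of the idea, using scrypt as a stand-in because bcrypt requires a third-party package (Kyomi uses bcrypt):

```python
import hashlib
import hmac
import os

def hash_password(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)  # a unique salt per user defeats rainbow tables
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    # Constant-time comparison avoids timing side channels
    return hmac.compare_digest(candidate, digest)
```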

Google OAuth

  • Industry-standard OAuth 2.0 flow
  • No password to manage for Kyomi
  • Leverages Google's security infrastructure

Passkeys (WebAuthn)

  • Passwordless authentication using device biometrics or security keys
  • Public key cryptography - private keys never leave your device
  • Phishing-resistant by design
  • Supported on modern browsers and devices

Two-Factor Authentication (2FA)

  • TOTP-based 2FA compatible with Google Authenticator, Authy, etc.
  • Adds an extra layer of security to password-based login
  • 2FA secrets encrypted at rest

Session Security

  • Short-lived tokens - Access tokens expire automatically
  • Refresh tokens - Securely stored and rotated
  • Automatic logout - Sessions expire after a period of inactivity
  • HTTP-only cookies - Protected from XSS attacks
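
The cookie flags involved can be shown with Python's stdlib http.cookies module; the attribute values here are illustrative, not Kyomi's exact settings:

```python
from http.cookies import SimpleCookie

cookie = SimpleCookie()
cookie["session"] = "opaque-token-value"
cookie["session"]["httponly"] = True   # invisible to JavaScript (mitigates XSS theft)
cookie["session"]["secure"] = True     # sent only over HTTPS
cookie["session"]["samesite"] = "Lax"  # limits cross-site sends (CSRF hardening)
header = cookie.output(header="Set-Cookie:")
```

HttpOnly keeps the session token out of reach of any script running in the page, so even a successful XSS cannot exfiltrate it.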

Infrastructure Security

Infrastructure Hosting

  • Infrastructure - Secure dedicated servers with encrypted storage
  • Network - VPC isolation, private subnets
  • Firewalls - Strict ingress/egress rules
  • Physical security - Secure data center with controlled access

Application Security

Code Security

  • Dependency scanning - Automated vulnerability detection
  • Static analysis - CodeQL security analysis
  • Secret scanning - No credentials in code
  • Security updates - Patched within 48 hours of disclosure

Runtime Security

  • Container isolation - Docker containers with minimal attack surface
  • Least privilege - Services run with minimum necessary permissions
  • Security headers - CSP, HSTS, X-Frame-Options, etc.
  • Rate limiting - Protection against brute force and DoS
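
Rate limiting is frequently implemented as a token bucket, which permits short bursts while capping the sustained request rate. A simplified single-client sketch (illustrative; Kyomi's actual limiter may differ):

```python
import time

class TokenBucket:
    def __init__(self, rate: float, capacity: int):
        self.rate = rate          # tokens refilled per second
        self.capacity = capacity  # maximum burst size
        self.tokens = float(capacity)
        self.last = time.monotonic()

    def allow(self) -> bool:
        # Refill proportionally to elapsed time, capped at capacity
        now = time.monotonic()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False
```

In production there is typically one bucket per client key (IP address or API token), often kept in shared storage so every backend instance enforces the same limit.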

API Security

  • Input validation - All inputs sanitized and validated
  • SQL injection prevention - Parameterized queries only
  • XSS protection - Content Security Policy, output encoding
  • CSRF protection - Token-based validation
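
Parameterized queries keep user input in the data channel so it can never be parsed as SQL. A self-contained illustration using Python's sqlite3 driver (Kyomi's backend stack may differ, but the principle is identical):

```python
import sqlite3

conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE dashboards (id INTEGER, workspace_id TEXT, name TEXT)")
conn.execute("INSERT INTO dashboards VALUES (1, 'ws_a', 'Revenue'), (2, 'ws_b', 'Churn')")

malicious = "ws_a' OR '1'='1"  # attempted SQL injection
# The placeholder binds the input as a plain string value, so the OR clause
# is never parsed as SQL and the query matches no workspace.
injected = conn.execute(
    "SELECT name FROM dashboards WHERE workspace_id = ?", (malicious,)
).fetchall()

legit = conn.execute(
    "SELECT name FROM dashboards WHERE workspace_id = ?", ("ws_a",)
).fetchall()
```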

Monitoring & Detection

  • Security monitoring - 24/7 automated threat detection
  • Intrusion detection - Anomaly detection and alerting
  • Error tracking - Sentry for error monitoring
  • Audit logs - All sensitive operations logged
  • Uptime monitoring - UptimeRobot checks every 5 minutes

Third-Party Security

We carefully vet all third-party services:

Critical Services

  • Google BigQuery - Cloud data warehouse. SOC 2, ISO 27001, GDPR compliant
  • Snowflake - Cloud data warehouse. SOC 2 Type II, HIPAA eligible
  • AWS Redshift - Cloud data warehouse. SOC 1/2/3, ISO 27001
  • Azure Synapse - Cloud analytics. SOC 1/2, ISO 27001, GDPR
  • Databricks - Lakehouse platform. SOC 2 Type II, HIPAA eligible
  • PostgreSQL/MySQL - Self-hosted databases. Your security responsibility
  • ClickHouse - Analytics database. Your security responsibility
  • Google OAuth - Authentication. Industry-standard OAuth 2.0
  • Slack - Team messaging integration. SOC 2, Enterprise Grid, Enterprise Key Management
  • Stripe - Payment processing. PCI DSS Level 1

Data Processing Agreements

We have DPAs in place with all services that process customer data, ensuring:

  • GDPR compliance
  • Data protection requirements
  • Incident notification procedures
  • Secure data handling practices

Security Best Practices for Users

For Workspace Owners

  • Enable 2FA on your Google account - Protect your Kyomi access
  • Review workspace members - Remove users who no longer need access
  • Monitor usage - Check for suspicious activity
  • Keep contact info current - So we can reach you about security issues

For All Users

  • Don't share credentials - Each team member should have their own account
  • Log out on shared computers - Or use private browsing
  • Report suspicious activity - Email [email protected]
  • Keep your browser updated - For the latest security patches
  • Be cautious with dashboard sharing - Understand who can see shared dashboards

For Data Warehouse Security

For Cloud Data Warehouses (BigQuery, Snowflake, Redshift, Databricks):

  • Use least-privilege IAM/roles—Grant Kyomi only necessary permissions
  • Enable audit logging—Track all data warehouse access
  • Monitor costs—Detect unusual query patterns
  • Use network restrictions where available

For Self-Hosted Databases (PostgreSQL, MySQL, ClickHouse):

  • Use read-only database users for Kyomi
  • Restrict network access (firewall rules, VPN, SSH tunnels)
  • Enable database audit logging
  • Rotate credentials regularly
  • Use SSL/TLS for all connections

For Kyomi Connect Users

  • Use a dedicated database user — Create a separate, read-only database user for the Connect agent with only the permissions it needs
  • Enable database SSL — Set SSL mode to require or verify-full for the connection between the agent and your database
  • Secure the host — Restrict access to the machine running the agent. Protect the config files in ~/.config/kyomi-connect/ (they contain your database credentials)
  • Use Kubernetes Secrets — If running on Kubernetes, inject credentials from Secrets rather than embedding them in config files or Helm values
  • Monitor the agent — Collect the agent's stdout logs with your existing log infrastructure. Watch for unexpected connection drops or query errors
  • Keep the agent updated — Update to new versions promptly, especially when we announce security patches
  • Restrict outbound network — The agent only needs to reach Kyomi's backend (api.kyomi.ai on port 443) and your database. Block all other outbound traffic if your network policy allows it
  • Revoke tokens when decommissioning — If you stop using the agent, revoke its token from Settings before removing it from your infrastructure

Incident Response

If You Suspect a Security Issue

Act quickly:

  1. Email us immediately - [email protected]
  2. Include details - What you observed, when, any evidence
  3. Don't publicly disclose - Give us time to fix it first

We'll respond within 24 hours (usually much faster).

Our Incident Response Process

If we detect a security incident:

  1. Contain - Stop the threat immediately
  2. Investigate - Understand scope and impact
  3. Notify - Inform affected users within 72 hours
  4. Remediate - Fix the vulnerability
  5. Post-mortem - Learn and improve

What You'll Receive

  • Transparent communication - We'll tell you what happened
  • Timeline - When it occurred, when we detected it
  • Impact assessment - What data (if any) was affected
  • Remediation steps - What we're doing to fix it
  • Prevention - How we're preventing it from happening again

Vulnerability Disclosure

Responsible Disclosure

We welcome security researchers to help us stay secure:

  • Report vulnerabilities - [email protected]
  • Give us time to fix - 90 days before public disclosure
  • Don't exploit - Don't access user data or disrupt service
  • Act in good faith - We won't take legal action against responsible disclosures

Bug Bounty Program

Currently, we don't have a formal bug bounty program, but we:

  • Acknowledge all valid reports
  • Fix vulnerabilities promptly
  • Credit researchers (with permission) in our security updates
  • Provide public thanks for significant findings

Interested in a formal bug bounty? Email us—we're considering it for the future.


Compliance & Certifications

Current Status

  • GDPR - Compliant with EU data protection regulations
  • CCPA - Compliant with California privacy laws
  • SOC 2 - Planned for when we have enterprise customers requiring it
  • ISO 27001 - Under consideration for global certification

Privacy Regulations

We apply EU-level data protection to all users:

  • Data minimization - Collect only what's necessary
  • Purpose limitation - Use data only for stated purposes
  • Storage limitation - Retain only as long as needed
  • Integrity & confidentiality - Appropriate security measures

Security Updates

We publish security updates when appropriate:

  • Security advisories - For vulnerabilities affecting users
  • Changelog - For security-related feature updates
  • Blog posts - For major security improvements

Subscribe to updates: read our blog or follow our changelog


Questions About Security?

We're happy to discuss our security practices; email [email protected].

Response time: 24 hours for security issues, 2 business days for general questions


Security is a Journey

Security isn't a destination—it's an ongoing commitment. We continuously:

  • Monitor threats and vulnerabilities
  • Update our security practices
  • Educate our team
  • Listen to our users
  • Invest in security infrastructure

Your trust is our most valuable asset. We take that responsibility seriously.


Last updated: March 3, 2026

For our Privacy Policy, see kyomi.ai/privacy