Security

How AI Analyst protects your data at every layer.

Our current security posture: AI Analyst is an early-stage product. We implement strong foundational security practices and rely on certified third-party infrastructure. We do not yet hold our own SOC 2 or ISO 27001 certifications — those are on our roadmap as we scale.

Architecture Overview

AI Analyst uses a two-step architecture that separates query generation from insight generation, minimising what each AI call receives.

Step 1 — SQL generation: Only your table structure (column names, data types, and a sample of distinct values for low-cardinality columns like status fields) is sent to the AI. No row data is involved at this step.

Step 2 — Insight generation: After the SQL executes on our servers, we compute aggregate statistics across your entire result set — totals, averages, min/max, distributions. Those pre-computed numbers, plus up to 50 sample rows for entity context (e.g. customer names), are then sent to the AI to generate the executive summary, key findings, and KPI cards. The AI uses our pre-computed statistics for all numerical values — it is not deriving conclusions from 50 rows alone.

Step 1: Question + Schema only → AI → SQL query
Step 2: SQL runs on our servers → aggregate stats (all rows) + 50 sample rows → AI → Insights
✓ Your full dataset never leaves our servers
✓ KPI numbers are computed on our servers from all result rows — not inferred from a sample
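The two payloads described above, sketched as an added example (this is not AI Analyst's code). The function names, the low-cardinality threshold of 10 and the sample rows are assumptions; the 50-row cap is the figure stated on this page.

```python
from statistics import mean

SAMPLE_ROW_LIMIT = 50      # "up to 50 sample rows", as stated on this page
LOW_CARDINALITY_MAX = 10   # assumed threshold; the page gives no number

def column_type(values):
    """Coarse type name inferred from the non-null values of one column."""
    kinds = {type(v).__name__ for v in values if v is not None}
    return kinds.pop() if len(kinds) == 1 else "mixed"

def schema_payload(rows):
    """Step 1: column names and types, plus distinct values for
    low-cardinality columns only. No rows are included."""
    payload = {}
    for col in rows[0]:
        values = [r[col] for r in rows]
        entry = {"type": column_type(values)}
        distinct = sorted({v for v in values if v is not None}, key=str)
        if len(distinct) <= LOW_CARDINALITY_MAX:
            entry["distinct_values"] = distinct
        payload[col] = entry
    return payload

def is_number(v):
    return isinstance(v, (int, float)) and not isinstance(v, bool)

def insight_payload(result_rows):
    """Step 2: aggregates over every result row, plus a capped row sample."""
    stats = {}
    for col in result_rows[0]:
        nums = [r[col] for r in result_rows if is_number(r[col])]
        if nums:
            stats[col] = {"count": len(nums), "sum": sum(nums),
                          "mean": mean(nums), "min": min(nums), "max": max(nums)}
    return {"row_count": len(result_rows), "stats": stats,
            "sample_rows": result_rows[:SAMPLE_ROW_LIMIT]}

# Constructed sample data: 200 orders, not real customer records.
ROWS = [{"customer": f"cust-{i:03d}", "status": ("paid", "open", "void")[i % 3],
         "amount": i * 10} for i in range(1, 201)]

if __name__ == "__main__":
    print(schema_payload(ROWS))
    out = insight_payload(ROWS)
    print(out["row_count"], out["stats"]["amount"], len(out["sample_rows"]))
```

Serialising each payload and checking it for values that should not be present (here, any `cust-` identifier in the Step 1 payload) is a simple regression test for this kind of data-minimisation boundary.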

Encryption

All data in transit is encrypted using TLS. All data at rest is encrypted using AES-256 by our cloud infrastructure providers (Railway for the database, Cloudflare R2 for file storage). Database connector credentials are encrypted at the application level before storage.

Server-Side Statistics, Not AI Guesswork

SQL generation uses only your schema — no row data. For insights, aggregate statistics (sum, mean, max, distributions) are computed on our servers across all result rows, then passed to the AI. KPI values come from our math, not the AI's interpretation of a sample.

AI Processing

We use OpenAI and Anthropic APIs for SQL generation and insight analysis. Only your schema structure, aggregated query results, and up to 50 sample rows (as described in the Architecture Overview) are sent to these providers; your full dataset never leaves our servers. Both providers maintain SOC 2 Type II certifications for their API infrastructure.

Third-Party Compliance

Payment processing by Stripe is PCI DSS Level 1 compliant. Authentication by Clerk is SOC 2 Type II certified. File storage by Cloudflare R2 is ISO 27001 certified. We inherit these compliance guarantees for the services they provide.

Data Isolation

User data is isolated at the application level — each account can only access its own datasets and queries. Uploaded files are stored in isolated per-user paths in cloud storage. No cross-account data access is possible through our application.

Data Deletion

Delete any uploaded dataset anytime from the My Data page — deletion removes the file from storage immediately. When you close your account, all associated data is permanently deleted within 90 days. You may request immediate deletion by emailing support@agenticanalyst.io.

Responsible Disclosure

If you discover a security vulnerability, please report it to support@agenticanalyst.io. We take all reports seriously and will review them as soon as possible.