Security

How AI Analyst protects your data at every layer.

Our current security posture: AI Analyst is an early-stage product. We implement strong foundational security practices and rely on certified third-party infrastructure. We do not yet hold our own SOC 2 or ISO 27001 certifications — those are on our roadmap as we scale.

Architecture Overview

AI Analyst uses a two-step architecture that separates query generation from insight generation, minimising what each AI call receives.

Step 1 — SQL generation: Only your table structure (column names, data types, and a sample of distinct values for low-cardinality columns like status fields) is sent to the AI. No row data is involved at this step.

Step 2 — Insight generation: After the SQL executes on our servers, we compute aggregate statistics across your entire result set — totals, averages, min/max, distributions. Those pre-computed numbers, plus up to 50 sample rows for entity context (e.g. customer names), are then sent to the AI to generate the executive summary, key findings, and KPI cards. The AI uses our pre-computed statistics for all numerical values — it is not deriving conclusions from 50 rows alone.

Step 1: Question + Schema only → AI → SQL query
Step 2: SQL runs on our servers → aggregate stats (all rows) + 50 sample rows → AI → Insights
✓ Full datasets stay on platform infrastructure; AI calls receive only the context needed for each step
✓ KPI numbers are computed on our servers from all result rows — not inferred from a sample
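
A sketch of the two payloads described above, added here as an illustration and not AI Analyst's own code. The function names, the low-cardinality threshold of 10 and the sample data are assumptions. It shows which row-derived values leave the server at each step: distinct values of low-cardinality columns in step 1, and aggregates plus at most 50 sample rows in step 2.

```python
from statistics import mean

LOW_CARDINALITY_MAX = 10   # assumed threshold; the page gives no number
SAMPLE_ROW_CAP = 50        # the page's stated cap on sample rows


def schema_context(rows):
    """Step 1 payload: column names, types, and distinct values only for
    low-cardinality columns. No whole rows are included."""
    columns = []
    for name in rows[0]:
        values = [r[name] for r in rows]
        col = {"name": name, "type": type(values[0]).__name__}
        distinct = sorted(set(values), key=str)
        if len(distinct) <= LOW_CARDINALITY_MAX:
            col["distinct_values"] = distinct
        columns.append(col)
    return {"columns": columns}


def insight_context(result_rows):
    """Step 2 payload: aggregates over every result row, plus a capped sample."""
    stats = {}
    for name in result_rows[0]:
        values = [r[name] for r in result_rows]
        # Aggregate numeric columns only; bool is excluded on purpose.
        if all(isinstance(v, (int, float)) and not isinstance(v, bool)
               for v in values):
            stats[name] = {"sum": sum(values), "mean": mean(values),
                           "min": min(values), "max": max(values)}
    return {"row_count": len(result_rows), "stats": stats,
            "sample_rows": result_rows[:SAMPLE_ROW_CAP]}


# Constructed sample data: 200 orders, each with a unique customer name.
ROWS = [{"customer": f"Customer {i:03d}",
         "status": ("paid", "open", "void")[i % 3],
         "amount": i} for i in range(1, 201)]

if __name__ == "__main__":
    print(schema_context(ROWS))
    ctx = insight_context(ROWS)
    print(ctx["row_count"], ctx["stats"], len(ctx["sample_rows"]))
```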

Encryption

Data is encrypted in transit using TLS. Data stored in our managed infrastructure is protected at rest using cloud-provider encryption controls. Database connector credentials are encrypted at the application level before storage.

Server-Side Statistics, Not AI Guesswork

SQL generation uses only your schema — no row data. For insights, aggregate statistics (sum, mean, max, distributions) are computed on our servers across all result rows, then passed to the AI. KPI values come from our math, not the AI's interpretation of a sample.

AI Processing

We use OpenAI and Anthropic APIs for SQL generation and insight analysis. SQL generation uses schema information only. Insight generation uses server-computed metrics plus up to 50 sample rows for context. We rely on our providers' published API security programs and data-handling commitments.

Third-Party Compliance

Payment processing is handled by Stripe, authentication by Clerk, and file storage by Cloudflare R2. Those vendors publish their own security and compliance certifications. We rely on those controls for the services they provide, but our product does not automatically inherit their certifications.

Data Isolation

User data is isolated at the application level, with ownership checks on datasets and queries. Uploaded files are stored with dataset-scoped keys, and access is enforced by the application. The system is designed to prevent cross-account access.

Data Deletion

You can delete uploaded datasets from the My Data page, and we process those deletions from active storage promptly. Account-deletion requests can be sent to support@agenticanalyst.io, and we process associated data removal within our operational retention window.

Responsible Disclosure

If you discover a security vulnerability, please report it to support@agenticanalyst.io. We take all reports seriously and will review them as soon as possible.