Q: What security certifications does SeeMore Data hold?
A: Our SOC 2 Type 2 certification confirms that we undergo a rigorous, external audit covering security, availability, and confidentiality controls over an extended period. We plan to support ISO 27001 for comprehensive security governance; reports are available upon request.
Q: Do you conduct penetration tests?
A: Yes. We perform annual, third-party penetration tests to assess vulnerabilities. All findings are reviewed, prioritized, and remediated according to our internal risk management process. Reports can be provided upon request.
Q: Which regions are your services hosted in?
A: We utilize the AWS platform in the EU Central region, ensuring performance and compliance.
Q: Do you access customer data in Snowflake?
A: No, SeeMore Data does not access your raw or sensitive business data stored in Snowflake. Our platform is architected with privacy-by-design principles. We only connect to your Snowflake instance with read-only access to metadata—such as query history, table sizes, warehouse usage, and performance metrics.
This metadata is essential to deliver the core functionality of SeeMore Data, including:
- Identifying inefficient or unused queries
- Recommending warehouse right-sizing
- Mapping lineage between dbt models, Fivetran pipelines, and BI dashboards
- Calculating cost breakdowns by user, tool, or dataset
We do not ingest, process, or store raw table contents, PII, or proprietary business information. All access is controlled via least privilege principles, and we can work with you to scope permissions to meet your specific governance requirements.
For more information, please see the relevant page on the Snowflake website: SNOWFLAKE database | Snowflake Documentation
Q: Do you support 2FA, SSO, etc.?
A: Yes. SeeMore Data supports enterprise-grade identity and access management, including both Single Sign-On (SSO) and Multi-Factor Authentication (MFA).
Single Sign-On (SSO):
We integrate with a range of popular identity providers, such as Okta and Google, to support secure, centralized authentication using your organization’s existing systems.
Multi-Factor Authentication (MFA):
MFA is enforced for administrative access, and we support MFA configurations managed through your identity provider to enhance account security.
We’re happy to collaborate with your security or IT teams to ensure authentication and access controls align with your internal policies and requirements.
Q: How do you handle vulnerability reports?
A: SeeMore Data encourages responsible disclosure and maintains a transparent, structured process for receiving, assessing, and resolving security vulnerability reports.
Dedicated Reporting Channel:
Security researchers, customers, and partners can report vulnerabilities via our dedicated email address: security@seemoredata.io. This inbox is monitored by our security team.
Initial Acknowledgment:
All valid reports are acknowledged within five business days, in line with best-practice disclosure timelines. Our response includes an initial assessment and, where applicable, a request for further information to help us reproduce or understand the issue.
Triage & Risk Assessment:
Upon receipt, reports are evaluated for severity, reproducibility, and impact. Critical issues are prioritized based on the potential risk to data confidentiality, integrity, or availability.
Remediation Process:
Once validated, our engineering teams are engaged to develop and test a fix. Timeframes vary based on complexity, but critical vulnerabilities are typically patched within days. Non-critical issues follow our standard release cadence.
Communication with Reporters:
Throughout the process, we maintain communication with the reporter (if contact information is provided), including updates on progress, expected timelines, and resolution confirmation.
No Formal Bug Bounty (Yet):
While we do not currently operate a public bug bounty program, we deeply value the contributions of independent security researchers and acknowledge their efforts when appropriate.
Commitment to Transparency:
For issues that materially impact customers, we provide timely notifications, outline mitigation steps, and share postmortems where applicable.
Q: Policy Management & Change Control
A: SeeMore Data maintains a rigorous, auditable framework for managing internal policies and change control. This ensures our security and operational standards are continuously reviewed and updated, remain compliant with external certifications such as SOC 2 Type 2, and meet customer-specific requirements where required.
Centralized Policy Repository:
All organizational policies—including those for information security, access control, SDLC, incident response, and data privacy—are maintained in a centralized, version-controlled document management system. This ensures a single source of truth across departments and prevents policy drift.
Formal Policy Review Schedule:
Each policy is reviewed on a semi-annual or annual basis by designated policy owners and department heads. Reviews are logged, and policy revisions are approved by senior leadership or the Security Steering Committee.
Version Control & Audit Trails:
Every change to a policy includes:
- A documented change log (who changed what, when, and why)
- Clear version increments
- Impact assessments (e.g., whether a change affects compliance scope or employee responsibilities)
These logs are retained indefinitely and are auditable upon request by enterprise customers or external auditors.
Change Management Process:
Operational and technical changes (e.g., infrastructure updates, application rollouts) follow a defined Change Management Policy, which includes:
- Change request submission and approval workflows
- Risk and security impact assessments
- Pre-deployment testing in sandbox/staging environments
- Change window scheduling and rollback plans
Emergency Change Handling:
Emergency changes (e.g., critical patches or zero-day mitigations) are handled through an expedited but logged path that includes post-implementation reviews and approvals to ensure accountability.
Stakeholder Communication:
Material policy updates or platform changes that affect customers—such as changes in data handling, integration models, or access controls—are communicated in advance via release notes, security bulletins, or direct account management briefings.
Alignment with SOC 2 and Beyond:
Our policies are structured to exceed minimum SOC 2 requirements by incorporating automated compliance tooling, evidence collection, and continuous improvement tracking. This helps ensure we’re always audit-ready—and provides transparency to our enterprise customers.
Architecture & Controls
Q: Do you have a security architecture diagram?
A: Yes—our detailed security model, including network zones, authentication flows, and data isolation, is available under NDA.
A high-level diagram of our solution is provided here.
Q: Secure-by‑Design Cloud Infrastructure
A: Our infrastructure is hosted entirely in AWS, utilizing high availability and auto-scaling services secured with built-in compliance tools.
Q: Network Security & Fixed IP Policies
A: We support Snowflake network policies: our traffic originates from fixed IP addresses, which you can allowlist so that only those origins may connect.
Q: Authentication to Customer Environments
A: At SeeMore Data, authentication to customer environments—particularly Snowflake—is designed to be secure, auditable, and strictly read-only to enforce data isolation and minimize risk.
Read-Only Snowflake Users:
Each customer is provisioned a dedicated Snowflake user configured with read-only access. This user account is scoped exclusively to metadata schemas such as INFORMATION_SCHEMA, ACCOUNT_USAGE, and ORGANIZATION_USAGE, ensuring zero access to raw customer data or proprietary tables.
All information on the setup and configuration can be found on our support page.
Key-Pair Authentication:
Authentication is performed using public/private key pairs rather than passwords or API keys. This method enhances security by eliminating shared secrets, thereby preventing phishing and credential reuse.
- Private keys are generated and controlled by the customer and securely stored encrypted within SeeMore Data’s infrastructure.
- Public keys are registered in the customer’s Snowflake instance with minimal required permissions.
Customer-Side Network Control:
Customers retain complete control over network policies and IP whitelisting in Snowflake. All access can be limited to SeeMore Data’s fixed IP addresses, ensuring that metadata is only pulled from explicitly approved origins.
Session and Access Boundaries:
Sessions initiated by SeeMore Data are stateless and time-bound, using ephemeral connections. No long-lived credentials or tokens are stored or reused. Access frequency is limited to scheduled sync windows and rate-controlled to prevent performance impact.
Zero Data Ingress Model:
SeeMore Data never writes to, modifies, or ingests your raw data. Our integration operates in a read-only, metadata-only mode—accessing only the specific metadata you authorize. All SQL statements executed by our platform are fully transparent and auditable by your team.
Optionally, SeeMore can support infrastructure configuration and optimization actions (e.g. modifying warehouse sizes or schedules), but only when customers explicitly grant the required permissions. These capabilities are entirely opt-in and governed by strict access controls.
Auditability:
All access is logged in Snowflake’s native access logs, and additional telemetry is retained within SeeMore Data for internal auditing. Customers may request summaries or audits of access sessions if needed.
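The provisioning described above (read-only metadata role, key-pair service user, fixed-IP network policy) and the audit checks under "Auditability", as an added Snowflake SQL example. This is not SeeMore Data's own setup script: the role, user, warehouse, database and policy names, the IP addresses and the public-key value are placeholders, and the example covers ACCOUNT_USAGE and INFORMATION_SCHEMA only (ORGANIZATION_USAGE grants are assumed to be handled separately).

```sql
-- Constructed example: a read-only, metadata-scoped Snowflake service user
-- with key-pair authentication and a network policy limited to fixed IPs.
-- All object names, IPs and the key below are placeholders.
USE ROLE ACCOUNTADMIN;

-- 1. Dedicated role that can read account metadata but no table contents.
CREATE ROLE IF NOT EXISTS SEEMORE_READER;
-- ACCOUNT_USAGE views (query history, warehouse metering, login history).
GRANT IMPORTED PRIVILEGES ON DATABASE SNOWFLAKE TO ROLE SEEMORE_READER;
-- Account-level usage visibility without SELECT on any customer table.
GRANT MONITOR USAGE ON ACCOUNT TO ROLE SEEMORE_READER;
-- Warehouse utilization metrics for right-sizing; USAGE is needed because
-- queries against ACCOUNT_USAGE views still require a running warehouse.
GRANT MONITOR ON WAREHOUSE ANALYTICS_WH TO ROLE SEEMORE_READER;
GRANT USAGE   ON WAREHOUSE ANALYTICS_WH TO ROLE SEEMORE_READER;
-- USAGE only: exposes INFORMATION_SCHEMA object metadata, never row data.
GRANT USAGE ON DATABASE ANALYTICS_DB TO ROLE SEEMORE_READER;
GRANT USAGE ON ALL SCHEMAS IN DATABASE ANALYTICS_DB TO ROLE SEEMORE_READER;

-- 2. Network policy: only the vendor's published fixed egress IPs may connect.
CREATE NETWORK POLICY IF NOT EXISTS SEEMORE_INGRESS
  ALLOWED_IP_LIST = ('203.0.113.10/32', '203.0.113.11/32')
  COMMENT = 'Placeholder IPs; replace with the fixed IPs supplied by the vendor';

-- 3. Service user authenticated by RSA key pair only (no password is set).
CREATE USER IF NOT EXISTS SEEMORE_SVC
  RSA_PUBLIC_KEY    = '<PUBLIC_KEY_PLACEHOLDER>'  -- PEM body, no header/footer
  DEFAULT_ROLE      = SEEMORE_READER
  DEFAULT_WAREHOUSE = ANALYTICS_WH
  COMMENT = 'Metadata reader; key-pair auth; read-only';
GRANT ROLE SEEMORE_READER TO USER SEEMORE_SVC;
ALTER USER SEEMORE_SVC SET NETWORK_POLICY = SEEMORE_INGRESS;

-- 4. Checks the customer's security team can run at any time.
-- (a) Confirm no SELECT/INSERT/UPDATE/DELETE on tables reached the role.
SHOW GRANTS TO ROLE SEEMORE_READER;
-- (b) Audit every login attempt by the service user, including failures
--     from IPs the network policy rejected.
SELECT event_timestamp, client_ip, is_success, error_message
FROM   SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
WHERE  user_name = 'SEEMORE_SVC'
ORDER  BY event_timestamp DESC;
-- (c) Review the exact statements the integration executed.
SELECT start_time, query_text, warehouse_name, rows_produced
FROM   SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
WHERE  user_name = 'SEEMORE_SVC'
ORDER  BY start_time DESC;
```

Revoking the role's grants or dropping the network policy entry is sufficient to cut access immediately, which is what the "inspect, limit, or revoke" commitment in this document relies on.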
Q: Secure SDLC & CI/CD
A: At SeeMore Data, our Software Development Life Cycle (SDLC) and CI/CD processes are engineered to prioritize security, reliability, and speed—from the first line of code to production deployment. Security is embedded at every phase of development.
Shift-Left Security Approach:
We integrate security early in the development cycle (a “shift-left” model), enabling vulnerabilities to be identified and remediated before they reach production. This reduces risk and increases release velocity.
Test-Driven Development (TDD):
Engineers write unit and integration tests before implementing core logic, ensuring that functionality is defined and validated from the outset. Test coverage is measured and maintained at high thresholds across repositories.
Peer Code Reviews & Approval Gates:
All code changes are subject to peer review. Approval gates prevent merging into main branches unless builds pass quality and security checks, including:
- Linting and style validation
- Security policy compliance
CI/CD Pipelines:
We maintain automated Continuous Integration and Continuous Deployment (CI/CD) pipelines using tools like GitHub Actions. These pipelines:
- Run tests, scans, and validations in parallel
- Deploy infrastructure and applications in a declarative, version-controlled manner
- Require signed commits and protected branches for sensitive environments
Infrastructure as Code (IaC):
All infrastructure, including network policies, storage buckets, and identity rules, is defined using IaC (e.g., Terraform). This ensures changes are auditable, repeatable, and can be rolled back.
Environment Segregation & Staging:
Development, staging, and production environments are completely isolated. New code is tested in staging environments that mirror production before release, minimizing the risk of regression or misconfiguration.
Secrets Management:
Secrets (API keys, credentials) are never stored in source code. Instead, we use AWS Secrets Manager.
Release Audits & Rollbacks:
All deployments are logged, versioned, and monitored. In the event of anomalies or errors, our pipelines support automated rollbacks to the last stable release.
Q: Physical & Environmental Security
A: Hosting in AWS ensures data centers with strong physical security controls.
Risk Management, AI & Privacy
Q: Internal Controls & Governance
A: We maintain detailed internal policies covering all aspects of security operations.
Q: Risk & Asset Inventory
A: We maintain up-to-date inventories and conduct regular reviews of architecture and risk posture.
Q: Vulnerability Scanning & Disclosure
A: We run continuous scans and encourage responsible vulnerability disclosure.
Q: Employee Training & Security Culture
A: Employees undergo regular security awareness training.
Q: Secure AI Usage
A: At SeeMore Data, we recognize both the transformative potential and the security risks associated with Artificial Intelligence. To ensure responsible use, all AI features—whether internally developed or third-party powered—are governed by formal security policies, rigorous testing, and compliance oversight.
AI Governance Framework:
We maintain a dedicated AI governance policy that defines how AI models and services are evaluated, deployed, and monitored. This framework is aligned with global guidelines, including:
- NIST AI Risk Management Framework
Third-Party AI Risk Assessments:
Before integrating any third-party AI tool (e.g., for anomaly detection, natural language queries, or predictive analysis), we perform a full vendor risk assessment. This includes:
- Review of data handling practices
- Evaluation of model training transparency
- Verification of access boundaries and logging
- Confirmation of data locality and deletion procedures
No Customer Data Used for Training:
We do not use customer metadata or information to train any AI models, whether internally or via external APIs. Training is only performed on synthetic or publicly available datasets unless explicitly authorized in writing.
AI Feature Isolation:
AI-driven features are logically and technically separated from core services. Their access to metadata is scoped to read-only, anonymized layers to prevent any unintended inference or leakage.
Explainability and Oversight:
AI systems in production are continuously monitored, and decisions or recommendations made by AI (e.g., automated alerts or usage predictions) are explainable and traceable. We ensure that a human is always in the loop for critical decisions.
Model Security & Versioning:
All deployed models are versioned, tested in sandbox environments, and subject to rollback if regressions are detected. We scan for adversarial inputs, injection attempts, and model drift as part of our MLOps practices.
Compliance & Review Cadence:
AI features are reviewed during regular compliance audits conducted by our security team. This includes verifying usage boundaries, evaluating ethical implications, and confirming adherence to customer data protection commitments.
Q: Data Processing Agreement (DPA)
A: SeeMore Data provides a comprehensive Data Processing Agreement (DPA) that outlines our responsibilities as a data processor and ensures our customers remain compliant with major global data protection regulations—including GDPR, CCPA, and other regional privacy laws.
GDPR & Global Privacy Alignment:
Our DPA is fully aligned with the General Data Protection Regulation (EU 2016/679), covering key principles such as data minimization, lawfulness of processing, purpose limitation, and security safeguards. Where applicable, we also align with:
- California Consumer Privacy Act (CCPA/CPRA)
- UK GDPR and DPA 2018
- Other local regulations as required by customer jurisdiction
Scope of Data Processing:
The DPA clearly defines:
- The nature and purpose of processing (limited to metadata access and processing)
- The categories of data subjects (e.g., enterprise users)
- The types of data processed (e.g., system-generated metadata, user role identifiers)
- Obligations of both data controllers (customers) and processors (SeeMore Data)
Confidentiality & Access Restrictions:
All personnel accessing customer data or metadata are bound by confidentiality agreements. Access is restricted to trained employees with a valid, documented need—and is revoked immediately upon role change or termination.
Sub-Processors & Transparency:
Our DPA includes a list of approved sub-processors (e.g., AWS, Snowflake) along with their roles. Customers are notified of any intended changes and have the right to object under GDPR Article 28(2).
Data Subject Rights Support:
We provide technical and organizational assistance to support customers in fulfilling data subject rights requests, such as:
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
Cross-Border Transfers & SCCs:
Where data may be transferred outside the European Economic Area (EEA), we implement Standard Contractual Clauses (SCCs) and other safeguards to ensure lawful international data transfers.
Security Measures:
The DPA incorporates our organizational and technical security controls—such as encryption, access management, and breach notification procedures—as required under GDPR Article 32.
Data Deletion & Retention:
Upon termination of the agreement or at the customer’s request, we delete or return all personal data in accordance with the timelines outlined in the DPA, subject to applicable legal requirements.
Q: Privacy by Design
A: SeeMore Data is built with privacy as a foundational design principle, not an afterthought. Our systems, architecture, and operational practices are structured to minimize data collection, limit retention, and enforce strong safeguards—ensuring compliance with global privacy regulations such as GDPR, CCPA, and HIPAA (where applicable).
Data Minimization at the Core:
Our platform is architected to collect only the minimum amount of metadata necessary to provide functionality—such as query performance, usage statistics, and billing insights. We do not collect or store raw customer data, personally identifiable information (PII), or sensitive information.
Purpose Limitation & Justified Access:
Every metadata attribute collected serves a clearly defined business purpose (e.g., anomaly detection, performance optimization). We conduct regular reviews to validate that no data is retained “just in case,” ensuring purpose alignment under GDPR Article 5(1)(b).
Configurable Data Retention:
By default, metadata is retained for 365 days, after which it is automatically deleted. Enterprise customers can request custom retention windows, anonymization protocols, or metadata purging to align with their internal policies or regional data protection laws.
Privacy-Aware System Design:
Privacy requirements are embedded into the design process of every system and feature. New product initiatives go through Data Protection Impact Assessments (DPIAs) when applicable, and features involving third-party tools or AI/ML models undergo risk assessments and review.
Access Controls to Metadata:
Metadata access is limited to read-only scopes, governed by least privilege access models, and subject to continuous monitoring. Internal teams cannot query metadata unless granted explicit access for troubleshooting or support.
Transparency & Consent:
Our product documentation and Data Processing Agreement (DPA) outline precisely what metadata we access and how it is used. Customers have the right to inspect, limit, or revoke our access at any time.
Privacy Reviews & Audits:
SeeMore Data conducts internal privacy audits and policy reviews at least annually, and we support customer audits or DPIAs on request. We are committed to remaining transparent and accountable in our data handling practices.
Q: Bug & Vulnerability Reporting
A: Issues can be reported to security@seemoredata.io and are handled promptly.