Security Model
A complete technical reference for how Squish accesses your database, what queries we run, and how credentials are managed.
Security Levels
Squish operates at three security levels. You choose which level to use when running discovery. Level 1 (metadata only) is the default and is sufficient for most use cases.
Metadata Only (Default)
Queries only information_schema and system catalogs. Returns table names, column names, data types, and constraint definitions. No actual data is read.
SELECT table_schema, table_name, table_type
FROM information_schema.tables
WHERE table_schema NOT IN (
  'information_schema', 'pg_catalog'
);

SELECT table_name, column_name,
       data_type, is_nullable,
       column_default
FROM information_schema.columns
WHERE table_schema = 'public';

SELECT tc.table_name,
       tc.constraint_type,
       kcu.column_name,
       ccu.table_name AS foreign_table,
       ccu.column_name AS foreign_column
FROM information_schema.table_constraints tc
JOIN information_schema.key_column_usage kcu
  ON tc.constraint_name = kcu.constraint_name
LEFT JOIN information_schema.constraint_column_usage ccu
  ON ccu.constraint_name = tc.constraint_name
WHERE tc.table_schema = 'public';

Statistical Sampling
In addition to metadata, runs COUNT and COUNT(DISTINCT) queries to compute cardinality statistics for relationship scoring. Never reads actual values.
SELECT COUNT(*) FROM schema.table_name;

SELECT COUNT(DISTINCT column_name)
FROM schema.table_name;

Query History Analysis
On supported databases (PostgreSQL pg_stat_statements, Snowflake QUERY_HISTORY), analyzes past query patterns to identify join relationships. Reads query text, not data.
SELECT query, calls, mean_exec_time
FROM pg_stat_statements
WHERE query ILIKE '%JOIN%'
LIMIT 100;

Credential Lifecycle
Encryption at Rest
When you save a connection, credentials are immediately encrypted with AES-256-GCM using a customer-specific key from Google Cloud KMS. The plaintext is discarded.
Decryption at Query Time
When a discovery job runs, the encrypted credentials are loaded and decrypted in memory. A database connection is established using the decrypted credentials.
Query Execution
Metadata queries are executed against information_schema and system catalogs. Only schema structure is returned. No row data is read.
Connection Closed
After queries complete, the database connection is closed. Decrypted credentials are cleared from memory. Results (table/column metadata) are stored.
Network Architecture
Transport Encryption
All connections to customer databases use TLS 1.2 or higher. SSL mode is enforced by default (ssl_mode=require). API traffic uses TLS 1.3 with HSTS headers.
No Credential Caching
Credentials are never cached in application memory, Redis, or any intermediate store. Each query execution decrypts credentials fresh from the encrypted store.
Service Isolation
Each microservice runs in an isolated Cloud Run container. The connection service (which handles credentials) is separate from the discovery service (which processes metadata). Inter-service communication uses internal-only networking with JWT authentication.
No Inbound Access Required
Squish connects outbound to your database. You do not need to expose any inbound ports or set up VPN tunnels. Ensure your database accepts connections from Squish's IP range (available on request for IP allowlisting).
Data Flow
User creates connection
|
-> Credentials encrypted (AES-256-GCM)
-> Stored in Supabase (encrypted blob)
|
User starts discovery
|
-> Credentials decrypted in memory
-> TLS connection to customer DB
-> SELECT FROM information_schema
-> Metadata returned (table names, columns, types)
-> Connection closed
-> Credentials cleared from memory
|
Discovery results stored
|
-> Schema metadata (table names, column names)
-> Discovered relationships (FK and inferred)
-> Confidence scores
-> NO row data, NO PII, NO application data
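
A customer-side check of the claims above, as an added example that is not Squish's code: it classifies statements from a PostgreSQL statement log against the three security levels (numbered in the order this page lists them) and flags anything that fits none of them. It assumes log_statement = 'all', log_line_prefix = '%m [%p] %u@%d ' and a hypothetical role named squish_ro; the matching is a conservative regex heuristic, and the sample log lines are constructed.

```python
import re

# Assumptions (not from the page): PostgreSQL with log_statement = 'all',
# log_line_prefix = '%m [%p] %u@%d ', and a hypothetical role "squish_ro".
LOG = re.compile(r"\] (?P<user>\w+)@\w+ LOG:\s+statement: (?P<sql>.*)$")
IDENT = r'[\w".]+'
# Relation after FROM/JOIN; the lookahead records a comma join without
# consuming the alias, so a following JOIN keyword is still matched.
REL = re.compile(r"\b(?:FROM|JOIN)\s+(" + IDENT
                 + r")(?=(?:\s+(?:AS\s+)?\w+)?\s*(,)?)", re.I)
CATALOG = re.compile(r"^(information_schema|pg_catalog)\.", re.I)
# Level 2 shape: one COUNT(*) or COUNT(DISTINCT col) over one table.
COUNT_ONLY = re.compile(r"^SELECT\s+COUNT\(\s*(?:\*|DISTINCT\s+" + IDENT
                        + r")\s*\)\s+FROM\s+" + IDENT + r"\s*;?$", re.I)

def classify(sql):
    """Return the documented level (1, 2, 3) a statement fits, or 0 if none."""
    stmt = " ".join(sql.split())
    if ";" in stmt.rstrip("; ") or not stmt.upper().startswith("SELECT"):
        return 0  # stacked statements, or anything that is not a SELECT
    found = REL.findall(stmt)
    rels = [name.replace('"', "").lower() for name, _ in found]
    if not rels or any(comma for _, comma in found):
        return 0  # no relation, or a comma join (absent from documented queries)
    if all(CATALOG.match(r) for r in rels):
        return 1  # metadata only
    if rels == ["pg_stat_statements"]:
        return 3  # query history analysis
    return 2 if COUNT_ONLY.match(stmt) else 0  # statistical sampling, else out of scope

def audit(log_lines, role):
    """Return (level, sql) for every statement the given role ran."""
    hits = (LOG.search(line) for line in log_lines)
    return [(classify(m["sql"]), m["sql"]) for m in hits if m and m["user"] == role]

# Constructed sample log lines, not real output.
PREFIX = "2024-01-01 10:00:00.000 UTC [101] squish_ro@appdb LOG:  statement: "
SAMPLE = [PREFIX + q for q in (
    "SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'public';",
    "SELECT COUNT(DISTINCT customer_id) FROM public.orders;",
    "SELECT query, calls, mean_exec_time FROM pg_stat_statements WHERE query ILIKE '%JOIN%' LIMIT 100;",
    "SELECT email FROM public.customers LIMIT 5;",
    "SELECT t.table_name FROM information_schema.tables t JOIN public.customers c ON true;",
)] + ["2024-01-01 10:00:01.000 UTC [102] app@appdb LOG:  statement: SELECT * FROM public.orders;"]

if __name__ == "__main__":
    for level, sql in audit(SAMPLE, "squish_ro"):
        print("OUT OF SCOPE" if level == 0 else f"level {level}", "|", sql)
```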