Trust Center

Your Data Never Leaves Your Database

Squish only queries your database's system catalogs to read table names, column names, and data types. We never read, copy, or store your actual row data.

How Squish Accesses Your Database

A transparent look at exactly what happens when you connect a database to Squish.

  • Squish sends a metadata query (system catalog query only): SELECT table_name, column_name FROM information_schema
  • Your database returns metadata only
  • Returned to Squish: table names, column names, data types
  • Never queried: SELECT * FROM your_tables
  • After discovery: credentials encrypted, connection closed

What Squish Accesses vs. What It Never Touches

What Squish Accesses

  • Table names and schema names
  • Column names and data types
  • Primary key and foreign key definitions
  • Index and constraint metadata
  • Approximate row counts

What Squish Never Touches

  • Row data from your tables
  • Customer records or PII
  • Application data or business logic
  • Stored procedures or functions
  • Database user credentials
  • Financial or payment data

Choose Your Access Level

Start with just your warehouse. Expand when you are ready.

Recommended

Warehouse Only

info_schema only

What you connect

  • Snowflake
  • BigQuery
  • Databricks
  • Redshift

What you get

  • Full warehouse relationship map
  • Implicit join discovery
  • dbt model validation
  • Semantic layer bootstrap

Full Stack

info_schema per database

What you connect

  • Everything in Warehouse Only
  • PostgreSQL
  • MySQL

What you get

  • Cross-database lineage
  • ETL relationship validation
  • Full-stack data map
  • Source-to-warehouse tracing

Statistical

info_schema + COUNT (Optional)

What you connect

  • Same databases as Full Stack
  • COUNT query permissions

What you get

  • Confidence scores
  • Cardinality analysis
  • Ambiguous match disambiguation
  • Value overlap scoring

No tier requires access to row data. Even at the Statistical level, Squish runs only COUNT and COUNT(DISTINCT) queries, never reading actual values. Statistical analysis is optional, and we recommend running it against data warehouses or read replicas rather than production OLTP databases.

Exact SQL Queries We Run

Full transparency. These are the actual queries Squish executes against your database at Security Level 1 (metadata only).

List all tables

SELECT table_schema, table_name
FROM information_schema.tables
WHERE table_schema NOT IN (
  'information_schema', 'pg_catalog'
);

List columns for each table

SELECT table_name, column_name,
       data_type, is_nullable
FROM information_schema.columns
WHERE table_schema = 'public';

Credential Security

Your database credentials are protected at every stage.

AES-256-GCM

Credentials encrypted with AES-256-GCM at rest using customer-specific keys

Cloud KMS

Encryption keys managed through Google Cloud KMS with automatic rotation

Never Logged

Credentials are never written to logs, error messages, or API responses

Never Cached

Credentials are decrypted only at query time and discarded from memory after use

Recommended: Use a Read-Only Database User

For maximum security, create a dedicated read-only database user for Squish with access limited to information_schema. This ensures Squish cannot access your data even if the credentials are compromised.

View setup guides for PostgreSQL, MySQL, Snowflake, and BigQuery
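
One way to apply this recommendation on PostgreSQL and then verify it, as an added example that is not Squish's own setup guide. The role name squish_metadata, the database appdb and the schema public are assumed names, and the password is a placeholder.

```sql
-- Added example for PostgreSQL; role, database and schema names are constructed.
-- Run as a database administrator.

-- 1. Login role with no elevated attributes.
CREATE ROLE squish_metadata LOGIN
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOBYPASSRLS
  CONNECTION LIMIT 2
  PASSWORD 'REPLACE_WITH_GENERATED_SECRET';

GRANT CONNECT ON DATABASE appdb TO squish_metadata;
GRANT USAGE ON SCHEMA public TO squish_metadata;

-- 2. information_schema views list only objects the current role owns or
--    holds some privilege on. REFERENCES makes tables and columns visible
--    there without granting SELECT on their rows.
GRANT REFERENCES ON ALL TABLES IN SCHEMA public TO squish_metadata;

-- 3. Audit effective privileges (direct, inherited, or granted to PUBLIC).
--    Each query below must return zero rows.

-- 3a. Relations whose rows the role could read, in whole or by column.
SELECT n.nspname AS table_schema, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')
  AND n.nspname <> 'information_schema'
  AND n.nspname NOT LIKE 'pg\_%'
  AND has_any_column_privilege('squish_metadata', c.oid, 'SELECT');

-- 3b. Schemas where the role could create objects. CREATE combined with
--     REFERENCES would let it define foreign keys against your tables.
--     Before PostgreSQL 15, PUBLIC holds CREATE on schema public by default.
SELECT nspname AS schema_name
FROM pg_namespace
WHERE nspname NOT LIKE 'pg\_%'
  AND has_schema_privilege('squish_metadata', oid, 'CREATE');
```

Tables created after step 2 are not covered by that grant, so re-run it or set default privileges when new tables should appear in discovery. Re-run the step 3 audit after any change to grants on PUBLIC.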

Security Principles

Our security model is built on the principle of least privilege. We only access what we need, when we need it, and we never store your actual data.

Read-Only Access

Squish only reads database metadata through system catalogs like information_schema. We never modify your data, execute writes, or store your actual data.

AES-256 Encryption

Database credentials are encrypted with AES-256 at rest. All stored credentials are encrypted before being written to the database.

TLS In Transit

All communications use TLS encryption. API traffic and database connections are encrypted in transit.

JWT Authentication

JWT-based authentication with secure token handling. MFA support available for additional account security.

Organization Isolation

Role-based access control with organization-level isolation. Users can only access connections and discoveries within their organization.

Audit Logging

Logging of security-relevant actions including logins, connection access, and discovery runs.

Infrastructure Security

Squish runs on enterprise-grade cloud infrastructure with multiple layers of security controls.

Cloud Infrastructure

Infrastructure runs on managed cloud services with isolated execution environments and encrypted credential storage.

PostgreSQL Backend

User data stored in managed PostgreSQL with organization-level data isolation enforced at the application and database level.

Compliance

We are committed to meeting the compliance requirements of enterprise organizations.

Data Residency

US Region

Data is currently hosted in US regions. Contact us for specific data residency questions.

SOC 2

Planned

SOC 2 certification is on our roadmap as we scale. Not yet in progress.

Privacy Controls

Active

User account data deletion available upon request. We implement privacy best practices for user data handling.

Security Inquiries

Questions about our security practices?

Have questions about how Squish handles your data? We are happy to discuss our security practices and provide additional documentation.

security@squishdata.com
