Security & Data Handling

How Sparvi handles your data, what we store, and what we don't.

The headline

Sparvi never stores your row-level data. We query your warehouse for metadata, statistics, and validation results. The data itself stays in your warehouse, under your access controls.

What we store

  • Table and column metadata (names, types, sizes, freshness timestamps)
  • Column statistics (counts, distinct values, null rates, distributions)
  • Validation rule definitions and execution results (pass/fail, threshold values, counts)
  • Schema change history (what changed, when, by whom in your warehouse)
  • User account data (email, name, organization membership)

What we don't store

  • Row-level data from your warehouse
  • PII from customer records
  • Query results beyond aggregate statistics needed for validation
  • Credentials in plaintext (everything is encrypted at rest)

Connection security

Sparvi requires read-only credentials to your warehouse. We recommend:

  • Snowflake: key-pair authentication with a dedicated read-only role scoped to the schemas you want monitored
  • BigQuery: service account JSON with BigQuery Data Viewer and BigQuery Job User permissions on the target dataset(s)

Service account JSON and private keys are encrypted at rest with AES-256 and decrypted in memory only during query execution.
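One way to implement the Snowflake recommendation above, as an added example that is not Sparvi's own setup script. The role, user, warehouse, database and schema names are placeholders, and the privilege set (USAGE plus SELECT on one schema) is an assumption about what a read-only, schema-scoped role looks like.

```sql
-- Added example: least-privilege Snowflake role for a monitoring service.
-- SPARVI_RO, SPARVI_SVC, MONITOR_WH and ANALYTICS.SALES are placeholder names.

USE ROLE SECURITYADMIN;  -- can create roles/users and manage grants

CREATE ROLE IF NOT EXISTS SPARVI_RO
  COMMENT = 'Read-only role for data-quality monitoring';

-- Compute and container access: USAGE only, no CREATE/MODIFY/OPERATE.
GRANT USAGE ON WAREHOUSE MONITOR_WH      TO ROLE SPARVI_RO;
GRANT USAGE ON DATABASE  ANALYTICS       TO ROLE SPARVI_RO;
GRANT USAGE ON SCHEMA    ANALYTICS.SALES TO ROLE SPARVI_RO;

-- Read access limited to the monitored schema. The FUTURE grants cover
-- objects created later, so the role never needs a broader scope.
GRANT SELECT ON ALL TABLES    IN SCHEMA ANALYTICS.SALES TO ROLE SPARVI_RO;
GRANT SELECT ON FUTURE TABLES IN SCHEMA ANALYTICS.SALES TO ROLE SPARVI_RO;
GRANT SELECT ON ALL VIEWS     IN SCHEMA ANALYTICS.SALES TO ROLE SPARVI_RO;
GRANT SELECT ON FUTURE VIEWS  IN SCHEMA ANALYTICS.SALES TO ROLE SPARVI_RO;

-- Dedicated service user with key-pair authentication and no password.
-- Paste the body of the PEM public key (without the BEGIN/END lines);
-- the private key stays outside Snowflake.
CREATE USER IF NOT EXISTS SPARVI_SVC
  DEFAULT_ROLE      = SPARVI_RO
  DEFAULT_WAREHOUSE = MONITOR_WH
  RSA_PUBLIC_KEY    = '<PUBLIC_KEY_BODY_PLACEHOLDER>'
  COMMENT           = 'Service user for monitoring, key-pair auth only';

GRANT ROLE SPARVI_RO TO USER SPARVI_SVC;

-- Verification: the role should hold only USAGE and SELECT privileges,
-- and the user should hold only SPARVI_RO.
SHOW GRANTS TO ROLE SPARVI_RO;
SHOW GRANTS TO USER SPARVI_SVC;
```

Repeat the schema-level grants for each additional schema you want monitored, and review the `SHOW GRANTS` output for any privilege other than USAGE or SELECT before handing over the key.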

Infrastructure

  • Hosting: Microsoft Azure (US East). Database: managed Postgres via Supabase.
  • Transit encryption: TLS 1.2+ for all client connections; TLS for warehouse connections.
  • At-rest encryption: AES-256 for all stored data.
  • Backups: daily point-in-time backups with 30-day retention.

Access controls

  • Authentication: email + password with two-factor (TOTP) via authenticator app.
  • Authorization: organization-scoped. Users in one organization cannot see another organization's data; this is enforced by row-level security policies in our database.
  • Roles: owner, admin, member, and viewer roles. Admins control connections, integrations, and user invitations; members and viewers cannot.
  • Session tracking: active sessions are tracked per user with IP, device, and last-active timestamp; users can terminate sessions from their settings.
  • Audit log: security events (sign-in, MFA enrollment, session termination) are logged with timestamp and actor. Expansion to cover all configuration-change events (monitors, connections, role assignments) is on the near-term roadmap and tracked publicly.

SSO and enterprise security

We're honest that we're early. SAML SSO is not yet shipped. If SAML is a hard requirement for your security review, talk to us before evaluating: we offer founding-customer commitments with implementation dates in writing. The build path is well-scoped (WorkOS integration, ~1 week of engineering work) and we'll commit to a date as part of your contract.

What is built today: MFA, organization-scoped data isolation, role-based access (owner/admin/member/viewer), API keys for programmatic access, encrypted credentials at rest, and a public security questionnaire response (see below).

Compliance

We do not currently hold SOC 2 Type II certification. We follow SOC 2-aligned controls and can share our control documentation under NDA for security reviews. A SOC 2 Type I audit is targeted to begin once we have 5 paying customers; the Type II observation period would complete approximately 6 months after.

For healthcare customers: a HIPAA Business Associate Agreement (BAA) is available on request. We follow HIPAA-aligned controls for PHI handling. Email contact@sparvi.io if your evaluation requires a signed BAA.

GDPR: we are a data processor for the metadata we store. A standard DPA is available on request.

Pre-filled security questionnaire (CAIQ-Lite): We've answered the Cloud Security Alliance's CAIQ-Lite (~50 questions) covering identity, encryption, incident response, and vendor management. Download the PDF or email us if you'd prefer the original Excel.

Incident response

Security incidents are triaged within 1 business hour. Customers affected by a security incident are notified within 24 hours of confirmation. We publish post-mortems for any incident with customer-data impact.

Reporting a vulnerability

Email security@sparvi.io. We respond within 1 business day. Responsible disclosure is appreciated.

Questions?

If your security team has a questionnaire, send it. We'll fill it out honestly, including the gaps. Email contact@sparvi.io.