Introduction

TextQL provides enterprise-grade data analysis capabilities while maintaining the highest standards of security and governance, including compliance with SOC2 and HIPAA frameworks. Our platform enables organizations to leverage their data warehouse investments efficiently and securely, ensuring that sensitive data remains protected while delivering powerful analytical capabilities to users across the enterprise. This whitepaper outlines our comprehensive approach to security, access control, and data governance.

From the ground up, TextQL has been designed with security and compliance in mind. Our platform incorporates industry best practices for data protection while providing flexible configuration options to meet diverse organizational needs. Whether deployed on-premises or as a hosted solution, TextQL ensures that your data remains secure and accessible only to authorized users under carefully controlled conditions.

Security Architecture Overview

TextQL’s security architecture is built on multiple layers of protection, each working in concert to ensure comprehensive data security.

Our platform employs a defense-in-depth approach, with security controls implemented at every layer of the stack. This begins at the network level with strict isolation and access controls, extends through authentication and authorization layers, and continues through to fine-grained data access policies at the query level.

The security architecture is designed to be both robust and flexible, allowing organizations to implement their security policies while maintaining operational efficiency. This approach ensures that security measures enhance rather than impede legitimate data access and analysis activities.

Authentication and Access Management

TextQL integrates seamlessly with existing enterprise authentication infrastructure through industry-standard OpenID Connect (OIDC) protocols. TextQL’s OIDC integration supports connection to common enterprise authentication solutions such as Microsoft Active Directory, Okta, Google Workspace, and more. This ensures that organizations can maintain consistent access control policies across their technology stack while leveraging existing identity management investments.

Our platform supports role-based access control (RBAC) as a fundamental security principle. Roles can be mapped directly from your existing authentication provider, ensuring consistent access policies across your organization. These roles determine not only what data users can access but also what platform capabilities are available to them.

Data Access Controls and Policies

TextQL enforces data access controls at multiple levels to ensure comprehensive security. At the database level, the platform respects and enforces native row-level security (RLS) policies, ensuring that users can only access data appropriate for their role and permissions.

Database credential management is handled securely through role-based credential sets. Each role within TextQL can be associated with specific database credentials, ensuring that users can only access data through appropriate pathways. During any given session, TextQL enforces strict boundaries based on the current user’s role and associated credentials.

All data stores with customer data, in addition to blob storage buckets buckets, are encrypted at rest. This means the data is encrypted even before it hits the database so that physical access, nor logical access to the database, is enough to read the most sensitive information.

TextQL uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit.

Ontology-Based Governance

TextQL’s ontology system provides an additional layer of governance by modeling your data warehouse in a way that reflects your organization’s structure and security requirements.

The ontology layer allows administrators to:

  • Create different views of the data warehouse for different roles
  • Configure access controls at a semantic level
  • Ensure users only see and interact with data appropriate to their function
  • Maintain consistent data governance across all interactions

This approach allows for fine-grained control over how users interact with data while maintaining a coherent and intuitive user experience.

Organizational Isolation

For organizations requiring the highest levels of data segregation, TextQL supports complete organizational isolation through our Organizations feature. This capability, available in on-premises deployments, enables the creation of entirely separated environments within the platform.

Organizations can be structured to reflect:

  • Different business units
  • Functional teams
  • Geographic regions
  • Regulatory requirements

Each organization operates as an independent entity within TextQL, with its own authentication, access controls, and data connections. This provides the highest level of isolation while maintaining centralized administration capabilities.

Deployment Options and Network Security

TextQL offers flexible deployment options to meet various security and operational requirements. Our platform can be deployed either as a single-tenant hosted solution or on-premises, with each option providing robust security controls.

Single-Tenant Hosted Deployment

In hosted deployments, TextQL operates in a dedicated Virtual Private Cloud (VPC) with strict network isolation. All data access occurs through private subnets, with carefully controlled access points. Organizations can whitelist specific IP addresses or create a VPC private link to allow secure data warehouse access, ensuring that data never traverses untrusted networks.

On-Premise Deployment

On-premises deployments provide organizations with maximum control over their security environment. The platform can be integrated directly with existing security infrastructure and policies.

The Docker-based deployment exposes only the necessary frontend interfaces, with all backend services operating within a controlled network environment. In addition to requiring enterprise SSO, the deployed frontend may be restricted to only be accessible behind corporate VPN or zero-trust network access solution. This approach ensures that data access and processing occur entirely within your security perimeter.

Conclusion

TextQL’s comprehensive security and governance features enable organizations to leverage their data assets while maintaining strict control over access and usage. Our platform’s flexible configuration options, robust security controls, and integration capabilities ensure that organizations can implement their security policies effectively while providing powerful data analysis capabilities to their users.

By combining multiple layers of security controls, from network isolation to fine-grained access policies, TextQL provides a secure environment for enterprise data analysis. Whether deployed on-premises or as a hosted solution, our platform helps organizations balance the needs for data access and security in an increasingly complex regulatory environment.