Security & Compliance

Security Service

From day one, Select Star was designed with data security and confidentiality in mind. As a data discovery platform that’s designed to consume metadata from multiple sources, Select Star applies the highest standards for secure data management and confidentiality protection for its users. Also, we believe it is our responsibility to be transparent with how we operate and govern our data collection and processing.

System Metadata Only

Select Star does not access your data values or run queries against your data. Select Star's access and data processing is restricted to system metadata and query logs only. When connecting to your data sources, we recommend creating a dedicated service account for Select Star with metadata-only roles and permissions as defined in our docs.

Information Transfer & Processing Limitation 

Information Example Purpose
Metadata Data object (schema, table, column, dashboard…) name, description, creation / update timestamp, system user information (name, email), etc. Data catalog and metadata analysis
Query logs, activity logs Executed SQL query history, dashboard query/view history, timestamp, user information (name, email), etc. Data lineage and popularity modeling
System user First name, last name, email, IP address System user analysis, Select Star account record keeping

Sensitive / PII Tag

Although we do not have read access to your data values, sometimes Select Star and its users may be exposed to sensitive data.  This can happen if a user-executed query Select Star has ingested exposes sensitive data values. For example, Select Star may ingest a query that was executed as "SELECT * FROM Users WHERE SSN='123-45-5678'".

To prevent this type of scenario, we recommend our customers tag their sensitive columns as “PII”. Once a column is tagged as PII, Select Star will remove any value from the query log before the query gets saved in Select Star for processing.

This way, no sensitive data values are transferred to Select Star and no organization user will encounter queries containing potentially sensitive values.

To learn more about using the PII tag in Select Star, see our docs.

SOC 2 Compliance

AICPA

Select Star has been completing annual SOC 2 Type II audit in Security, Confidentiality, and Availability criteria, with no exceptions since May 2021.

SOC 2 is a Service and Organization Control (SOC) governance framework developed by the American Institute of CPAs (AICPA) on storing of private business and customer information by third-party service providers. SOC 2 specifically relates to data security for companies that store client information on cloud-based servers, and hence relevant for Software as a Service (SaaS) providers like Select Star.

Independent auditors use the SOC 2 framework to validate a company’s systems and controls with respect to information security. Upon completion of the audit and a thorough review of the evidence, the auditor issues a SOC 2 report detailing its findings and attestation on the company’s security controls related to areas such as:

  • Data encryption (in transit and at rest)
  • Third-party penetration testing
  • Least-privilege access controls
  • Audit logging
  • Endpoint monitoring
  • Internal corporate governance & policies
  • Risk management processes
  • Regulatory oversight

SOC 2 has more than 200 of these requirements and mandates long-term policy and procedures to better secure customer information through tightened internal control. SOC 2 Type II audit requires all the controls and systems are effective over a designated period of time, and hence the SOC 2 Type II audit report provides a guarantee that there are organizational practices already running in place to safeguard the privacy and security of all customer information.

SOC 2 Type II audit report, 3rd party pentest report, and summary of technical and organizational security measures for Select Star are all available upon request under MNDA.

Ask AI

Select Star's AI capabilities leverage OpenAI's GPT technology. OpenAI is a SOC-2 compliant vendor, and our security team reviews their SOC-2 report annually.

When using AI features of Select Star, the following data may be shared with OpenAI to generate conversation responses:

  • Metadata: Names of data objects (such as schemas, tables, columns, dashboards), object descriptions, object types, and the folders they belong to
  • Select Star Metadata Analysis: Popular SQL queries, popularity scores, table creation statements, and names of data object sources/destinations (i.e., data lineage information)
  • Documentation: User-written documentation (docs, metrics, glossary) within Select Star
  • Chat Feedback: Any user feedback (ratings or text) from using the AI features

OpenAI does not store or use any of the above data for training. Select Star’s Ask AI feature can be disabled if customers do not wish to have any metadata sent to OpenAI.

Data Deletion Policy

All customer data will be deleted either upon request or following a termination or cancellation of a Select Star account. It may take up to 10 business days to complete the deletion.

Select Star users with an admin role can also remove a Data Source in Select Star application at any time. This will delete all of its metadata, query logs, and any user-created or Select Star-created metadata (i.e., description, comments, tags, popularity, lineage) from the Select Star application.

All customer data deletion is permanent. Once deleted, customer data cannot be restored.

Data Centers

Select Star uses Amazon Web Services (AWS) to host its cloud infrastructure. AWS is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help us continue to grow with our customers.

AWS security and operational processes for its network and infrastructure services are documented in here: Amazon Web Services: Overview of Security Processes. This document includes an overview of AWS’s data center controls, including:

  • Physical and Environmental Security
  • Fire Detection and Suppression
  • Power
  • Climate and Temperature
  • Management
  • Storage Device Decommissioning
  • AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process.
  • Amazon’s infrastructure fault tolerant design
  • Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Customers can obtain further details of AWS’ compliance and security position via their website at:

Turn your metadata into real insights