Security & Data Handling

How Sparvi handles your data, what we store, and what we don't.

The headline

Sparvi never stores your row-level data. We query your warehouse for metadata, statistics, and validation results. The data itself stays in your warehouse, under your access controls.

What we store

  • Table and column metadata (names, types, sizes, freshness timestamps)
  • Column statistics (counts, distinct values, null rates, distributions)
  • Validation rule definitions and execution results (pass/fail, threshold values, counts)
  • Schema change history (what changed, when, by whom in your warehouse)
  • User account data (email, name, organization membership)

What we don't store

  • Row-level data from your warehouse
  • PII from customer records
  • Query results beyond aggregate statistics needed for validation
  • Credentials in plaintext (everything is encrypted at rest)

Connection security

Sparvi requires read-only credentials to your warehouse. We recommend:

  • Snowflake: key-pair authentication with a dedicated read-only role scoped to the schemas you want monitored
  • BigQuery: service account JSON with BigQuery Data Viewer and BigQuery Job User permissions on the target dataset(s)

Service account JSON and private keys are encrypted at rest with AES-256 and decrypted in memory only during query execution.

Infrastructure

  • Hosting: Microsoft Azure (US East). Database: managed Postgres via Supabase.
  • Transit encryption: TLS 1.2+ for all client connections; TLS for warehouse connections.
  • At-rest encryption: AES-256 for all stored data.
  • Backups: daily point-in-time backups with 30-day retention.

Access controls

  • Authentication: email + password with optional two-factor (TOTP).
  • Authorization: organization-scoped — users in one organization cannot see another's data.
  • Roles: admin, member roles with separate permissions for connection management vs. read-only viewing.
  • Audit logs: all administrative actions (connection changes, rule changes, user invitations) are logged with timestamp and actor.

SSO and Enterprise security

SSO (SAML and OIDC), advanced RBAC, dedicated audit logging, and SOC2 Type II evidence sharing are available on the Enterprise plan. Talk to us if your security review requires any of these.

Compliance

We're a small team and are honest about it. We do not currently hold SOC2 Type II certification. We follow SOC2-aligned controls and can share our control documentation under NDA for Enterprise evaluations. SOC2 Type II is on the H2 2026 roadmap.

GDPR: we are a data processor for the metadata we store. Standard DPA available on request.

Incident response

Security incidents are triaged within 1 business hour. Customers affected by a security incident are notified within 24 hours of confirmation. We publish post-mortems for any incident with customer-data impact.

Reporting a vulnerability

Email security@sparvi.io. We respond within 1 business day. Responsible disclosure is appreciated.

Questions?

If your security team has a questionnaire, send it. We'll fill it out honestly, including the gaps. Email contact@sparvi.io.