Overview
We built our unified data platform with industry standards to protect your data and ensure compliance while delivering observability and governance.
Last updated
We built our unified data platform with industry standards to protect your data and ensure compliance while delivering observability and governance.
Last updated
Decube is designed from the ground up to ensure that enterprise-grade security, compliance, and scalability are built into every layer of our platform. This document outlines Decube’s infrastructure design, security protocols, and compliance posture.
For deployment-specific models details, refer to our .
Decube follows a strict separation of concerns between the Control Plane and the Data Plane:
Control Plane (Decube-managed): Handles authentication, user management, licensing, configuration, scheduling, and alerting.
Data Plane (deployment-dependent): Executes metadata collection, monitors data quality, and stores metadata, either in a shared or isolated environment based on the deployment model.
Details for each model are available in:
Decube's data collectors only extract metadata, query logs, and aggregated statistics into its cloud service.
Data extracted from these scans is solely for assessing your data's reliability and providing statistics and incident alerts of which you have opted-in.
Decube uses encrypted connections (HTTPS and TLS) to protect the contents of data in transit.
Decube's architecture also supports a setup specifically for enterprise customers where you can host the data collectors within your own cloud infrastructure so you never have to expose any of your data sources to decube's cloud service.
Decube is currently SOC2 certified. Reach out to us if you would like a copy of the SOC2 report.
Decube will sign any NDAs and/or DPAs where it is appropriate.
Decube, while collecting metadata, query logs, and metrics for the purposes of running the monitoring, cataloging, acknowledges that personal data may be collected and processed. If any such data is passed into Decube, it is used only for the sole purpose of running the monitoring and cataloging.
Usage of all SaaS applications internally within Decube for operational purposes is vetted with due diligence so that confidential company and personnel data are protected.
Decube's team practices industry best practices across the board to protect the security of the application, and the data privacy of its customers.
Decube engages a third party to perform an annual penetration test over the application layers of the platform.
Processing of collected data is conducted on secure servers hosted on Amazon Web Services.
Decube employees engage in privacy and security training during the onboarding and are required to take an examination after the training. All Decube personnel are required to acknowledge, electronically, that they have attended training and understand the security policy.
Access to all critical systems and production environments are protected using strong passwords and multi-factor authentication. SSO is also used to centralize access control for certain applications. Access rights are reviewed before being granted, and then periodically reviewed thereafter.
The following information may be processed and stored by Decube on its cloud services:
Metadata
Asset names such as tables and columns, field types, status of transformation jobs and other such metadata.
To populate the data catalog with information about the assets available (table, columns, jobs etc.) within the data warehouses, databases and other data sources.
Metrics
Row counts, last updated and other similiar metrics.
Enable tracking of metrics such as freshness, volume and other metrics.
Aggregated Statistics
Measures the data in selected table which is opt-in only by the user. Statistics may include null percentiles, distinctness, and other similar metrics.
Enable tracking of data health and setup of field tests by user via preset or custom SQL.
Decube’s cloud infrastructure spans multiple AWS Availability Zones to ensure high availability and business continuity.
Decube collects only the metadata required for observability, governance, and quality monitoring:
Aspect
Description
Sample
Encrypted
Retention
Location
Data Source Schema
Schema metadata about data sources, broken into logical grouping
Table name, Column names, Column data type, Constraints, Dashboard names
At-Rest Encryption
Indefinite
Metadata DB & Elasticsearch
Monitoring Metrics
Aggregated metrics from data quality monitoring
Row count, Nulls, Unique values
At-Rest Encryption
Indefinite
Metadata DB
Change Requests
User changes on metadata
Asset description, Tags, Classification
At-Rest Encryption
Indefinite
Metadata DB
Profiling Info
Statistical values (may contain raw data)
Null %, Min/Max/Average values
Dual Layer Encryption
30 Days
Blob Storage
User Attachments
Uploaded files
PDF, CSV, Text
Dual Layer Encryption
Indefinite
Blob Storage
Query History
Historic queries on platforms
Synapse, Databricks logs
At-Rest Encryption
60 Days
Metadata DB
Data Source Credentials
Connection credentials
Username, Host, Password
Dual Layer Encryption
Indefinite
Metadata DB
All connections to customer systems use read-only credentials and are encrypted with TLS.
Decube supports dual-layer encryption:
Content Encryption using AES-256-GCM
At-Rest Encryption for data stored in our services
Encryption Details
Dual-Layer Encryption for Maximum Security
Decube employs a robust dual-layer encryption approach to ensure the confidentiality and integrity of sensitive data across all deployment models.
Content Encryption - AES-256-GCM
All sensitive data—such as query history, profiling metrics, and credentials—is encrypted using the Advanced Encryption Standard (AES) with 256-bit keys in Galois/Counter Mode (GCM). This method guarantees both data confidentiality and integrity by protecting the actual content from unauthorized access or tampering.
At-Rest Encryption - AES-256-GCM
In addition to content-level encryption, all stored data benefits from at-rest encryption. This additional layer secures data while it’s stored in databases or object storage, offering comprehensive protection against breaches or unauthorized access at the storage level.
Indefinite Retention
Data stored until the underlying data source is deleted from Decube’s platform. For attachments; until no reference to the attached file exists.
Decube’s engine dynamically scales based on workload, provisioning additional compute workers under load while minimizing resource usage during idle periods. The distributed architecture also ensures fault tolerance against node-level failures.
Our custom-built job scheduler, written in Rust, delivers:
At-most-once scheduling to prevent duplicate task execution.
At least once execution to maintain coverage for critical workloads.
Understand further how these models are handled refer to decube architecture.
