Try for free

Overview

We built our unified data platform with industry standards to protect your data and ensure compliance while delivering observability and governance.

Decube is designed from the ground up to ensure that enterprise-grade security, compliance, and scalability are built into every layer of our platform. This document outlines Decube’s infrastructure design, security protocols, and compliance posture.

For deployment-specific models details, refer to our Architecture .

How we handle your data?

Control & Data Plane Separation

Decube follows a strict separation of concerns between the Control Plane and the Data Plane:

  • Control Plane (Decube-managed): Handles authentication, user management, licensing, configuration, scheduling, and alerting.

  • Data Plane (deployment-dependent): Executes metadata collection, monitors data quality, and stores metadata, either in a shared or isolated environment based on the deployment model.

Details for each model are available in:

Collection

  • Decube's data collectors only extract metadata, query logs, and aggregated statistics into its cloud service.

  • Data extracted from these scans is solely for assessing your data's reliability and providing statistics and incident alerts of which you have opted-in.

  • Decube uses encrypted connections (HTTPS and TLS) to protect the contents of data in transit.

  • Decube's architecture also supports a setup specifically for enterprise customers where you can host the data collectors within your own cloud infrastructure so you never have to expose any of your data sources to decube's cloud service.

Compliance

  • Decube is currently SOC2 certified. Reach out to us if you would like a copy of the SOC2 report.

  • Decube will sign any NDAs and/or DPAs where it is appropriate.

  • Decube, while collecting metadata, query logs, and metrics for the purposes of running the monitoring, cataloging, acknowledges that personal data may be collected and processed. If any such data is passed into Decube, it is used only for the sole purpose of running the monitoring and cataloging.

  • Usage of all SaaS applications internally within Decube for operational purposes is vetted with due diligence so that confidential company and personnel data are protected.

Organizational Security and Privacy Practices

Decube's team practices industry best practices across the board to protect the security of the application, and the data privacy of its customers.

  • Decube engages a third party to perform an annual penetration test over the application layers of the platform.

  • Processing of collected data is conducted on secure servers hosted on Amazon Web Services.

  • Decube employees engage in privacy and security training during the onboarding and are required to take an examination after the training. All Decube personnel are required to acknowledge, electronically, that they have attended training and understand the security policy.

  • Access to all critical systems and production environments are protected using strong passwords and multi-factor authentication. SSO is also used to centralize access control for certain applications. Access rights are reviewed before being granted, and then periodically reviewed thereafter.

Data collected by Decube

The following information may be processed and stored by Decube on its cloud services:

Collected Data
Details
Purpose of collection

Metadata

Asset names such as tables and columns, field types, status of transformation jobs and other such metadata.

To populate the data catalog with information about the assets available (table, columns, jobs etc.) within the data warehouses, databases and other data sources.

Metrics

Row counts, last updated and other similiar metrics.

Enable tracking of metrics such as freshness, volume and other metrics.

Aggregated Statistics

Measures the data in selected table which is opt-in only by the user. Statistics may include null percentiles, distinctness, and other similar metrics.

Enable tracking of data health and setup of field tests by user via preset or custom SQL.

Multi-AZ Compute

Decube’s cloud infrastructure spans multiple AWS Availability Zones to ensure high availability and business continuity.

Metadata Collection Approach

Decube collects only the metadata required for observability, governance, and quality monitoring:

Metadata Types Collected

Aspect

Description

Sample

Encrypted

Retention

Location

Data Source Schema

Schema metadata about data sources, broken into logical grouping

Table name, Column names, Column data type, Constraints, Dashboard names

At-Rest Encryption

Indefinite

Metadata DB & Elasticsearch

Monitoring Metrics

Aggregated metrics from data quality monitoring

Row count, Nulls, Unique values

At-Rest Encryption

Indefinite

Metadata DB

Change Requests

User changes on metadata

Asset description, Tags, Classification

At-Rest Encryption

Indefinite

Metadata DB

Profiling Info

Statistical values (may contain raw data)

Null %, Min/Max/Average values

Dual Layer Encryption

30 Days

Blob Storage

User Attachments

Uploaded files

PDF, CSV, Text

Dual Layer Encryption

Indefinite

Blob Storage

Query History

Historic queries on platforms

Synapse, Databricks logs

At-Rest Encryption

60 Days

Metadata DB

Data Source Credentials

Connection credentials

Username, Host, Password

Dual Layer Encryption

Indefinite

Metadata DB

Data Access & Encryption

All connections to customer systems use read-only credentials and are encrypted with TLS.

Decube supports dual-layer encryption:

  • Content Encryption using AES-256-GCM

  • At-Rest Encryption for data stored in our services

Encryption Details

  • Dual-Layer Encryption for Maximum Security

    • Decube employs a robust dual-layer encryption approach to ensure the confidentiality and integrity of sensitive data across all deployment models.

  • Content Encryption - AES-256-GCM

    • All sensitive data—such as query history, profiling metrics, and credentials—is encrypted using the Advanced Encryption Standard (AES) with 256-bit keys in Galois/Counter Mode (GCM). This method guarantees both data confidentiality and integrity by protecting the actual content from unauthorized access or tampering.

  • At-Rest Encryption - AES-256-GCM

    • In addition to content-level encryption, all stored data benefits from at-rest encryption. This additional layer secures data while it’s stored in databases or object storage, offering comprehensive protection against breaches or unauthorized access at the storage level.

  • Indefinite Retention

    • Data stored until the underlying data source is deleted from Decube’s platform. For attachments; until no reference to the attached file exists.

Scalability & Reliability - Distributed Computing

Scalable Data Engine Worker Pool

Decube’s engine dynamically scales based on workload, provisioning additional compute workers under load while minimizing resource usage during idle periods. The distributed architecture also ensures fault tolerance against node-level failures.

High Performance & Reliable Job Scheduling

Our custom-built job scheduler, written in Rust, delivers:

  • At-most-once scheduling to prevent duplicate task execution.

  • At least once execution to maintain coverage for critical workloads.

Understand further how these models are handled refer to decube architecture.

PreviousSupportNextDeployment Methods

Last updated