SOC 2 Type II audited

Security

Last updated: May 15, 2026

Security is built into every layer of Queringo, from the data model to the infrastructure. This page summarises our key technical and organisational controls. For the full SOC 2 Type II report, see our SOC 2 page.

Encryption at rest

Each Workspace receives a unique 256-bit Data Encryption Key (DEK) at creation time. The DEK is itself encrypted with a master key managed by AWS Key Management Service (KMS), following the envelope encryption pattern. Sensitive database fields are encrypted with AES-256-GCM via libsodium before being written to PostgreSQL. This includes:

  • Conversation messages and AI insight text
  • Generated SQL and result row snapshots
  • Alert payloads and notification channel configurations
  • Data source credentials
  • Schema annotations and domain knowledge entries

An attacker with raw database access sees only ciphertext. Decryption requires both the database and AWS KMS access. DEK rotation is available on demand for Scale and Enterprise accounts.

Encryption is plan-tiered: off by default on Starter (admins can enable it), on by default on Growth (admins can disable it with confirmation), and mandatory on Scale and Enterprise.

Encryption in transit

  • All client-to-server traffic uses TLS 1.3. TLS 1.0 and 1.1 are not accepted.
  • HTTP Strict Transport Security (HSTS) is enforced with a one-year max-age and includeSubDomains.
  • Connections to your data sources use TLS by default; SSH tunnel support is available on all plans.
  • Internal service-to-service traffic is encrypted over AWS VPC private links.

Access controls

  • Read-only database roles: Queringo connects to your data sources with read-only credentials. We cannot write to, modify, or delete your data.
  • Permission groups: every Workspace ships with Admin, Member, and Viewer groups. Admins can create and clone custom groups with granular capability controls.
  • PII masking: columns flagged as PII are masked in query results by default. Only members with an explicit reveal grant can see unmasked values.
  • TOTP two-factor authentication: enforceable per Workspace by the Admin. Users who have not enrolled are gated to the 2FA setup page until they complete enrolment.
  • Session management: configurable timeout from 1 to 480 minutes. Users can view and revoke all active sessions. All sessions are revoked automatically on password change.
  • Audit log: every sensitive action is recorded with actor identity, IP address, timestamp, and payload. Logs are retained based on plan (30 days on Starter, longer on higher plans).

PII and financial data protection

During schema discovery, Queringo samples up to 100 rows per column to detect PII and financial data using a combination of regex patterns and AI analysis. Sample rows are held in memory only and discarded immediately after detection. They are never written to disk or logged.

Masking is applied post-query in the Queringo application layer. The source database is never modified. Column names are always visible; only cell values are masked for users without the appropriate reveal grant.

Infrastructure and resilience

ComponentTechnologyNotes
ComputeAWS ECS FargateAuto-scaling, multi-AZ, zero-ops containers
DatabaseAWS RDS PostgreSQL 15, Multi-AZPITR enabled, nightly snapshots, 30-day retention
Cache and queueAWS ElastiCache RedisUsed for DEK cache, job queue, and session state
CDNCloudFrontEdge caching for static assets and API responses
FrontendVercelGlobal edge network
WAFAWS WAF with OWASP Core Rule SetIn front of the API load balancer

Disaster recovery targets: Recovery Point Objective (RPO) of 5 minutes. Recovery Time Objective (RTO) of 1 hour. Multi-AZ deployment ensures automatic failover without manual intervention.

Network isolation: per-workspace egress IP addresses are available on Growth and above. Optional VPC peering is available on Enterprise, allowing your data source to accept connections only from our static IPs.

Compliance

  • SOC 2 Type II: covers the Security, Availability, and Confidentiality Trust Service Criteria. The full report is available to Scale and Enterprise customers under NDA.
  • HIPAA-ready: Enterprise accounts can execute a Business Associate Agreement (BAA). Contact legal@queringo.com.
  • GDPR: we act as a data processor under GDPR Article 28. A signed Data Processing Addendum (DPA) incorporating EU Standard Contractual Clauses is available on request.
  • CCPA and LGPD: self-service data export and deletion are available to all users. Jurisdiction-aware retention policies apply automatically.

Vulnerability management

  • Annual penetration tests by an accredited third-party firm, with findings remediated before the next audit period
  • Dependency scanning and static analysis on every pull request
  • Critical CVEs patched within 72 hours of disclosure
  • Public bug bounty programme (details below)

Reporting a vulnerability

Email security@queringo.com with a clear description of the issue, steps to reproduce, and the potential impact. We aim to acknowledge reports within 24 hours and resolve critical findings within 72 hours. We do not pursue legal action against researchers who act in good faith and follow responsible disclosure practices.