Security
Your data never leaves your perimeter.
End-to-end encryption, granular RBAC, exportable audit log and on-premise or air-gapped deployment. Security is a core feature, not a bolt-on.
-
End-to-end encryption
DB credentials encrypted at-rest with enterprise-level encryption. Encryption in transit on all channels.
-
SOC2 · GDPR · ISO 27001
Compliance by default. Exportable audit logs, configurable retention, traceable chain of custody.
-
On-premise or cloud
Deploy where you decide: managed cloud, private cloud or on-premise. Air-gapped mode for regulated environments.
-
SSO & SAML 2.0
Integration with Okta, Microsoft Entra ID, Google Workspace, Auth0 and generic SAML 2.0 providers.
Data flow
Where your data goes. Step by step.
No magic, no "trust us". Every stage of the flow is designed to minimise data exposure and maximise control.
- step 01
User input
The user asks a question in natural language. The role and execution policy are loaded from the profile.
- step 02
Schema snapshot
Only the schema (tables, columns, types, FK) is extracted. Credentials remain encrypted, never sent to the AI.
- step 03
AI prompt
The AI receives: schema, user policy, question. No production data, no credentials, no secrets.
- step 04
Dialect-specific validation
The generated SQL passes engine-specific validation: only allowed verbs, schema check, forced parameterization.
- step 05
Controlled execution
Configurable row limit and timeout, parameters always bound. Destructive operations require explicit approval.
- step 06
Audit log
Every query, every approval, every role change ends up in an append-only log, exportable for compliance (SOC2 / ISO 27001).
- SOC 2 Type II
- ISO 27001
- GDPR
- CCPA
- HIPAA ready
- PCI-DSS aligned
Our guarantees
Four principles, zero compromises.
-
Zero secret leaks to the AI
The AI only receives schema and policy. DB credentials remain safely encrypted and are read only at query execution time.
-
Granular RBAC with DDL approval
Per-role execution policy (SELECT / INSERT / UPDATE / DELETE / DDL). Destructive operations subject to explicit approval with signed chain of custody.
-
Append-only audit log
Every interaction is logged immutably: user, question, generated SQL, rows affected, approval decision. JSON/CSV export for compliance.
-
Data residency & sovereignty
Choose where the AI runs: managed cloud in EU/US region, private self-hosted model, or air-gapped on-prem. No data leaves the perimeter you define.
Frequently asked questions
- Does the AI see production data?
- No. The AI is only sent a schema snapshot (structure, not content) and the user's execution policy. Data remains in your database.
- Where are DB credentials stored?
- Encrypted at-rest with enterprise-level encryption, in a dedicated vault. Decrypted only in memory when opening a connection, never logged in plain text.
- Can I use a private AI instead of the managed model?
- Yes. The Enterprise plan supports self-hosted or private fine-tuned models: Neural Data Studio's orchestration is provider-agnostic.
- How do you handle destructive operations?
- INSERT / UPDATE / DELETE require the corresponding permission in the user role. DDL (CREATE / DROP / ALTER) is always subject to an approval flow with a second approver, digital signature and a log entry.
- Have you had any security incidents?
- No incidents with customer impact to date. Our security advisory page is accessible to all Enterprise customers, with a coordinated 90-day disclosure policy.
- Who do we contact for vulnerability disclosure?
- Write to us at support@neuraldatastudio.ai (subject "security disclosure") or use the PGP channel published on the contacts page. We respond within 24 business hours.
Need a SOC2 report, a DPA or a penetration test?
The Security team responds within 24 business hours to Enterprise customers and qualified prospects.