Select Star: Security & Compliance

Select Star will never access your data values or run queries against your data unless explicitly authorized by your organization. By default, Select Star’s access and processing are limited to system metadata and query logs only.

If your organization chooses to enable features such as data previews or AI-powered data querying, Select Star will access data values only as necessary to support those features.

We recommend creating a dedicated service account for Select Star with metadata-only roles and permissions, as described in our documentation.

Information Transfer & Processing Limitation

‍

Information	Example	Purpose
Metadata	Data object (schema, table, column, dashboard…) name, description, creation / update timestamp, system user information (name, email), etc.	Data catalog and metadata analysis
Query logs, activity logs	Executed SQL query history, dashboard query/view history, timestamp, user information (name, email), etc.	Data lineage and popularity modeling
System user	First name, last name, email, IP address	System user analysis, Select Star account record keeping

Sensitive / PII Tag

Although we do not have read access to your data values, sometimes Select Star and its users may be exposed to sensitive data. This can happen if a user-executed query Select Star has ingested exposes sensitive data values. For example, Select Star may ingest a query that was executed as "SELECT * FROM Users WHERE SSN='123-45-5678'".

To prevent this type of scenario, we recommend our customers tag their sensitive columns as “PII”. Once a column is tagged as PII, Select Star will remove any value from the query log before the query gets saved in Select Star for processing.

This way, no sensitive data values are transferred to Select Star and no organization user will encounter queries containing potentially sensitive values.

To learn more about using the PII tag in Select Star, see our docs.

SOC 2 Compliance

Select Star has been completing annual SOC 2 Type II audit in Security, Confidentiality, and Availability criteria, with no exceptions since May 2021.

SOC 2 is a Service and Organization Control (SOC) governance framework developed by the American Institute of CPAs (AICPA) on storing of private business and customer information by third-party service providers. SOC 2 specifically relates to data security for companies that store client information on cloud-based servers, and hence relevant for Software as a Service (SaaS) providers like Select Star.

Independent auditors use the SOC 2 framework to validate a company’s systems and controls with respect to information security. Upon completion of the audit and a thorough review of the evidence, the auditor issues a SOC 2 report detailing its findings and attestation on the company’s security controls related to areas such as:

Data encryption (in transit and at rest)
Third-party penetration testing
Least-privilege access controls
Audit logging
Endpoint monitoring
Internal corporate governance & policies
Risk management processes
Regulatory oversight

SOC 2 has more than 200 of these requirements and mandates long-term policy and procedures to better secure customer information through tightened internal control. SOC 2 Type II audit requires all the controls and systems are effective over a designated period of time, and hence the SOC 2 Type II audit report provides a guarantee that there are organizational practices already running in place to safeguard the privacy and security of all customer information.

SOC 2 Type II audit report, 3rd party pentest report, and summary of technical and organizational security measures for Select Star are all available upon request under MNDA.

Ask AI

Select Star's AI capabilities leverage OpenAI's and Anthropic's GPT technology. OpenAI and Anthropic are SOC-2 compliant vendors, and our security team reviews their SOC-2 report annually.

When using AI features of Select Star, the following data may be shared with OpenAI and Anthropic:

Metadata: Names of data objects (such as schemas, tables, columns, dashboards), object descriptions, object types, and the folders they belong to.
Select Star Metadata Analysis: Popular SQL queries, popularity scores, table creation statements, and names of data object sources/destinations (i.e., data lineage information).
User Metadata:
- Select Star Users and Teams: Email and first and last name of users in Select Star, as well as team names and descriptions.
- Data Source Users: Names, emails, or identifiers of users associated with data sources - for example, table/dashboard owners or users running queries.
Select Star Users and Teams: Email and first and last name of users in Select Star, as well as team names and descriptions.
Documentation: User-written documentation (docs, metrics, glossary) within Select Star.
Chat Feedback: Any user feedback (ratings or text) from using the AI features.
(Optional) Data values: If your organization has authorized data access and enabled features like AI Data Querying, Select Star may execute SQL queries on behalf of users and process the resulting data.

To be explicit, the following data is not shared outside of Select Star:

User or account information.
Data in queries classified as sensitive, according to PII tags, will be scrubbed or masked.
Data values — Select Star does not access, store, or transmit data values unless data access has been explicitly granted and features such as AI Data Querying have been enabled.

OpenAI and Anthropic do not store or use any of the above data for training.

Select Star’s AI features (such as Ask AI) can be disabled if customers prefer not to have any metadata sent to OpenAI or Anthropic.

Data Deletion Policy

All customer data will be deleted either upon request or following a termination or cancellation of a Select Star account. It may take up to 10 business days to complete the deletion.

Select Star users with an admin role can also remove a Data Source in Select Star application at any time. This will delete all of its metadata, query logs, and any user-created or Select Star-created metadata (i.e., description, comments, tags, popularity, lineage) from the Select Star application.

All customer data deletion is permanent. Once deleted, customer data cannot be restored.

Data Centers

Select Star uses Amazon Web Services (AWS) to host its cloud infrastructure. AWS is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality to help us continue to grow with our customers.

AWS security and operational processes for its network and infrastructure services are documented in here: Amazon Web Services: Overview of Security Processes. This document includes an overview of AWS’s data center controls, including:

Physical and Environmental Security
Fire Detection and Suppression
Power
Climate and Temperature
Management
Storage Device Decommissioning
AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process.
Amazon’s infrastructure fault tolerant design
Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Customers can obtain further details of AWS’ compliance and security position via their website at: