Security
Precog implements defense-in-depth security across infrastructure, network, application, and operational layers. This page describes how we protect your data and our platform.
Data Encryption
In Transit
All data transmitted to and from Precog is encrypted:
- Protocol: TLS 1.2 minimum; TLS 1.3 used where supported
- Auto-negotiation: Precog automatically negotiates the highest TLS version supported by both parties
- Non-encrypted connections are automatically redirected to encrypted connections
This includes:
- Connections from your browser to Precog
- API calls between Precog and your data sources
- Data transfer to your destination (e.g., Snowflake, BigQuery)
At Rest
Any data temporarily stored during processing is encrypted:
- Algorithm: AES-256 encryption
- Scope: Ephemeral storage during data processing
- Retention: Data retained between runs for schema maintenance and incremental updates; auto-purged after 14 days
Infrastructure Security
Cloud Hosting
Precog runs on Amazon Web Services (AWS):
- Region: US-based AWS regions (Amazon East) or Amazon EU Central
Network Architecture
Precog uses an outbound-only network model.
Key security properties:
- No inbound ports exposed to the internet
- All connections initiated by Precog (outbound only)
- TLS encryption for all external traffic
- Private subnets for internal workloads
Data Access Requirements
Source Access
Precog requires only READ access to your data sources. We do not modify data in source systems.
Destination Access
For destinations (e.g., Snowflake, BigQuery), Precog requires:
- CREATE schema permissions
- CREATE table permissions
- WRITE to created tables
- READ from tables created by Precog
Customer-Controlled Scope
You control what Precog can access:
- Service account permissions: You create and configure the service account credentials provided to Precog
- Schema/table restrictions: Limit the service account to specific schemas or tables in your destination
- Credential rotation: Update or revoke credentials at any time through the Precog platform
We recommend creating dedicated service accounts with minimum necessary permissions for Precog connections.
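As an added illustration (not Precog's own documentation or code), the Snowflake SQL below sets up a dedicated role that matches the destination permissions listed above and nothing more. The names PRECOG_ROLE, PRECOG_SVC, PRECOG_WH and ANALYTICS_DB are assumptions; substitute your own.

```sql
-- Added example. All object names are hypothetical placeholders:
--   PRECOG_ROLE, PRECOG_SVC, PRECOG_WH, ANALYTICS_DB
USE ROLE SECURITYADMIN;

-- Dedicated role and service user, used for nothing but this connection.
CREATE ROLE IF NOT EXISTS PRECOG_ROLE;
CREATE USER IF NOT EXISTS PRECOG_SVC
  DEFAULT_ROLE      = PRECOG_ROLE
  DEFAULT_WAREHOUSE = PRECOG_WH
  COMMENT           = 'Precog destination service account';
-- Set the user's credential separately, following your own credential policy.
GRANT ROLE PRECOG_ROLE TO USER PRECOG_SVC;

-- Let administrators manage the objects this role creates.
GRANT ROLE PRECOG_ROLE TO ROLE SYSADMIN;

-- Compute and a single target database; nothing account-wide.
GRANT USAGE ON WAREHOUSE PRECOG_WH TO ROLE PRECOG_ROLE;
GRANT USAGE ON DATABASE ANALYTICS_DB TO ROLE PRECOG_ROLE;

-- CREATE schema permission. In Snowflake the role owns each schema it
-- creates, and ownership covers creating tables there and reading and
-- writing them, so no grant on pre-existing schemas or tables is needed.
GRANT CREATE SCHEMA ON DATABASE ANALYTICS_DB TO ROLE PRECOG_ROLE;

-- Audit: at setup time the output should list only the grants above.
SHOW GRANTS TO ROLE PRECOG_ROLE;
SHOW GRANTS TO USER PRECOG_SVC;

-- To cut off access on the Snowflake side, disable the user:
-- ALTER USER PRECOG_SVC SET DISABLED = TRUE;
```

Re-running the two SHOW GRANTS statements periodically is a quick way to confirm the service account has not accumulated privileges beyond this baseline.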
Physical Security
AWS datacenters provide enterprise-grade physical security. For details, see AWS Data Center Security.
Access Control
Customer Access
Precog uses role-based access control (RBAC) to manage permissions:
Organization Roles:
| Role | Capabilities |
|---|---|
| Owner | Full organization control, member management |
| Admin | Manage organization settings, invite members |
| Billing | Manage billing and subscription |
| Member | Access to workspaces based on workspace role |
Workspace Roles:
| Role | Capabilities |
|---|---|
| Editor | Manage sources, destinations, schedules |
| Viewer | Read-only access to workspace resources |
Precog Platform Access
Per our security statement, access to the Precog platform is governed by the following controls:
- MFA required for administrative access
- Role-based access with least privilege principles
- Access managed via roles with minimum necessary permissions
Employee Access
From our privacy policy:
- Only trained Precog employees may access customer data when troubleshooting transmission problems
- Access to customer data is tracked and periodically reviewed for appropriateness
- Access performed only to ensure proper transfers or at customer request
Security Monitoring
From our security statement:
- Systems hardened to industry-standard benchmarks
- Monitored for constant compliance with security benchmarks
- Centralized logging for troubleshooting and security analysis
- Automated alerts for security and performance issues
Connection Management
Precog is designed to work within the constraints of source and destination endpoints:
- Rate limit detection: Automatically detects rate limits, timeouts, and connection limits
- Intelligent backoff: Automatic backoff and retry logic when limits are encountered
- Resource management: Intelligent handling of endpoint constraints to prevent resource exhaustion
Questions?
For security inquiries, contact your account representative.