Architected for Security from the Start

SuperQuery’s data platform solution sits on top of your existing data source, using a secure connection to query your data warehouse. EVALUEX writes a query to access the data needed to answer your question, returns the result, and puts the answer in an encrypted, local disk cache that is stored on your Google/AWS/Microsoft/Oracle account.

SuperQuery provides a single point of access to your data, allowing administrators to build robust data governance tools that result in a secure experience for their users.

Only you control your data

SuperQuery is built to ensure that your data is safe and secure by limiting movement of data and leveraging your database’s security protocols.

Most BI platforms encourage you to pull your data out, regardless of its size, for analysis. SuperQuery generates SQL that directly queries your own database, allowing you to export significantly less data.

Data Availability, Not Data Storage
SuperQuery uses a read-only connection to access the relevant data needed to answer your query and returns the relevant result set. This means that less data is scanned and there are no data duplication requests, which safeguards you against long-term storage charges.

Data Governance from the Bottom Up

Self-service shouldn’t come at the expense of data governance.

Secure User Access and Management
SuperQuery makes it easy for administrators to control users’ access from the database level down to the field level.

Configuration Made Easy
Application permissions, data access, and content access can be set manually in the application, programmatically via SuperQuery’s API, or can be inherited directly from your existing single sign-on authentication protocols.

Enterprise-Grade Feature Set

Authenticate Your Way
SuperQuery’s platform comes out of the box with enterprise-grade features including two-factor authentication, SAML-based single sign-on (supporting SAML, OneLogin, and Google Apps), and team management to keep EVALUEX access secure and up-to-date with industry standards.

Industry-Standard Encryption
SuperQuery uses industry-standard AES encryption to secure cached data stored at rest, and the TLS v1.2 protocol to secure network traffic between users’ browsers and the platform.

Tools to Secure Your Database Connection
SuperQuery offers many options for securing connections to your database, including IP Whitelisting, SSL, SSH, PKI, and Kerberos authentication.

Deployment Options for Every Customer

Different customers have different environments and different security requirements. That’s why EVALUEX provides deployment options to fit every situation.

Extensive Support for Database Connections
The SuperQuery application securely connects to 34 (and counting) different SQL and SQL-on-Hadoop dialects and uses industry-standard Git version control (which EVALUEX can manage for you, or which you can manage with any Git server that can use SSH authentication).

Comprehensively monitored and fully auditable

Because SuperQuery’s data platform provides a single point of contact for employees’ work with your enterprise’s data, it’s far easier to keep track of exactly who accessed what, when, and what they did with it.

Easily Monitor Usage and Track Development
SuperQuery logs every interaction so administrators can audit usage and easily set up scheduled reports and alerts. And because EVALUEX’s data model is version-controlled, you can also track when metric definitions have changed, who changed them and why.

Easy Configuration of Support Access
SuperQuery monitors and regularly audits company support technicians’ access to your instance (and as of EVALUEX release 4.22, you'll be able to easily turn that access on or off).

Application Data Collected by SuperQuery

While there is no permanent storage of your data in the SuperQuery application, by default, the application passes the following information back to us to perform license validation and enhance the service. For an on-premise deployment, these can be blocked as required to meet your specific security requirements.

  • License checks - License information, including the number of users, roles, and database connections
  • Basic usage - URLs accessed, time of access, and browser type
  • Backups - Encrypted backups of the SuperQuery instance’s database, which includes saved Looks, query history, and user settings
  • Error emails - Errors from SuperQuery servers are generated for Engineering’s use to diagnose and improve the product (note that passwords and other private information are filtered out)
  • User admin emails - Mail generated from provides new account welcome emails, forgotten password reset links, and scheduled data delivery. If preferred, you can configure these emails to use your own SMTP service instead.
  • Support tickets - Support is provided on demand via an embedded chat client service through Zendesk.

SuperQuery’s Topology

  • Cloud Security - SuperQuery uses Amazon EC2 and other cloud hosting providers to offer industry-standard security, availability and durability of hosted SuperQuery implementations.
  • Product Security - SuperQuery is responsible for ensuring that the code quality for the SuperQuery application is developed according to industry-wide best practices for software development, and is tested for vulnerabilities regularly.

Your Responsibilities

Cloud Security
You are responsible for configuring secure access between the SuperQuery application and your database. SuperQuery provides extensive recommendations on how to do this, including:

  • Enabling secure database access using tools like IP whitelisting, SSL/TLS encryption, and SSH tunneling

  • Setting up the most locked-down database account permissions for SuperQuery that still allow it to perform needed functions

Product Security
You are also responsible for controlling access and permissions for users of your SuperQuery instance within your company. EVALUEX recommends:

  • Setting up user authentication using either a native username/password option or, preferably, using a more robust authentication mechanism like 2FA, LDAP, Google OAuth, or SAML

  • Setting up the most restrictive user permissions and content access that still allow people to carry out their work, paying special attention to who has admin privileges

  • Setting up any API usage in a secure way

  • Regularly auditing any public access links your users create and restricting the permission to create them, as necessary

Cloud Security

SuperQuery hosts its software on AWS Cloud Services, which means that as an EVALUEX customer, you’ll inherit the robust standards of cloud security maintained by AWS, on top of which EVALUEX builds its own security best practices. EVALUEX also uses industry best practices for the development and testing of the EVALUEX application, ensuring that code quality meets our standards before becoming part of an EVALUEX release.

Cloud Infrastructure

AWS facilities

The SuperQuery application is managed on AWS facilities, which comply with over 50 security certifications, regulations, and frameworks. Physical security is managed by AWS, with facilities monitored by video surveillance and intrusion detection systems.

Physical separation of data

The SuperQuery application is hosted in a single-tenant environment, physically separating the instances of SuperQuery customers from each other. The SuperQuery application is hosted in a single-tenant AWS Availability Zone (AZ) environment by default. If you have specific availability needs, you can contact your Account Manager to request implementing the application in a cluster configuration.


SuperQuery follows AWS best practices for security architecture. Proxy servers secure access to the SuperQuery application by providing a single point to filter attacks through IP blacklisting and connection rate limiting.


SuperQuery employs a Cloud-based distributed backup framework for SuperQuery-hosted customer servers.

Availability and durability

The SuperQuery application can be hosted in a variety of different AWS data centers across the globe.

Monitoring & Authentication

Access to a customer’s back-end servers

Access to the SuperQuery-hosted back-end environment requires approval and multiple layers of authentication.

Access to a customer’s SuperQuery application

Employee access to customer SuperQuery instances is provided in order to support a customer's needs. Access requires approval and multiple layers of authentication.

Monitored user access

Access to your SuperQuery environment is uniquely identified, logged, and monitored.

Network vulnerability scanning

SuperQuery’s back-end is scanned for known security vulnerabilities on a regular basis.

AES encryption

Sensitive application data stored locally, including database connection configurations and cached query data, is encrypted using AES encryption.

Secure credential storage & encryption

Native usernames and passwords are secured using a dedicated password-based key derivation function (bcrypt) with hashing and salting.

TLS encryption v1.2

Data in transit is encrypted from the user's browser to the application via TLS.

SSL / SSH encryption

SuperQuery enables you to configure your database connection via SSL or construct an SSH tunnel.

Product Security


Code development

Code development is done through a documented SDLC process which includes guidance on how code is tested, reviewed, and promoted to production.

Peer review and unit testing of code

Code is peer reviewed before being committed to the master code branch of the SuperQuery application. Functional and unit tests are performed using automated tools.

Routine developer training

Developers are regularly trained on secure coding practices.

Code quality tests

SuperQuery utilizes automated tests specifically targeting injection flaws, input validation, and proper CSRF token usage.

Regular third-party penetration testing

SuperQuery performs regular third-party penetration tests against the SuperQuery application and hosted environment.

Single sign on

SuperQuery provides SAML-based single sign on for users, offering support for SSO solutions from Google Apps, OneLogin, and SAML.

LDAP authentication

SuperQuery provides the ability to authenticate users based on Lightweight Directory Access Protocol (LDAP), enabling administrators to link LDAP groups to EVALUEX roles and permissions.

Two-Factor authentication

SuperQuery provides the ability to use two-factor authentication via Google Authenticator.

Responsible disclosure

SuperQuery embraces the security community and operates a responsible disclosure program to facilitate security vulnerability reporting.

Corporate Security

SuperQuery has robust security protocols that are meant to secure the SuperQuery Office premises and materials that contain sensitive information. EVALUEX also invests in properly vetting and training staff to ensure that there is an organization-wide appreciation for data security.

Personnel & Third Parties

Security organization

Led by the Chief Security Officer (CSO), SuperQuery has established a dedicated information security function responsible for security and compliance across the organization.

Policies and procedures

SuperQuery has various security policies that are maintained, communicated, and approved by management to ensure everyone clearly knows their security responsibilities.

Background checks

New contractors and employees are required to pass a background check and sign confidentiality agreements.

Security awareness education

SuperQuery new hires complete security training as part of their entry into the organization. Employees receive routine security awareness training and confirm adherence to Company security policies. SuperQuery employees are reminded of security best practices through informal and formal communications.

Vendor management

SuperQuery maintains a vendor management program to ensure that third-parties comply with an expected level of security controls.

Incident Response

Security organization

SuperQuery’s Security and Operations team is available 24/7 to respond to security alerts and events.

Policies and procedures

SuperQuery maintains a documented incident response plan.

Incident response training

Employees are trained on security incident response processes, including communication channels and escalation paths. Please don’t hesitate to contact your account manager, EVALUEX’s Support chat, or email if you see a possible security issue.

SuperQuery Premises and Hardware

Monitoring and secure access to SuperQuery offices

SuperQuery offices are protected by security measures including badge access and security cameras. By policy, employees are required to escort guests inside the EVALUEX offices.

Laptop protection

SuperQuery uses a combination of endpoint management tools to monitor, patch, and protect its laptop population. Laptops have encrypted hard drives and are protected with a sign-on password. An AV solution is also installed on laptops to protect against malware.

Compliance & Privacy

One of the priorities of SuperQuery’s security practices is to ensure that use of your data is transparent, safe, and respectful. EVALUEX is in the process of securing security certifications both domestically and internationally, but if you have any questions about specific requirements, email EVALUEX’s security team at

SuperQuery’s Privacy Policy.

Security Compliance

Healthcare compliance

SuperQuery customers include HIPAA Covered Entities and Business Associates. Since SuperQuery doesn’t extract your data, we don’t categorize data as sensitive, personal health information or according to other schemas. Instead, we handle all data according to the same security standards. SuperQuery will assist you to carry out HIPAA-related security obligations, which can include executing Business Associate Agreements as needed.

SOC 2 and ISO 27001 compliance


EU compliance

SuperQuery has many customers in the European Economic Area and will work with you to assure compliance with Personal Data handling requirements and cross-border transfer requirements under the EU Privacy Directive, and the new GDPR, when that comes into force in May 2018.

Determine where SuperQuery is hosted

SuperQuery lets you determine where your SuperQuery is to be hosted. Currently your SuperQuery hosted instance can reside in the US, Japan, Ireland, Australia, or Brazil. If our hosted environment does not meet your specific needs, our software can be implemented on-premises.