This guide explains how BlazeSQL supports compliance with specific regulatory frameworks. For each framework, we describe what BlazeSQL does, how to configure it for your requirements, and what documentation is available.
For BlazeSQL's general security posture, see the Security Overview.
| Requirement | How BlazeSQL Addresses It |
|---|---|
| BAA coverage | Sign a BAA with BlazeSQL as part of an enterprise contract |
| Access controls | Use SSO (SAML/OIDC) with your organization's identity provider |
| Audit trail | Enable enterprise logging for user activity and security events |
| Data deletion | Use self-service deletion controls; request bulk deletion via support |
To set up a HIPAA-compliant deployment: Contact [email protected] to discuss your requirements and initiate the BAA process.
FERPA — Family Educational Rights and Privacy Act
Who This Applies To
Educational institutions that receive funding from the U.S. Department of Education and handle student education records.
How to Configure BlazeSQL for FERPA Requirements
FERPA restricts disclosure of personally identifiable information from education records. BlazeSQL can be configured so that student data never leaves your institution's control.
Data Sharing Agreements: FERPA's "school official" exception requires specific contractual language governing access to student data. BlazeSQL can work with your institution to establish appropriate data sharing agreements that include required FERPA provisions. Contact [email protected] to initiate this process.
Recommended FERPA Configuration:
| Requirement | How BlazeSQL Addresses It |
|---|---|
| Student data stays within institution control | Use the Desktop app (results stay local) or the Database Connection API (results stay in your infrastructure) |
| No unauthorized disclosure | Only invited users can access databases; the admin controls all permissions |
| AI model does not retain student data | Zero Data Retention on all AI calls — data is not stored or used for training |
| Audit capability | Enterprise logging tracks who accessed what data and when |
| Data minimization | BlazeSQL needs only schema metadata to generate queries. With offline mode enabled (the default), actual student records stay on the user's device. |
What syncs to BlazeSQL servers (even with Desktop app):
Schema metadata (table names, column names, data types)
Chat messages (your questions to the AI)
Database credentials (except for SQL Server connections using Windows Authentication or Entra authentication)
If your table or column names contain student-identifiable information, the Desktop app or Database Connection API configuration prevents actual record data from leaving your environment, while schema metadata is encrypted in transit and at rest.
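Because only schema metadata (table names, column names, data types) syncs, the practical check an institution can run is on that metadata: confirm it carries no row values, and flag identifiers that themselves read as student-identifying. The following is an added example, not BlazeSQL code; it uses a constructed SQLite database, a hypothetical list of name patterns, and a JSON serialization that stands in for whatever BlazeSQL's real sync format is (the page does not describe it).

```python
import json
import re
import sqlite3

# Constructed sample database for illustration only (not BlazeSQL data).
SAMPLE_DDL = """
CREATE TABLE student_records (
    student_id INTEGER PRIMARY KEY,
    ssn TEXT,
    full_name TEXT,
    gpa REAL
);
CREATE TABLE courses (course_code TEXT, title TEXT);
INSERT INTO student_records VALUES (1, '123-45-6789', 'Ada Lovelace', 3.9);
INSERT INTO courses VALUES ('CS101', 'Intro to Programming');
"""

# Hypothetical heuristic list of identifier fragments that suggest
# student-identifiable information; extend it for your own naming conventions.
PII_NAME_PATTERNS = [r"\bssn\b", r"social", r"name", r"birth", r"\bdob\b",
                     r"email", r"phone", r"address"]


def open_sample_db():
    """Create the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DDL)
    return conn


def extract_schema_metadata(conn):
    """Collect only table names, column names and declared types. No rows are read."""
    meta = {}
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    ).fetchall()
    for (table,) in tables:
        cols = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        meta[table] = [(c[1], c[2]) for c in cols]
    return meta


def find_identifying_names(meta):
    """Return (table, identifier) pairs whose names look student-identifying."""
    flagged = []
    for table, cols in meta.items():
        for name in [table] + [col for col, _ in cols]:
            if any(re.search(p, name, re.IGNORECASE) for p in PII_NAME_PATTERNS):
                flagged.append((table, name))
    return flagged


def payload_leaks_row_values(meta, conn):
    """True if any string cell value from the database appears in the serialized metadata.

    This is the data-minimization check: the payload that leaves the device
    must contain structure only, never record contents.
    """
    payload = json.dumps(meta)
    for table in meta:
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            for value in row:
                if isinstance(value, str) and len(value) >= 3 and value in payload:
                    return True
    return False


if __name__ == "__main__":
    db = open_sample_db()
    metadata = extract_schema_metadata(db)
    print("metadata payload:", json.dumps(metadata, indent=2))
    print("identifiers to review before sync:", find_identifying_names(metadata))
    print("row values present in payload:", payload_leaks_row_values(metadata, db))
```

Flagged identifiers are a review list, not a block: a column called `full_name` is structural information, but an institution may still prefer to alias or exclude such tables before connecting them, which is the decision the paragraph above leaves to you.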
Recommended deployment for universities:
Use the Desktop app with default settings (offline mode on)
Or deploy the Database Connection API so query execution stays within your infrastructure
Enable SSO to integrate with your campus identity provider
Enable enterprise logging for FERPA audit requirements
HECVAT: BlazeSQL can complete the Higher Education Community Vendor Assessment Toolkit (HECVAT) questionnaire for universities that require it as part of their vendor assessment process. Contact [email protected] to request a completed HECVAT.
GLBA — Gramm-Leach-Bliley Act
Who This Applies To
Financial institutions that handle nonpublic personal information (NPI) of customers.
How to Configure BlazeSQL for GLBA Requirements
GLBA requires financial institutions to protect the security and confidentiality of customer NPI. BlazeSQL's security controls — AES-256 encryption, access controls, SSO, audit logging, and incident response — support GLBA safeguard requirements.
Recommended configuration for financial institutions:
Use Desktop app or Database Connection API to keep customer financial data within your infrastructure
Enable SSO with your institution's identity provider
Enable enterprise logging for audit and compliance reporting
Financial institutions should evaluate BlazeSQL's controls against their specific GLBA compliance requirements. See the Security Overview for full details.
PCI DSS — Payment Card Industry Data Security Standard
BlazeSQL does not process, store, or transmit payment card data. Payment processing is handled by Stripe, which is PCI DSS Level 1 certified.
SOC 2
BlazeSQL runs exclusively on Google Cloud Platform, which holds SOC 1, SOC 2, and SOC 3 certifications covering its security, availability, and confidentiality controls.
BlazeSQL's application-layer security controls (access management, encryption, logging, incident response) are documented in the Security Overview and Vendor Security Assessment.
Data Residency
Data residency requirements vary by regulation and jurisdiction:
| Regulation | Data Residency Consideration |
|---|---|
| GDPR | Personal data of EU residents can be transferred outside the EEA with appropriate safeguards (e.g., Standard Contractual Clauses). BlazeSQL is based in Luxembourg (EU) and uses SCCs for any non-EEA transfers. |
| HIPAA | No specific geographic requirement, but PHI must be protected per BAA terms regardless of location. |
| FERPA | No specific geographic requirement, but data must be under institutional control. Desktop app or DB Connection API recommended. |
| GLBA | No specific geographic requirement, but safeguard requirements apply. |
For enterprise deployments requiring specific data residency, BlazeSQL can be deployed in dedicated GCP regions. Contact [email protected] to discuss options.
General Configuration Guidance
Maximum Data Isolation
For organizations with the strictest compliance requirements, regardless of specific regulation:
Database Connection API — Query processing stays within your infrastructure. BlazeSQL sends SQL queries to your API endpoint; results go directly from your storage to the end user's device.
Desktop App (offline mode) — Query results never leave your device. Schema metadata and chat messages still sync to BlazeSQL servers (encrypted).
Data Flow Comparison
| Deployment Model | Schema Metadata | Query Results | Chat Messages | AI Processing |
|---|---|---|---|---|
| Desktop App (default) | BlazeSQL servers (encrypted) | Local device only (offline mode on by default) | BlazeSQL servers (encrypted) | GCP Vertex AI (ZDR) |
| Web App | BlazeSQL servers (encrypted) | BlazeSQL servers (encrypted) | BlazeSQL servers (encrypted) | GCP Vertex AI (ZDR) |
| DB Connection API | BlazeSQL servers (encrypted) | Customer infrastructure | BlazeSQL servers (encrypted) | GCP Vertex AI (ZDR) |
Common Questions
"Can we get a BAA?"
Yes. BlazeSQL has a BAA with Google and can sign BAAs with enterprise customers for HIPAA compliance. Contact [email protected].
"Do you support our compliance framework?"
If your framework isn't listed here, contact us. BlazeSQL's flexible deployment model (Desktop, Web, DB Connection API) can be configured to meet specific regulatory requirements.
"What's the fastest way to evaluate BlazeSQL for compliance?"
Review the Security Overview and Vendor Security Assessment
Start with the Desktop app for a zero-risk proof of concept (query results stay local with offline mode, on by default)
Contact [email protected] for your specific compliance discussion
Contact
For compliance questions, BAA requests, or regulatory framework discussions:
© Blaze Analytics vGmbH (LU35935057), 23 Boulevard Friedrich Wilhelm Raiffeisen, 2411 Luxembourg
