Prepared by: Blaze Analytics vGmbH
This document provides pre-filled answers to common vendor security assessment questions. If your organization uses a specific security questionnaire or vendor risk platform (SIG, CAIQ, HECVAT, etc.), contact [email protected] and we will complete it for you.
Registration | LU35935057 |
Address | 23 Boulevard Friedrich Wilhelm Raiffeisen, 2411 Luxembourg |
Product | BlazeSQL — AI-powered SQL data analyst |
Enterprise contact |
2. Service Description
BlazeSQL connects to customers' SQL databases and answers data questions in natural language. It generates SQL queries, executes them, and returns results as tables, charts, and dashboards.
Key architectural principle: BlazeSQL never imports or copies customer databases in full. To generate queries, it accesses schema metadata (table names, column names, data types). With offline mode enabled (default on Desktop), only schema metadata leaves your device. When offline mode is disabled, query results are also sent for deeper AI analysis. Actual data rows are queried on demand.
Encryption: All data stored on BlazeSQL servers is encrypted with AES-256 at rest and TLS 1.2+ in transit. Zero Data Retention (ZDR) is enabled on all AI model calls.
Deployment options:
Desktop app — query results stay local on the user's device by default (offline mode enabled)
Web app — results stored encrypted on BlazeSQL's GCP infrastructure
Database Connection API — all query processing stays in the customer's own infrastructure
3. Data Handling and Classification
What data does BlazeSQL access?
Database schema metadata (table/column names, data types) — always
Database credentials — all deployment models, stored encrypted. Exceptions: SQL Server Windows Authentication uses device credentials; Entra Authentication is token-based, with no stored credentials
Query results — web app stores server-side; desktop app stores locally (offline mode, on by default); DB Connection API stores in customer infrastructure
Chat messages — stored encrypted on BlazeSQL servers
Unique values for categorical columns (column samples) — optional, stored encrypted
Is customer data used for AI model training?
No. BlazeSQL does not train models on customer data. Zero Data Retention (ZDR) is enabled on all AI model calls via GCP Vertex AI, meaning prompts and responses are not stored by Google and are not used for model training.
How is customer data used?
Solely to provide the BlazeSQL service: answering questions, generating SQL, displaying results, enabling dashboards and collaboration.
Data classification:
BlazeSQL processes data across a range of sensitivity levels depending on the customer's database contents. This is why BlazeSQL offers multiple deployment models — customers with highly sensitive data (PHI, student records, financial NPI) can use the Desktop app or Database Connection API to keep data rows entirely within their own environment. Schema metadata and chat messages are classified as confidential and are encrypted at rest and in transit.
4. Encryption and Key Management
| Control | Implementation |
| --- | --- |
| Encryption at rest | AES-256 across all GCP data centers |
| Encryption in transit | TLS (HTTPS) for all client-server communication |
| Database encryption (Firestore) | AES-256 at rest, TLS in transit, custom security rules |
| Key management | Google-managed encryption keys by default |
| Hardware security modules | Cloud HSM available for enterprise (FIPS 140-2 Level 3) |
5. Access Control and Authentication
User access model:
Database access is controlled by the admin who added the database
Only explicitly invited users can access a database
Permission levels: read-only or read-write (set by admin)
All users require unique accounts
Authentication methods:
Standard: email and password
SSO: SAML 2.0 and OpenID Connect
Multi-Factor Authentication (MFA): Two-factor authentication (2FA) is available natively. MFA is also enforced through your identity provider when using SSO (SAML/OpenID Connect).
Service principal / enterprise identity provider integration available (e.g., Microsoft Entra ID)
Internal access (BlazeSQL employees):
Production data access is restricted to personnel required for service operation and support
All production access is logged and reviewed regularly
Access is revoked promptly upon departure or role change
6. Network Security
BlazeSQL servers run in a firewalled, non-public subnet on GCP
Web app uses a static IP address for customer firewall whitelisting
All communication encrypted via TLS
GCP's built-in DDoS protection and network security controls apply
7. Vulnerability Management and Security Testing
Penetration testing:
Application-layer penetration testing is conducted by a qualified third-party firm. Results are available to enterprise customers under NDA. BlazeSQL's infrastructure inherits GCP's continuous security testing program.
Dependency scanning:
GitHub Dependabot scans for known vulnerabilities in third-party dependencies.
Bug reporting:
Security issues can be reported to [email protected].
8. Software Development Lifecycle (SDLC)
BlazeSQL follows secure development practices:
Code review: All code changes require peer review via GitHub pull requests before merge.
Dependency management: GitHub Dependabot monitors third-party dependencies for known vulnerabilities.
Deployment: Deployments are managed through controlled release processes. Production changes require code review approval before merge.
9. Physical Security
BlazeSQL has no physical infrastructure. All computing, storage, and networking runs on Google Cloud Platform data centers. GCP data centers are certified under ISO 27001, SOC 2, and other standards, and include physical security controls such as biometric access, 24/7 monitoring, and environmental protections. See Google's data center security documentation.
10. Incident Response
BlazeSQL follows a structured six-step incident response process:
Identification: GCP security monitoring and real-time alerting flag anomalous activity
Assessment: Security team evaluates severity, scope, and potential impact
Containment: Affected components isolated immediately to limit exposure
Eradication: Root cause identified and eliminated
Recovery: Services restored using GCP backup and recovery infrastructure
Post-Incident Review: Root cause analysis, effectiveness review, prevention planning
Notification: Affected customers are notified promptly in accordance with applicable regulations (e.g., GDPR requires notification within 72 hours of becoming aware of a personal data breach).
11. Business Continuity and Disaster Recovery
BlazeSQL runs on Google Cloud Platform, which provides built-in redundancy across availability zones
Data is stored in GCP Firestore with automatic replication
Backups are taken daily and retained for 30 days
Recovery Point Objective (RPO): 24 hours
Recovery Time Objective (RTO): 7 days
GCP's backup and recovery infrastructure supports service restoration
For enterprise deployments, custom backup and DR configurations are available
12. Compliance and Certifications
GCP Infrastructure Certifications (held by Google Cloud Platform, not BlazeSQL)
| Certification | Held By | Scope |
| --- | --- | --- |
| SOC 1, SOC 2, SOC 3 | Google Cloud Platform | Security, availability, and confidentiality controls |
| ISO 27001, ISO 27017, ISO 27018 | Google Cloud Platform | Information security and cloud security management |
| GDPR | Google Cloud Platform | EU data protection regulation |
| CCPA | Google Cloud Platform | California Consumer Privacy Act |
| HIPAA | Google Cloud Platform | Health Insurance Portability and Accountability Act |
| FIPS 140-2 Level 3 | Google Cloud Platform | Cryptographic key management (via Cloud HSM) |
BlazeSQL's compliance posture:
GDPR compliant (data subject rights, data export within 14 days, deletion controls, subprocessor transparency)
CCPA compliant
HIPAA-ready (BAA with Google in place; customer BAAs available for enterprise contracts)
Zero Data Retention verified on all AI model calls
13. Third-Party / Subprocessor Management
| Subprocessor | Service | Data Processed | Location |
| --- | --- | --- | --- |
| Google Cloud Platform | Cloud infrastructure, compute, storage | All service data | EU / US (configurable) |
| Google Vertex AI | AI model inference | Chat prompts (ZDR enabled — not retained) | EU / US |
| Google Cloud Firestore | Application database | Account data, schema, chats, query results | Per GCP region |
| Crisp | Customer support live chat | Name, email, support conversations | EU (Netherlands / Germany) |
| Stripe | Payment processing | Payment details, billing email, transaction data | US |
BlazeSQL will notify customers of material changes to subprocessors.
14. Data Retention and Disposal
Active accounts: Data retained until user deletes it or closes account
Self-service deletion: Users can delete any stored data — including chats, queries, dashboards, results, database connections, credentials, and schema metadata — at any time
Bulk deletion: Organization-wide deletion available via support
Account closure: All associated data deleted, subject to any legally required retention periods
Source databases: Never modified or affected by BlazeSQL deletion actions
Data export: Machine-readable export available within 14 days upon request
Backups: Retained for up to 30 days following deletion, then permanently removed
Server logs: Retained for a minimum of 1 year. Available for audit purposes or deleted upon request.
15. Employee Security
Production system access is restricted to personnel required for service operation
Unique accounts required; shared credentials are not permitted
All production access is logged
Employees with access to customer data are bound by confidentiality and non-disclosure agreements
Access is revoked promptly upon departure or role change, including deprovisioning of all accounts and credentials
All team members receive security awareness onboarding. Access to production systems requires completion of security training.
16. Additional Information
Static IP for whitelisting: Available for web app database connections
Database Connection API: Query processing stays entirely within customer infrastructure — maximum data isolation option
Dedicated GCP region: Available for enterprise data residency requirements
Contact
For security assessments, questionnaire completion, or additional documentation:
