Last updated: April 2026
Security
rawquery stores and queries your business data. This page describes exactly how we protect it. No marketing language, just facts.
Infrastructure
All data is hosted in Frankfurt, Germany (EU) by UpCloud. No data leaves the European Union.
Your data is stored in Apache Iceberg format (open-standard Parquet files) on S3-compatible object storage, self-hosted on that same server. You can export your Iceberg tables at any time and read them with any tool that understands Iceberg.
Authentication
Passwords are hashed with Argon2id (64 MB memory cost, 3 iterations, 4 parallel lanes). Argon2id won the Password Hashing Competition and is resistant to both GPU and side-channel attacks. We never store passwords in plain text.
Authentication uses short-lived JWT access tokens (30-minute expiry) with opaque refresh tokens. Tokens are stored in the browser's local storage. Login attempts are rate-limited per IP address and per account.
API keys are stored encrypted at rest. The full key can be retrieved later with password re-authentication.
Credential encryption
When you connect a data source (Postgres, Stripe, HubSpot, etc.), the credentials are encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256 authentication). Credentials are decrypted only at sync time, never logged, and never exposed via the API.
Object storage encryption at rest
Every Iceberg data file (Parquet), manifest, and metadata object written to our object store is encrypted at rest with AES-256 server-side encryption (SSE-KMS). Encryption is applied transparently at write time; decryption happens only when an authorized query reads the data. The master key is managed by us and never leaves our infrastructure.
This means that even if someone gained raw disk access to the storage volume, the Parquet files would be unreadable without the master key.
Data isolation
Tenant data is isolated at the catalog level. Each workspace operates on its own Nessie branch, and query-time enforcement prevents cross-tenant access.
Access control uses four roles: Owner, Admin, Member, and Viewer. Every API endpoint that touches workspace data enforces role checks before executing. Role changes require Owner or Admin privileges.
The query engine enforces isolation at execution time. Queries cannot reference tables outside your workspace, regardless of SQL content.
Network
All traffic is served over HTTPS with automatic TLS certificates via Caddy. HTTP Strict Transport Security (HSTS) is enabled with a 2-year max-age.
Security headers on all responses: X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, X-Frame-Options: SAMEORIGIN.
Connectors include SSRF protection: connections to private and internal IP ranges are blocked by default. fail2ban monitors access logs and bans abusive IPs at the firewall level.
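One way to implement the private-range check described above, as an added example rather than rawquery's own connector code. The hostnames and the FAKE_DNS map are constructed so it runs offline; the public-address example 8.8.8.8 is only there as a well-known non-internal IP.

```python
import ipaddress
import socket

# ipaddress flags is_private/is_loopback/is_link_local/is_reserved already cover
# RFC 1918, 127/8, 169.254/16 (incl. the cloud metadata endpoint), 240/4, ::1,
# fc00::/7 and fe80::/10. Shared address space (RFC 6598) is not flagged.
_EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def is_blocked_address(ip_text: str) -> bool:
    """True if a literal IP must never be dialled by a connector."""
    addr = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 so ::ffff:10.0.0.1 is judged as 10.0.0.1.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in _EXTRA_BLOCKED)


def resolve_allowed_target(host: str, resolve=None) -> list[str]:
    """Resolve host and return the addresses a connector may dial.
    Rejects the host if ANY resolved address is internal: a name mapping to
    one public and one private address is treated as hostile. Dial one of
    the returned IPs instead of re-resolving the name, or a DNS rebinding
    record could swap in an internal IP between the check and the connect."""
    if resolve is None:  # default: system resolver, all address families
        resolve = lambda h: sorted({i[4][0] for i in socket.getaddrinfo(h, None)})
    addrs = list(resolve(host))
    if not addrs:
        raise ValueError(f"{host}: resolved to no addresses")
    bad = [a for a in addrs if is_blocked_address(a)]
    if bad:
        raise ValueError(f"{host}: resolves to internal address {bad[0]}")
    return addrs


# Constructed resolver standing in for DNS so the example runs offline.
FAKE_DNS = {
    "warehouse.example.com": ["8.8.8.8"],            # public only: allowed
    "rebind.example.com": ["8.8.8.8", "10.0.0.7"],   # mixed: rejected
    "meta.example.com": ["::ffff:169.254.169.254"],  # mapped metadata: rejected
}


def check(host: str) -> bool:
    """True if host passes the guard against FAKE_DNS, False if rejected."""
    try:
        resolve_allowed_target(host, lambda h: FAKE_DNS.get(h, []))
        return True
    except ValueError:
        return False
```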
Rate limiting
Query execution is rate-limited per workspace based on your plan (Free: 10/min, Team: 60/min, Business: 100/min). Rate limits are enforced server-side using a Postgres-backed sliding window. No client-side enforcement.
Billing and payment data
All payments are processed by Paddle, which acts as Merchant of Record. Paddle handles credit card processing, invoicing, taxes, and refunds. We never see, store, or process your payment card details.
Analytics and tracking
No tracking cookies. No Google Analytics. No Facebook pixel. Website analytics use Umami, self-hosted on our own server, which collects no personal data and sets no cookies. Email is sent via self-hosted Postfix and Listmonk. No external email service.
Roadmap
Planned for 2026:
- SSO (SAML and OIDC)
- Audit logs
- SOC 2 Type II
These are planned, not shipped. We will update this page when they are live.
Report a vulnerability
If you find a security issue, email hello@rawquery.dev. We will acknowledge within 2 business days and keep you informed of our progress.
The short version: Your data stays in the EU (Germany). Passwords use Argon2id. Object-storage data is encrypted at rest with AES-256, and connector credentials with Fernet (AES-128-CBC with HMAC-SHA256). Each workspace is isolated. We never touch your payment data.