This section lists the questions most frequently asked by our current and prospective users about our security posture.

What data ends up in Paradime?

We store the following data:

  • Source code from the git repository, in password-protected FSx file shares.

  • Commit hashes and filenames from the git repository, in AWS RDS.

  • SSH keys to access the git repo in GitHub / Bitbucket / GitLab, in HashiCorp Vault.

  • API credentials to access third-party applications like Looker and Tableau, in HashiCorp Vault.

  • Metadata from the Looker or Tableau API, in AWS RDS. Only metadata is stored, not any actual company-specific data that is being viewed in the dashboards; the APIs don’t allow that in the first place.

  • Operational data from user interaction and processing, in AWS RDS. For example, Paradime displays dependency diagrams of how various dbt™️ files from the git repo relate to each other. We store the dependency information, i.e. the relationship between files, commit hashes and file names, but not file contents.

How will users be provisioned in Paradime and how do we authenticate?

Company users need to be added to Paradime by the admin, either through Slack (which requires the Paradime Slack App to be installed in your Slack workspace) or through email. When the invited user clicks on the invitation link, they are directed to the Paradime sign-up page. If the admin enables Auto-join domains, then anybody with an email in that domain and in that company can join Paradime, but they will be granted a read-only business user license. A business user can only view and interact with a production version of the catalog and lineage.

We use Auth0 for authentication. For every company, we create a separate organisation in Auth0. Company employees have to enter the organisation name at signup/login and are then directed to Google authentication by default, or Okta, or both, based on the company-specific setup. Because we use Auth0, we can support any other authentication, including SSO using Okta, Azure Active Directory, Google Workspace etc. Also, we don’t store any user auth data in our systems; all user auth data is stored by Auth0.

How is data protected at rest?

At rest, each company has its own database in our Postgres instance. Database access is protected by a randomly generated username and password that are unique to each company. The username and password are then stored in a HashiCorp Vault instance unique to each company, within the company’s cluster namespace, and the Vault is sealed with AWS KMS keys, which are rotated every year.

Where is this VPC located? Can we choose?

Currently we support VPCs located in:

  • London (eu-west-2)

  • Frankfurt (eu-central-1)

  • Ireland (eu-west-1)

  • N. Virginia (us-east-1)

  • Singapore (ap-southeast-1)

  • Sydney (ap-southeast-2)

If you are on the Enterprise plan, you can choose any region at startup. This setting cannot be changed later. On other plans, EU regions default to London and US regions default to N. Virginia.

If we wanted to delete a piece of data, how would that work? Let's say we mistakenly committed something in a repo: how will we replicate the deletion to Paradime, both soft and hard?

We store a cloned copy of the repo in a password-protected FSx file share; this is where all the file contents are. In our database we store only the filenames and commit hashes, not file contents. We parse file contents in memory but never store them.

So if something gets committed by mistake and you delete that file from the repo, the file will also get deleted from the FSx share when users sync their repo with the remote git repo.

If you want to delete the commit hash too, give us the hash and we will hard delete it from our database.

How long is the data retention period post deletion?

At the moment we retain your data for 90 days post deletion, as we have not yet come across any legal basis to retain it for longer. This may change if a regulatory need arises, but otherwise it won’t.

Will there be a need for some data to be migrated? How will this transfer occur?

No existing data from company systems needs to be migrated to use Paradime. We get all the data needed to use Paradime from the git repository.
