SECURITY

A broker that touches your warehouses has no room for "trust us."

Quernos sits between your tools and your engines, which means our security model has to be inspectable, not asserted. This page describes how we actually handle credentials, data, results, and evidence. If your security team wants more depth, we'll walk them through the architecture directly.

Your data stays yours

Tables live in your object store, in open formats, in your cloud account. Quernos reads; it does not copy your lake.

No standing credentials

Access is short-lived and scoped per operation — assumed roles and freshly issued tokens, never long-lived secrets sitting in our data path.

Everything is evidence

Every routing decision, credential issuance, and verification result is logged with its rationale — exportable to you.

Credentials and keys

The data path

Correctness as a security property

A router that silently returns wrong answers is a security problem, whatever the compliance paperwork says. Routed queries are checksum-compared against the source engine on a sampled basis; a disagreement quarantines the route, falls the query back to your original engine, and preserves the evidence for you.

Audit

Every routing decision records what was chosen, what was rejected, and the cost model's reasoning at that moment. Credential issuance and administrative access are logged the same way. The log is append-only, retained immutably, and exportable — built for the question "why did this query run there?", whether it comes from your engineer or your auditor.

Compliance

Our SOC 2 program is underway; report status and timelines are available to customers and prospects under NDA. The tenant-isolation, audit, and erasure controls described above are built into the platform's foundations rather than assembled for the audit.

Reporting a vulnerability

Write to security@quernos.com. We acknowledge reports within two business days, and we don't take legal action against good-faith research.