Security isn't a feature.
It's the foundation.
Klairr is built for organizations that take data seriously. Every layer — from how we query your data to how we store credentials — is designed around a simple principle: your data stays yours.
Data protection
Your data stays yours
We never copy your database. We never store your raw data. Every query is executed in real time against your own data source.
Read-only connections
All database connections are read-only by default. DML statements (INSERT, UPDATE, DELETE) are blocked at the guardrail layer before they ever reach your database.
No bulk data replication
We never copy or replicate your database. Queries are executed against your data source in real time, and only the results are returned.
Result samples only
Each question returns up to 20 rows of data. Full table exports and bulk downloads are not supported by design.
Credential recommendations
We recommend customers provide read-only database credentials with access scoped to only the schemas and tables needed.
Encryption
Encrypted everywhere
Credentials never logged. Never displayed. Never accessible after setup.
In transit
TLS 1.2+
All data in transit is encrypted using TLS. Every connection between clients, APIs, and data sources is secured.
Credentials at rest
AES-256-GCM
Database credentials and secrets are encrypted with AES-256-GCM before storage. They are never logged, never displayed after setup, and never accessible in plaintext.
Data at rest
MongoDB Atlas encryption
All stored data is encrypted at rest using MongoDB Atlas built-in encryption with customer-isolated databases.
Access control
The right access for every role
Four distinct roles with granular permissions. Every user sees only what they should.
| Role | Description | Permissions |
|---|---|---|
| Admin | Full platform access | Manage connectors Manage users and roles Access GRC dashboard Configure AI Memory Set spend limits |
| Power User | Advanced query capabilities | Ask questions across all connectors SQL Live Edit Create and share reports Schedule report refreshes |
| Analyst | Standard data access | Ask questions View generated SQL Save answers to reports Access assigned connectors |
| Member | Basic read access | Ask questions View answers and reports Access assigned connectors only |
Connector-level access
Control which data sources each user or role can query. Users only see connectors they have been granted access to.
Production connector warnings
Connectors marked as production display a visible warning to all users, reinforcing awareness when querying live data.
Per-user spend limits
Admins can set monthly LLM cost caps per user. When a user hits their limit, queries are paused until the next billing cycle.
Governance
Audit everything
A built-in GRC dashboard gives admins full visibility into every question asked, every action taken, and every risk signal detected.
Question audit trail
Every question, the generated SQL, the data source, the user, and the timestamp are logged and searchable.
Admin action logging
User management changes, connector modifications, AI Memory edits, and role assignments are all recorded.
Risk signals
The GRC dashboard surfaces anomalies and risk indicators, including unusual query patterns and access attempts.
CSV export
Export audit logs as CSV for external compliance tools, SOC reviews, or internal reporting.
Date filtering
Filter audit data by date range to investigate specific incidents or generate periodic compliance reports.
AI safety
AI you can trust
Every AI-generated answer passes through multiple safety layers before reaching the user.
Confidence scoring
Every answer receives one of four confidence levels: High, Medium, Low, or Uncertain. Users see the score before relying on the result.
SQL guardrails
Generated SQL is validated before execution. DML, DDL, and unsafe patterns are blocked. Only SELECT queries pass through.
LIMIT injection
Every query has a LIMIT clause injected automatically to prevent runaway queries and excessive data retrieval.
Byte budget enforcement
Response payloads are capped to prevent excessively large result sets from consuming resources or leaking sensitive data.
No fabrication
Answers are grounded in actual query results. The system does not fabricate data. If a query returns no results, the user is told so.
Infrastructure
Built on proven infrastructure
Hosted in the EU on AWS with industry-standard components at every layer.
| Component | Technology |
|---|---|
| Cloud provider | AWS |
| Region | eu-central-1 (Frankfurt) |
| Compute | Node.js on Amazon ECS |
| Static assets | S3 + CloudFront CDN |
| Database | MongoDB Atlas (encrypted, isolated) |
| Cache | Redis |
| Authentication | JWT-based session tokens |
| AI provider | Anthropic Claude API |
Have security questions?
We take security seriously and are happy to discuss our practices in detail. Reach out to our security team or start using the platform today.
No credit card required