Security foundation
Privacy-first by design
Gran Minerva is designed so plaintext customer PII does not enter analytics tables or AI prompts. Sensitive fields are tokenized before analytics use, and BYOT customers can keep raw PII fully outside Gran Minerva.
Tokenization before analytics
Sensitive fields are tokenized before they are used in analytics tables or AI prompts.
Tenant-aware Google Cloud controls
Customer data is protected with Google Cloud encryption controls, tenant-aware data boundaries, and least-privilege access patterns.
Controlled access
Authorized application APIs perform server-side detokenization only when permitted user workflows need real values.
What happens to customer data
- Plaintext PII is kept out of analytics tables and AI prompts.
- Deterministic tokens preserve matching and pattern detection without exposing identity fields to analytics.
- Google Cloud KMS and per-tenant keyring patterns protect encrypted data at rest.
- APIs detokenize server-side before authorized display workflows; tokens are not sent to the browser.
Current security posture
- SOC 2 Type II audit in progress.
- Privacy-request support is designed into the product; GDPR/CCPA deletion workflow work remains explicitly tracked.
- Responsible disclosure is available through security@granminerva.com.
- Public subprocessors are listed and reviewed for current architecture alignment.
Your Data, Your Control
Choose how your data is protected — or protect it yourself.
Platform Protection
- Sensitive PII fields are tokenized before analytics or AI use
- Per-tenant Google Cloud KMS keyring patterns
- No plaintext PII in analytics, logs, or AI prompts
- SOC 2 Type II audit in progress
Bring Your Own Tokenization
- Tokenize sensitive fields yourself before uploading
- We never see raw PII — only your tokens
- You maintain the token-to-PII mapping in your environment
- Open specification + SDK (Python and Node.js) planned
- Your keys, your control, your rules
Both paths deliver the same accurate drift detection. The only difference is who holds the keys.
BYOT gives security-sensitive teams a stricter option than standard platform-managed tokenization.
Contact names, emails, phone numbers, addresses, account IDs. Anything that identifies a person — we only need the pattern, not the name.
Usage metrics (logins, feature usage, session counts), financial values (MRR, contract value), NPS/CSAT scores, dates and timestamps, company demographics (industry, size, region).
- Download our tokenization specification (or install the SDK)
- Tokenize sensitive fields in your pipeline before upload
- Enable "I pre-tokenize my data" in Settings
- Upload as normal — Gran Minerva processes your tokens
- De-tokenize on your end when you need real names back
Languages: Python 3.8+ and Node.js 18+. Use your own vault or secret manager, such as HashiCorp Vault, Google Secret Manager, AWS Secrets Manager, or Azure Key Vault. Open-source release is planned. Deterministic tokens preserve accurate record matching.
Security reviews
For customer security reviews, we can share current subprocessors, privacy policy details, and security review materials. We keep roadmap items separate from implemented controls so your team can evaluate the product honestly.
Responsible disclosure
Report potential vulnerabilities to security@granminerva.com. See security.txt for details.