Security
Read-only by construction.
trend was designed so the most damaging mistakes we could make structurally can’t happen. Your warehouse is read-only. Your credentials are encrypted. Your data stays yours.
Read-only, three layers deep
We ask for SELECT-only warehouse credentials. Our SQL validator rejects any statement that isn’t a query. Every session sets the warehouse’s read-only flag (Postgres, MySQL, Snowflake) or authenticates as an IAM-scoped read-only principal (BigQuery). Any single layer failing still leaves two more.
Details →AES-256-GCM at rest
Warehouse credentials, API keys, and service-account JSON blobs are encrypted before they hit our database. The encryption key lives in an environment variable separate from the DB. Nothing usable ever lands in a backup or a snapshot.
Details →Workspace isolation via RLS
Every table with tenant data has Row-Level Security policies keyed on workspace_id. Enforcement happens in Postgres — not just in application code. Even a bug in a query can’t leak data across workspaces because the DB itself refuses the read.
We don’t store your query results
Every chart re-runs its query against your warehouse on each load. We hold the query text (the SQL you wrote) so dashboards can reload — but never the rows. Your data stays in your warehouse.
Encryption in transit
Every request between your browser, our servers, and your warehouse rides TLS 1.2 or higher. Certificate validation is enforced for warehouse connections — we won’t connect to a warehouse presenting an untrusted cert unless you explicitly configure that per connection.
Access controls
Every workspace has role-based access: owner, editor, viewer. Owners manage billing and members. Editors modify datasets and dashboards. Viewers can read published dashboards but can’t change them. All admin actions (create, delete, permission changes) are recorded in an audit log the workspace owner can review.
Embed customers
Embed customers authenticate via short-lived JWTs your server signs. Every embed query resolves {{trend.attributes.*}} variables from the JWT before compiling SQL — so a customer viewing their embedded dashboard physically cannot query rows belonging to another customer. The isolation is enforced at query compile time, not by filters your application code has to remember to set.
Subprocessors
We rely on a small set of vendors: Stripe (payments) and Anthropic (AI, only when a workspace has opted in). We don’t send warehouse data or query results to any of them — only workspace metadata needed to run the service.
Reporting a vulnerability
If you find a security issue, please email security@trend.dev with a description and steps to reproduce.
Learn more
The full engineering details of each layer live in the security docs. If you have specific compliance or procurement questions not covered here, reach us at security@trend.dev.