A Focus on


Secure, Down to the Foundation

Sigma sits atop your existing cloud database, using a secure connection to query your data warehouse directly. Sigma writes a query to access the data needed to answer your question and returns the result in the browser - we never store any data at rest.

Because Sigma provides a single point-of-access for your data, you can establish robust data governance, enabling all within your organization to answer their own questions, while keeping report sprawl to a minimum and access to sensitive information restricted. Administrators can set permissions by team and namespace, and can restrict data access directly from the database as well.  

Sigma uses Google Cloud Platform to offer industry-standard security, availability, and durability.

Sigma Security Architecture

Sensitive metadata is encrypted at-rest with per-organization keys. Sigma does not cache or copy data onto its own servers. Sigma supports Security-Conscious functionality like SSO, DB-Enforced OAuth, Usage Audits (coming soon).

SOC - 2

Sigma leverages established best practices for security controls as part of our security program. We work with AICPA-certified, third-party auditors to maintain security compliance including SOC 2, Type II.  Prospective and existing Sigma customers and partners can request a copy of our SOC 2 Type II report.  

For full SOC - 2 report, you can send a written request.

Cloud Security Alliance (CSA)

Sigma has completed the CSA's "Consensus Assessments Initiative Questionnaire” (CAIQ), which provides a set of questions a cloud consumer may wish to ask to ascertain their compliance to the Cloud Controls Matrix and CSA best practices. It is available for download and is updated periodically.


At Sigma, we firmly support the GDPR - in practice and in philosophy.  We work with our customers in the European Economic Area to assure compliance with personal data handling requirements and cross-border transfer requirements under GDPR.
As a processor, we process data (including potentially personal data) on behalf of our customers.  We expect that some of our customers will require us to enter into a data processing addendum (“DPA”), per Article 28 of the GDPR.  
Sigma uses several subprocessors. The majority of our obligations hinge on our primary subprocessor: Google Cloud Platform.  GCP touts a strong commitment to compliance with GPDR, using transparent and well-vetted controls across their platform.  Read more about Google Cloud Platform's commitment to GDPR.

Healthcare Data

Sigma is currently undergoing attestation for the processes and controls required by the U.S. Health Insurance Portability and Accountability Act (HIPAA), to be completed in 2019.

See Cloud-Native Analytics in Action