Safe to point AI at your database, because it's read-only by code, not by prompt.

Before you let any AI tool touch your production Postgres, here is exactly what Chion can see, what it can never do, and where your data goes. Every query is a verified read-only SELECT, validated in code before it reaches your database. Send this page to your security team before they ask.

Watch the demo →

AES-256-GCM vaultIn production
TLS 1.3 in transitIn production
Read-only SELECTIn production

Read-only SELECT. AES-256-GCM credential vault. 1,000-row cap. Immutable audit log. Raw rows never leave for the LLM.

"In production" means the control is implemented and enforced in code today. Chion does not yet publish a live status page or third-party SLO telemetry.

Every query is verified read-only before it touches your database

Two validator layers, a typed SQL contract, RLS-honored execution.

Chion runs every question through a typed contract and a two-layer validator before it reaches your database. Read-only SELECT enforced at the first layer. SQL contract bound to your RLS-aware schema at the second layer. That is how a SQL agent differs from a plain text-to-SQL tool, and the reason Chion can promise the four invariants above.

Top 10 security questions answered

The questions your security team will ask, answered upfront.

1Can Chion write to, modify, or delete data in my database?
No. Every query Chion generates is a SELECT statement. Multi-stage safety: the read-only database role you provide, the SQL contract that bounds generation, and runtime validation (a two-layer validator that blocks writes and enforces the SQL contract) before execution. Any non-SELECT is rejected before it reaches your database.
2Does Chion train AI models on my data?
No. We use Anthropic Claude (Haiku, Sonnet, and Opus) via paid commercial API tiers. Provider terms prohibit training on customer inputs. OpenAI and Google are available on request.
3Does Chion sell my data?
No. Chion will never sell, license, rent, or share your data or metadata with any third party. There is no advertising business model here.
4Where are my database credentials stored?
In an encrypted vault using AES-256-GCM. Plaintext credentials are loaded into memory only at the moment a connection is opened, used for the socket handshake, and immediately destroyed. Credentials are never logged and never returned in API responses.
5What data leaves my database?
Only the aggregated results of the specific SELECT you asked for, capped at 1,000 rows or 12,000 cells. Raw row-level data is never sent to LLM providers. The model receives structural metadata and summaries, and returns SQL.
6Who can see my queries inside Chion?
Only you, under your authenticated session. All tables use PostgreSQL Row-Level Security so one customer's data cannot be read by another. Every access event is logged to a write-only compliance log.
7Is Chion SOC 2 certified?
Not today. Chion is a pre-seed startup. Security controls are implemented in code. Formal certifications are not yet scoped.
8Is Chion GDPR compliant?
Chion processes only structural metadata and aggregated results; no personal data leaves your database unless you query it. A formal GDPR program is not yet scoped.
9What happens to my data if I cancel?
When you disconnect a data source, all semantic metadata, embeddings, and cached samples for that source are purged. Query results are session-only and discarded when the session ends. Conversation history is deleted on account deletion.
10How do I report a vulnerability?
Email contact@chion.ai.

Exactly what an AI gets to see in your database, and what it never touches

A table of exactly what data Chion accesses, and what it never touches.

What Chion seesWhat Chion never sees
Table names, column names, and data typesRaw rows from tables you haven't queried
The specific SELECT query you asked forYour database password (encrypted and purged after each connection)
Aggregated results of that query (≤1,000 rows)The contents of tables outside your connected role's permissions
Randomly sampled column values used to teach the system your nomenclatureProduction writes: Chion cannot INSERT, UPDATE, DELETE, or DROP
Your questions and the SQL we generate for youAnything another Chion customer's database contains
Whether a query succeeded or failedFiles, application logs, or anything outside your PostgreSQL instance
Instructions hidden in your dataTreated as data, never executed: user input is escaped before it reaches the model

The guardrails you'd otherwise build yourself, already enforced in code

Most teams assemble this themselves: a read-replica, a least-privilege role, a hand-written query allowlist, or an MCP gateway you configure and maintain yourself. Chion enforces all of it in code by default.

Read-only SQL enforcement

Every query is SELECT-only. The read-only database role you provide, the SQL contract that bounds generation, and runtime validation (a two-layer validator that blocks writes and enforces the SQL contract) before execution. Any non-SELECT is rejected before it reaches your database.

AES-256-GCM credential vault

Database credentials are encrypted at rest with AES-256-GCM using a Load-Consume-Purge pattern. Plaintext is loaded into memory, consumed for the socket handshake, and immediately shredded. Credentials never persist in application memory beyond the connection moment.

Row-level security

We connect using the role you provide. Your PostgreSQL RLS policies are enforced on every query: from schema ingestion through column profiling to every query execution. We never elevate privileges or bypass access controls.

LLM data isolation

LLM providers receive only structural metadata and aggregated query results. Raw row-level data never reaches our LLM providers. Query results (≤1,000 rows) are processed server-side for chart rendering, held in memory during your session, and discarded when the session ends. Nothing is stored, cached, or retained by the model provider.

Data handling

What we store, what we discard, and when.

Query results are held in memory during your session for chart rendering. They are not persisted to disk or stored long-term. When you close the session, results are discarded.

Schema metadata (table names, column types, cardinality) is stored server-side to enable contract-based SQL generation. This metadata contains no actual data values.

What we store. Randomly sampled column values (e.g., top categories by frequency) used to build a semantic catalog, and structural metadata (table names, column types, relationships). This teaches the system your nomenclature, not your data.

Credentials are encrypted in our vault and never transmitted in plain text. Every credential operation is logged to our security audit trail.

Conversations (your questions and generated SQL) are stored to enable conversation history. They do not contain raw data rows.

Full data retention terms are in our Privacy Policy.

Credential & session lifecycle

Rolling sessions, automatic renewal, and credential purge.

Rolling sessions with automatic renewal

Database sessions roll on a 24-hour cycle with automatic renewal on successful validation. Credentials are scrubbed after 3 consecutive failures or explicit disconnect. A 30-day reconnect hint preserves non-secret topology (host, port, schema names) so re-authentication requires only a password, no full reconfiguration.

Hand your security team the DPA, sub-processor list, and on-prem path

The controls enterprise buyers expect at scale.

For enterprise buyers evaluating Chion at scale: DPA on request, full sub-processor disclosure. On-prem and dedicated-GPU deployment via CoreWeave, plus per-deployment model choice across OpenAI, Anthropic, and Google, are planned for the Enterprise tier. Contact us about the roadmap and pilot eligibility. Same read-only pipeline as Starter/Pro/Max.

See Enterprise pricing or contact us to scope a deployment.

Deployment flexibility

Cloud today; dedicated GPU and on-premise on the Enterprise plan. Same pipeline guarantees.

Your deployment, your rules

Choose between managed cloud providers (OpenAI, Anthropic, Google), dedicated GPU infrastructure via CoreWeave, or fully on-premise models behind your firewall. Every option runs the same read-only, zero-export pipeline with identical isolation guarantees.

No architectural compromises, no vendor lock-in. Whether the model runs on a managed provider's API or a self-hosted instance in your data center, the contract is the same: metadata and summaries in, SQL out. Raw rows never cross the boundary.

Who owns security at Chion

Security principles and ownership across the engineering team.

Fail-closed, not fail-open

When any invariant is violated, the system stops and surfaces the error. No silent recovery.

Owner: Engineering

Data minimalism

We collect only the structural metadata we need to generate correct SQL. We do not hoard.

Owner: Engineering

Vault-only credentials

Every database password lives in an AES-256-GCM vault and is purged from memory within milliseconds of use.

Owner: Engineering Lead

Everything is audited

Every credential operation, every query, every connection event writes to a write-only compliance log. Target retention: up to 12 months for security events, 30-day rolling for diagnostic logs. Actual retention is governed by our database retention policy.

Owner: Engineering

Honest compliance

We publish what's shipped and what's in progress. We do not claim certifications we do not hold.

Owner: Jonathan Dag & Legal

Compliance posture

What certifications we hold, what's in progress, and what's honest.

Chion is a pre-seed startup. Security controls are implemented in code and described on this page. Formal third-party audits (SOC 2, ISO 27001, pen test) are not yet scoped. We will add audit commitments when we have them.

HIPAA. Not supported. Do not connect databases containing protected health information (PHI) to Chion.

GDPR. Chion processes only structural metadata and aggregated results; no personal data leaves your database unless you query it. A formal GDPR program is not yet scoped.

DPA. Data Processing Agreement available on request for enterprise customers. Covers data handling, sub-processor disclosure, and breach notification procedures.

Our Terms of Service cover service-level commitments and breach-notification timelines.

Sub-processors

Every service we send anything to, what we send, and why.

Chion is only as trustworthy as the services it touches. Every tool in your stack is a liability if it touches your data. Here's every service we send anything to, what we send, and why. No hidden processors.

In production today

ProviderRoleLocation
SupabaseAuthentication, database, edge functionsUS/EU
AnthropicLLM provider, primary model (Claude)US
StripePayment processingUS
ResendTransactional email deliveryUS

Planned / roadmap

ProviderRoleLocation
OpenAILLM provider, planned (GPT)US
GoogleLLM provider, planned (Gemini)US
MistralLLM provider, planned (Mistral)EU
CoreWeaveDedicated GPU compute for isolated model hosting (planned)US

Planned processors are listed for transparency. They are not yet integrated and receive no production data today. We will move them above when they ship.

Vulnerability reporting

How to report a security issue to our team.

If you discover a security vulnerability or suspect unauthorized access, email contact@chion.ai.

By using Chion, you agree to the disclosure obligations in our Terms of Service.

Last reviewed: July 5, 2026