Chion is read-only by code, not by prompt. Never writes to your database, never trains AI on your data, never sells what we see.
Before you connect a database to anything, you should know exactly what it can do, what it can see, and where your data goes. Send this page to your security team.
Problem: connecting a database to an AI tool is the first thing your security team will block. What Chion does: read-only by code, an AES-256-GCM credential vault, and every query auditable.
"In production" means the control is implemented and enforced in code today. Chion does not yet publish a live status page or third-party SLO telemetry.
What "verified SQL agent" means at Chion.
Two validator layers, a typed SQL contract, RLS-honored execution.
A verified SQL agent runs every question through a typed contract and a two-layer validator before it reaches your database. Read-only SELECT enforced at the first layer. SQL contract bound to your RLS-aware schema at the second layer. That’s the architectural difference between a SQL agent and a text-to-SQL tool, and the reason Chion can promise the four invariants above.
Top 10 security questions answered
The questions your security team will ask, answered upfront.
1. Can Chion write to, modify, or delete data in my database?
2. Does Chion train AI models on my data?
3. Does Chion sell my data?
4. Where are my database credentials stored?
5. What data leaves my database?
6. Who can see my queries inside Chion?
7. Is Chion SOC 2 certified?
8. Is Chion GDPR compliant?
9. What happens to my data if I cancel?
10. How do I report a vulnerability?
What Chion can and cannot see
A table of exactly what data Chion accesses, and what it never touches.
| What Chion sees | What Chion never sees |
|---|---|
| Table names, column names, and data types | Raw rows from tables you haven't queried |
| The specific SELECT query you asked for | Your database password (encrypted and purged after each connection) |
| Aggregated results of that query (≤1,000 rows) | The contents of tables outside your connected role's permissions |
| Randomly sampled column values used to teach the system your nomenclature | Production writes: Chion cannot INSERT, UPDATE, DELETE, or DROP |
| Your questions and the SQL we generate for you | Anything another Chion customer's database contains |
| Whether a query succeeded or failed | Files, application logs, or anything outside your PostgreSQL instance |
Verified SQL agent architecture: four pillars
Read-only SQL, encrypted vault, row-level security, LLM data isolation.
Read-only SQL enforcement
Every query is SELECT-only. Three controls enforce this: the read-only database role you provide, the SQL contract that bounds generation, and runtime validation (a two-layer validator that blocks writes and enforces the SQL contract) before execution. Any non-SELECT statement is rejected before it reaches your database.
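As an added illustration in Go (not Chion's own code), here is a two-layer validator of the kind described above: layer 1 checks statement shape with no schema knowledge, and layer 2 binds every table and column reference to a contract built from what the read-only role can see. The `Contract` type, the regexes and the keyword list are assumptions of this example.

```go
package main
import (
	"errors"
	"regexp"
	"strings"
)
// Contract: the RLS-aware schema, table name -> columns the read-only role can see.
type Contract map[string]map[string]bool
var (
	comments  = regexp.MustCompile(`(?s)--[^\n]*|/\*.*?\*/`)
	literals  = regexp.MustCompile(`'(?:[^']|'')*'`)
	leading   = regexp.MustCompile(`(?i)^(select|with)\b`)
	writeWord = regexp.MustCompile(`(?i)\b(insert|update|delete|drop|alter|truncate|create|grant|copy|merge|call|do)\b`)
	tableRef  = regexp.MustCompile(`(?i)\b(?:from|join)\s+([a-z_][a-z0-9_]*)`)
	colRef    = regexp.MustCompile(`(?i)\b([a-z_][a-z0-9_]*)\.([a-z_][a-z0-9_]*)`)
)
// Validate returns the normalized statement or an error naming the rejecting layer.
// Whatever the checks cannot prove safe is rejected (fail-closed); the read-only role is the backstop.
func Validate(sql string, c Contract) (string, error) {
	// Layer 1: statement shape, independent of any schema knowledge.
	s := comments.ReplaceAllString(sql, " ")
	s = literals.ReplaceAllString(s, "''") // 'DELETE' as a value is data, not a keyword
	s = strings.TrimSpace(strings.TrimSuffix(strings.TrimSpace(s), ";"))
	if s == "" || strings.Contains(s, ";") {
		return "", errors.New("layer1: empty or multi-statement input")
	}
	if !leading.MatchString(s) {
		return "", errors.New("layer1: must start with SELECT or WITH")
	}
	if m := writeWord.FindString(s); m != "" { // also catches CTE writes and FOR UPDATE locks
		return "", errors.New("layer1: write keyword present: " + strings.ToUpper(m))
	}
	// Layer 2: every FROM/JOIN table and table-qualified column must be in the
	// contract; alias-qualified columns are left to the role's grants and RLS.
	for _, m := range tableRef.FindAllStringSubmatch(s, -1) {
		if _, ok := c[strings.ToLower(m[1])]; !ok {
			return "", errors.New("layer2: table not in contract: " + m[1])
		}
	}
	for _, m := range colRef.FindAllStringSubmatch(s, -1) {
		if cols, ok := c[strings.ToLower(m[1])]; ok && !cols[strings.ToLower(m[2])] {
			return "", errors.New("layer2: column not in contract: " + m[1] + "." + m[2])
		}
	}
	return s, nil
}
func main() { // stand-alone demo: a write hidden in a CTE is rejected at layer 1
	_, err := Validate("WITH x AS (DELETE FROM orders RETURNING *) SELECT * FROM x", nil)
	println(err.Error()) // layer1: write keyword present: DELETE
}
```

Layer 2 works on unqualified table names; schema-qualified references such as `public.orders` are not resolved here and fall through to the database role's own grants.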
AES-256-GCM credential vault
Database credentials are encrypted at rest with AES-256-GCM using a Load-Consume-Purge pattern. Plaintext is loaded into memory, consumed for the socket handshake, and immediately shredded. Credentials never persist in application memory beyond the connection moment.
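An added Go example (not Chion's implementation) of the Load-Consume-Purge pattern using the standard library's AES-256-GCM: the password is decrypted into a fresh buffer, handed to a handshake callback, and zeroed on the way out even when the handshake fails. The `Vault` type, the use of the connection id as AEAD associated data, and the KMS-supplied key are assumptions of this example.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Vault holds credentials only as AES-256-GCM ciphertext (nonce||ct||tag),
// keyed by connection id. The 32-byte key is assumed to come from a KMS.
type Vault struct {
	aead cipher.AEAD
	ct   map[string][]byte
}
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 { // AES-256 means a 32-byte key, nothing smaller
		return nil, errors.New("vault: need a 32-byte AES-256 key")
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for a standard AES block
	return &Vault{aead: aead, ct: map[string][]byte{}}, nil
}
// Store seals the password with the connection id as AAD, so a blob cannot be
// swapped onto another connection record, then purges the caller's copy.
func (v *Vault) Store(connID string, password []byte) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.ct[connID] = v.aead.Seal(nonce, nonce, password, []byte(connID))
	zero(password)
	return nil
}
// Consume is Load-Consume-Purge: decrypt into a fresh buffer, hand it to the
// socket handshake, and zero it before returning even if the handshake fails.
func (v *Vault) Consume(connID string, handshake func(password []byte) error) error {
	blob, ok := v.ct[connID]
	if !ok {
		return errors.New("vault: no credential for " + connID)
	}
	n := v.aead.NonceSize()
	pw, err := v.aead.Open(nil, blob[:n], blob[n:], []byte(connID))
	if err != nil {
		return err // tampered blob or wrong key: fail closed
	}
	defer zero(pw)
	return handshake(pw)
}
// Purge drops the blob on explicit disconnect or repeated authentication failure.
func (v *Vault) Purge(connID string) { delete(v.ct, connID) }
func zero(b []byte) { for i := range b { b[i] = 0 } }
```

Zeroing is only as good as the callers' discipline: the handshake must not copy the buffer into a string or a log line, since those copies cannot be scrubbed.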
Row-level security
We connect using the role you provide. Your PostgreSQL RLS policies are enforced at every stage: schema ingestion, column profiling, and every query execution. We never elevate privileges or bypass access controls.
LLM data isolation
LLM providers receive only structural metadata and aggregated query results. Raw row-level data never reaches our LLM providers. Query results (≤1,000 rows) are processed server-side for chart rendering, held in memory during your session, and discarded when the session ends. Nothing is stored, cached, or retained by the model provider.
Data handling
What we store, what we discard, and when.
Query results are held in memory during your session for chart rendering. They are not persisted to disk or stored long-term. When you close the session, results are discarded.
Schema metadata (table names, column types, cardinality) is stored server-side to enable contract-based SQL generation. This metadata contains no actual data values.
Randomly sampled column values (e.g., top categories by frequency) are stored to build a semantic catalog, together with structural metadata (table names, column types, relationships). This teaches the system your nomenclature, not your data.
Credentials are encrypted in our vault and never transmitted in plain text. Every credential operation is logged to our security audit trail.
Conversations (your questions and generated SQL) are stored to enable conversation history. They do not contain raw data rows.
Full data retention terms are in our Privacy Policy.
Credential & session lifecycle
Rolling sessions, automatic renewal, and credential purge.
Rolling sessions with automatic renewal
Database sessions roll on a 24-hour cycle with automatic renewal on successful validation. Credentials are scrubbed after 3 consecutive failures or explicit disconnect. A 30-day reconnect hint preserves non-secret topology (host, port, schema names) so re-authentication requires only a password, no full reconfiguration.
For the enterprise SQL copilot use case: DPA, sub-processors, on-prem.
The controls enterprise buyers expect from a SQL copilot at scale.
For enterprise buyers evaluating Chion as a SQL copilot at scale: a DPA is available on request, with full sub-processor disclosure. On-prem and dedicated-GPU deployment via CoreWeave, plus model optionality across Anthropic / OpenAI / Google / Mistral, are planned for the Enterprise tier; contact us about the roadmap and pilot eligibility. The Enterprise tier runs the same verified SQL agent pipeline as Starter/Pro/Max.
See Enterprise pricing or contact us to scope a deployment.
Deployment flexibility
Cloud, dedicated GPU, or on-premise. Same pipeline guarantees.
Your deployment, your rules
Choose between managed cloud providers (Mistral, OpenAI, Google, Anthropic), dedicated GPU infrastructure via CoreWeave, or fully on-premise models behind your firewall. Every option runs the same read-only, zero-export pipeline with identical isolation guarantees.
No architectural compromises, no vendor lock-in. Whether the model runs on Mistral's API or a self-hosted instance in your data center, the contract is the same: metadata and summaries in, SQL out. Raw rows never cross the boundary.
Who owns security at Chion
Security principles and ownership across the engineering team.
Fail-closed, not fail-open
When any invariant is violated, the system stops and surfaces the error. No silent recovery.
Owner: Engineering
Data minimalism
We collect only the structural metadata we need to generate correct SQL. We do not hoard.
Owner: Engineering
Vault-only credentials
Every database password lives in an AES-256-GCM vault and is purged from memory within milliseconds of use.
Owner: Engineering Lead
Everything is audited
Every credential operation, every query, every connection event writes to a write-only compliance log. Target retention: up to 12 months for security events, 30-day rolling for diagnostic logs. Actual retention is governed by our database retention policy.
Owner: Engineering
Honest compliance
We publish what's shipped and what's in progress. We do not claim certifications we do not hold.
Owner: Jonathan Dag & Legal
Compliance posture
What certifications we hold, what's in progress, and what's honest.
Chion is a pre-seed startup. Security controls are implemented in code and described on this page. Formal third-party audits (SOC 2, ISO 27001, pen test) are not yet scoped. We will add audit commitments when we have them.
HIPAA. Not supported. Do not connect databases containing protected health information (PHI) to Chion.
GDPR. Chion processes only structural metadata and aggregated results; no personal data leaves your database unless you query it. A formal GDPR program is not yet scoped.
DPA. Data Processing Agreement available on request for enterprise customers. Covers data handling, sub-processor disclosure, and breach notification procedures.
Our Terms of Service cover service-level commitments and breach-notification timelines.
Sub-processors
Every service we send anything to, what we send, and why.
An enterprise SQL copilot is only as trustworthy as the services it touches. Every tool in your stack is a liability if it touches your data. Here's every service we send anything to, what we send, and why. No hidden processors.
In production today
| Provider | Role | Location |
|---|---|---|
| Supabase | Authentication, database, edge functions | US/EU |
| Anthropic | LLM provider, primary model (Claude) | US |
| Stripe | Payment processing | US |
| Resend | Transactional email delivery | US |
Planned / roadmap
| Provider | Role | Location |
|---|---|---|
| OpenAI | LLM provider, planned (GPT) | US |
| Google | LLM provider, planned (Gemini) | US |
| Mistral | LLM provider, planned (Mistral) | EU |
| CoreWeave | Dedicated GPU compute for isolated model hosting (planned) | US |
Planned processors are listed for transparency. They are not yet integrated and receive no production data today. We will move them above when they ship.
Vulnerability reporting
How to report a security issue to our team.
If you discover a security vulnerability or suspect unauthorized access, email contact@chion.ai.
By using Chion, you agree to the disclosure obligations in our Terms of Service.
Last reviewed: May 17, 2026