
Security

:::info Source
Sourced from services/analytics-service/SECURITY_MODEL.md in the documentation repo.
:::

1. Authentication

  • Internal API calls: JWT.
  • Firehose consumers: service-to-service (S2S) mTLS; the firehose accepts no unauthenticated producers or consumers.

2. Authorization

  • analytics:read — tenant admin.
  • analytics:admin — create/edit dashboards/metrics.
  • analytics:ad_hoc — run ad-hoc SQL (restricted).
  • analytics:audit_export — compliance_officer only.
  • analytics:ai — AI insights (separate entitlement).

3. Multi-Tenant Isolation

  • ClickHouse: tenant_id is the leading column of the ORDER BY (sorting) key, so a tenant's rows sit in one contiguous key range. The key does not enforce isolation by itself, so every query carries a tenant_id filter; on the ad-hoc path that filter is injected automatically (section 5).
  • Postgres: row-level security (RLS) policies on the metadata tables. Table owners and superusers bypass RLS unless the table is marked FORCE ROW LEVEL SECURITY, so the application role must not own the metadata tables.
  • Platform-admin cross-tenant queries are logged and audited.

4. PII Handling

  • Hot events carry actor_id_hash only; no raw actor identifiers.
  • Audit tier (restricted): full PII; separate cluster; access logged.
  • GDPR subject-access-request exports from audit tier.
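
The page states that hot events carry only actor_id_hash, not how that hash is derived. The following is an added example, not the service's own code: it assumes a keyed construction (HMAC-SHA256 under a per-tenant key held by the ingest path) and contrasts it with a plain SHA-256, showing why the unkeyed variant is not a pseudonym at all when actor IDs are low-entropy. The sample ID space and the key are constructed for the demo.

```python
"""Keyed pseudonymisation for actor IDs in hot events (added example).

Assumptions, not from the page: HMAC-SHA256, a per-tenant key, and
sequential user IDs as the sample ID space.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple


def actor_id_hash(actor_id: str, tenant_key: bytes) -> str:
    """Pseudonym stored in the hot tier: HMAC-SHA256 under a per-tenant key.

    Without the key a reader cannot test a guessed ID against a stored
    digest, so hot-tier read access does not reveal who acted.
    """
    return hmac.new(tenant_key, actor_id.encode(), hashlib.sha256).hexdigest()


def unkeyed_hash(actor_id: str) -> str:
    """The tempting alternative: plain SHA-256 of the ID, no secret involved."""
    return hashlib.sha256(actor_id.encode()).hexdigest()


def recover_by_enumeration(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """What an attacker with hot-tier read access does against unkeyed hashes:
    hash every plausible ID and compare. Returns the matching ID or None."""
    for candidate in candidates:
        if hmac.compare_digest(unkeyed_hash(candidate), digest):
            return candidate
    return None


# Constructed sample space: sequential IDs are typical and trivially enumerable.
CANDIDATE_IDS = [f"user-{n}" for n in range(100_000)]


def demo() -> Tuple[Optional[str], Optional[str]]:
    """Returns (ID recovered from the unkeyed hash, ID recovered from the HMAC)."""
    tenant_key = secrets.token_bytes(32)  # per tenant; never stored with the events
    target = "user-4242"
    weak = recover_by_enumeration(unkeyed_hash(target), CANDIDATE_IDS)
    strong = recover_by_enumeration(actor_id_hash(target, tenant_key), CANDIDATE_IDS)
    return weak, strong


if __name__ == "__main__":
    print(demo())  # the unkeyed digest yields "user-4242"; the keyed one yields None
```

A per-tenant key also gives a clean erasure story: destroying the key makes every stored actor_id_hash for that tenant permanently unlinkable, which is useful when the audit tier's PII is deleted under a GDPR request but the hot events must stay for aggregates.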

5. SQL Injection Prevention

  • Ad-hoc queries are parsed with SqlParser rather than pattern-matched; the tenant filter is injected into the parsed statement (it has to cover every table reference, including subqueries and JOINs), and destructive statements (DROP, TRUNCATE, ALTER) are rejected.
  • Metric definitions are templated; parameters are escaped and never concatenated into the SQL text.

6. Data Classification

  • Hot events: Confidential.
  • Audit tier: Restricted.
  • Exports containing PII: Restricted; delivered only through short-lived signed URLs.
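
The short-lived signed URL for Restricted exports, as an added example rather than the service's signer (the page does not describe one; in practice this is usually the object store's presigned URL with the same expiry discipline). The URL layout, the HMAC-SHA256 scheme, the 300-second TTL and the signing key are assumptions. The tenant and export identifiers are part of the signed path, so neither can be swapped without invalidating the signature, and the expiry is signed as well.

```python
"""Short-lived signed export URLs (added example, not the service's code).

Assumptions: URL path layout /exports/<tenant>/<export>, HMAC-SHA256 over
"path|expires", a static demo key (a real deployment keeps it in a KMS).
"""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"demo-signing-key-rotate-me"  # demo only


def _signature(path: str, expires: int) -> str:
    # Path and expiry are signed together so neither can be altered alone.
    return hmac.new(SIGNING_KEY, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()


def sign_export_url(base: str, export_id: str, tenant_id: str,
                    ttl: int = 300, now: Optional[float] = None) -> str:
    """Issue a URL that stops working after `ttl` seconds."""
    expires = int(now if now is not None else time.time()) + ttl
    path = f"/exports/{tenant_id}/{export_id}"
    query = urlencode({"expires": expires, "sig": _signature(path, expires)})
    return f"{base}{path}?{query}"


def verify_export_url(url: str, now: Optional[float] = None) -> bool:
    """Accept only an unexpired URL whose signature covers path and expiry."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    current = now if now is not None else time.time()
    if current >= expires:
        return False
    # Constant-time comparison: a byte-wise early exit would leak the MAC.
    return hmac.compare_digest(_signature(parts.path, expires), sig)


if __name__ == "__main__":
    url = sign_export_url("https://analytics.example", "exp-9", "t-1")
    print(url, verify_export_url(url))
```

The URL is a bearer credential: anyone holding it can fetch the export until it expires, so the download handler still logs the fetch (section 8) and the TTL is kept to minutes, not days.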

7. Threat Model

| Threat | Mitigation |
| --- | --- |
| Cross-tenant data leak via ad-hoc SQL | Auto-injected tenant filter; SQL parser |
| Platform-admin abuse | Audit log + 4-eyes for cross-tenant queries |
| PII exposure via export | Redaction; audit export requires compliance_officer |
| Event spoofing (fake analytics events) | Firehose from trusted services only (mTLS) |
| DoS via expensive query | Query timeouts; cost-based limits; dedicated pool for large queries |
| AI SQL generation injection | Schema-constrained generation; tenant filter check; destructive ops blocked |

8. Audit

  • Compliance exports logged.
  • Platform-admin cross-tenant access logged with justification.
  • AI insight decisions linked to AIProvenance.

9. Compliance

  • GDPR/CCPA: subject-access-request exports are served from the audit tier.
  • HIPAA: PHI is exposed only in aggregate and with restricted access; a BAA is in place with AI providers where applicable.
  • SOC 2: access logs and access reviews.
  • EU AI Act: the at-risk predictor is classified as a high-risk system.