Keebo | Architecture & Security
Architecture & Security

Enterprise-Grade Security—Metadata-Only Optimization

Keebo is architected by design to optimize Snowflake and Databricks using metadata only—enterprise-grade security, SOC 2 Type II certified.

Request Demo
komodo logo cropped
chalice logo cropped
Keebo | Architecture & Security
cimpress vector logo
oktaaa

How We Keep Your Environment Safe

Keebo’s security architecture is built on fundamental principles that protect your data at every level

Minimal and Secure Data Access

Minimal & Secure Data Access

Warehouse Optimization and Workload Intelligence use metadata only. Query Routing requires query access for routing but never stores data or uses it for routing decisions. Sensitive data remains protected. See required roles & grants.

Ai Optimization without Risk

AI Optimization Without Risk

Warehouse Optimization (KWO) and Workload Intelligence (KWI) work exclusively on metadata—never seeing query results. Query Routing (KQR, Diamond tier) analyzes query text inside an customer-isolated, firewalled Kubernetes cluster.

Encrypted Connections

Encrypted Connections

Every connection to Snowflake and Databricks is fully encrypted to protect your environment at all times.

Restricted Platform Permissions

Restricted Platform Permissions

Uses a dedicated user and role with strict, limited access to only necessary Snowflake or Databricks metadata.

Strict Access Controls

Strict Access Controls

Firewall-protected with IP whitelisting — only your domains can connect to our infrastructure.

Dedicated Infrastructure

Dedicated Infrastructure

Your own Kubernetes cluster with isolated resources — no shared infrastructure with other customers.

Enterprise-Grade Data Access Architecture

Keebo analyzes 76+ metadata fields for every query, operating through a dedicated user and role with strict permissions. It leverages only metadata—query logs, performance metrics, warehouse settings—never storing tables or sensitive data.

  • All connections are secure and encrypted with industry‑standard protocols.
  • AI‑driven optimization runs in either autopilot or recommendation mode.
  • Full governance and audit visibility—proven at enterprise scale.
AD 4nXfQDsat8ru1ApDspYHb43FFuyntaKod DPh0WffTy753Ly6WUdHpEFrinxNlYf d4YSpu5kJEFy6VHVj79gnYtaSJ 9LXSSMXrNslvn9mfnWIyYcGWCvIdFak2 OyCMmZTnRPtN3Q?key=wZYM8 U1nsN QkaBhRbEFQ

How Keebo Uses Metadata to Optimize Cost + Performance

Keebo Workload Intelligence (KWI) is the FinOps & observability module of the Keebo platform that analyzes warehouse, compute, query, and storage health to uncover inefficiencies and performance bottlenecks—surfacing ~18% additional savings opportunities with clear, prioritized recommendations. 

Real-time Metadata Learning

Analyzes 76+ metadata fields – no actual data accessed or stored

AI-Powered Decisions

Automatically right-sizes warehouses and tunes resources based on workload patterns

Autonomous Cost Reduction

Intelligently scales down resources during low-usage periods

Automatic Performance Scaling

Protects performance when latency rises or demand increases

No Extra Data Collected

Only collects what’s essential for optimization – nothing more

Patented Optimization Models

Continuously adapt for maximum ROI with zero maintenance overhead

Security-First Query Routing

Keebo Query Routing (KQR) acts as a smart, secure proxy between your workloads and Snowflake
KQR dynamically routes each query to the most cost-efficient warehouse based on real-time conditions and your custom rule set. The highest-priority rule that matches both the query and the current environment determines where the query is sent.

Audit‑Ready Query Routing

KQR gives you complete control over workload placement with zero compromise on data security.

Rules are AI‑recommended and logged for audit; you can review, modify, re‑order, and approve every rule before it goes live. All routing decisions are logged, and if no rule applies, KQR safely falls back to the session’s default warehouse, ensuring zero disruption to live traffic.

Enterprise-Grade Security Features

Encrypted Credentials

Customer credentials are encrypted at rest and in transit using industry-standard protocols.

No Data Stored (Ephemeral Processing)

Keebo processes metadata in‑memory and never stores query results or sensitive data.

Continuous Security Testing

Automated code scanning and third-party penetration testing

Private Network Connectivity

Support for AWS PrivateLink, GCP Private Service Connect, and Azure PrivateLink connections to your environment

Role-Based Access Control (RBAC)

Billing Administrator, Administrator, User, and Read Only roles with least-privilege defaults.

Enterprise-Grade Security Compliance

Keebo operates with the highest security standards to protect your Snowflake environment

SOC 2 Type II Certified

“Keebo’s architecture demonstrates a sophisticated understanding of both optimization and security requirements. The metadata-only approach allows us to benefit from AI-driven optimizations without any data privacy concerns.”

Head of Data Infrastructure,
Major Financial Institution

Ready to Securely Optimize Snowflake & Databricks?

Join industry leaders who trust Keebo with their most sensitive data environments

Request Demo