Security
SaaS Application
Honeydew is a cloud-based service. All connections to the Honeydew application are encrypted by default using industry-standard cryptographic protocols (TLS 1.2+). Any attempt to connect over an unencrypted channel (HTTP) is automatically redirected to an encrypted channel (HTTPS). To take advantage of HTTPS, your browser must support encryption protection (all versions of Google Chrome, Firefox, and Safari).
Application access
Users can use Single Sign-On through Google or Microsoft. Enterprise SSO (e.g. Okta, Entra ID) is available upon request. Honeydew organization administrators can manage user access and permissions through the Honeydew application.
Data
Honeydew controls data access through your data warehouse security model. All data processing occurs solely within a customer-owned data warehouse account (Snowflake, Databricks, or Google BigQuery).
Honeydew Cloud can be configured without any data access. In this setup, certain UI features (like on-demand data preview) will be disabled, but core functionality will remain unaffected.
Metadata
All customer metadata managed by Honeydew is stored in a private Git repository owned by the customer.
Snowflake
The Honeydew Snowflake Native App enables secure access to Honeydew directly from the Snowflake IDE or a Snowflake Connection. The Snowflake security model (user access and roles) is supported to:
- Control access to the Honeydew application.
- Manage user access for those utilizing a Honeydew-based live SQL connection.
Authentication
Honeydew supports multiple authentication methods for Snowflake, including:
- Key pair authentication
- OAuth authentication
- Programmatic access tokens (PAT)
- Username and password
Permissions
Honeydew only requires USAGE and SELECT permissions on the Snowflake database. You can also optionally provide Honeydew with permissions to create and manage dynamic datasets as views and tables, as well as to manage preaggregate tables. Additional access control can be achieved using Snowflake Row-level Security (RLS) policies.
IP-based access control
If you have IP-based access restrictions in Snowflake, add the Honeydew IP addresses to the allowlist.
Databricks
The Honeydew Databricks integration enables secure access to your Databricks data. The Databricks security model (user access and roles) is supported to:
- Control access to the Honeydew application.
- Manage user access for those utilizing a Honeydew-based live SQL connection.
Authentication
Honeydew supports multiple authentication methods for Databricks, including:
- OAuth (M2M) authentication
- Personal Access Token (PAT) authentication
- OAuth user authentication
Permissions
Honeydew only requires USAGE and SELECT permissions on the Databricks catalog, schema, and tables. You can also optionally provide Honeydew with permissions to create and manage dynamic datasets as views and tables. For Unity Catalog environments, the required permissions include:
- USE CATALOG on catalogs used in the semantic layer
- USE SCHEMA on schemas used in the semantic layer
- SELECT on tables/views used in the semantic layer
- CREATE TABLE and CREATE VIEW on the schema where dynamic datasets will be deployed
IP-based access control
If you have IP-based access restrictions in Databricks, add the Honeydew IP addresses to the allowlist.
Google BigQuery
The Honeydew Google BigQuery integration enables secure access to your Google BigQuery data. The Google BigQuery security model (IAM roles and permissions) is supported to:
- Control access to the Honeydew application.
- Manage user access for those utilizing a Honeydew-based live SQL connection.
Authentication
Honeydew supports multiple authentication methods for Google BigQuery, including:
- Service Account Key authentication
- OAuth user authentication
Permissions
Honeydew only requires read permissions on Google BigQuery datasets and tables used in the semantic layer. You can also optionally provide Honeydew with permissions to create and manage dynamic datasets as views and tables. The required permissions include:
- BigQuery Job User role (project level) - to run queries
- BigQuery Data Viewer role (dataset level) - read access to tables and views
- BigQuery Metadata Viewer role (dataset level) - read dataset and table metadata
- BigQuery Data Editor role (dataset level) - create and manage tables/views in the deployment dataset
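An added example, not Honeydew's own code: a small audit that checks the roles bound to the identity used for Honeydew against the list above and reports anything broader. The input is a constructed, simplified inventory of (scope, resource, role) tuples rather than a GCP API response; the project and dataset names are hypothetical, and the role IDs are the standard IAM identifiers for the roles named above.

```python
# Read-side roles from the list above and the scope each should be bound at.
READ_ROLES = {
    "roles/bigquery.jobUser": "project",
    "roles/bigquery.dataViewer": "dataset",
    "roles/bigquery.metadataViewer": "dataset",
}
# Optional write role: acceptable only on the deployment dataset.
WRITE_ROLE = "roles/bigquery.dataEditor"


def audit_bindings(bindings, deployment_dataset):
    """Return (scope, resource, role, reason) for each binding outside the documented set."""
    findings = []
    for scope, resource, role in bindings:
        reason = None
        if role == WRITE_ROLE:
            if scope != "dataset":
                reason = "write role bound above dataset level"
            elif resource != deployment_dataset:
                reason = "write role outside deployment dataset"
        elif role in READ_ROLES:
            if scope != READ_ROLES[role]:
                reason = f"expected {READ_ROLES[role]}-level binding"
        else:
            reason = "role not in documented list"
        if reason:
            findings.append((scope, resource, role, reason))
    return findings


# Constructed sample inventory; all names are hypothetical.
DEPLOY = "acme-analytics.honeydew_deploy"
SAMPLE = [
    ("project", "acme-analytics", "roles/bigquery.jobUser"),
    ("dataset", "acme-analytics.sales", "roles/bigquery.dataViewer"),
    ("dataset", "acme-analytics.sales", "roles/bigquery.metadataViewer"),
    ("dataset", DEPLOY, "roles/bigquery.dataEditor"),
    ("project", "acme-analytics", "roles/bigquery.dataViewer"),        # read on every dataset
    ("dataset", "acme-analytics.sales", "roles/bigquery.dataEditor"),  # write on source data
    ("project", "acme-analytics", "roles/bigquery.admin"),             # not in the list
]

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE, DEPLOY):
        print(" | ".join(finding))
```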
IP-based access control
If you have IP-based access restrictions in Google BigQuery using VPC Service Controls, add the Honeydew IP addresses to the access level allowlist.
BI Tools
Honeydew supports a wide range of BI tools, including Tableau, Power BI, Looker, and more. For a complete list, see BI tools integration. Authentication to BI tools is done using OAuth, SSO, or API key, depending on the BI tool.
Git Providers
Honeydew supports integration with all leading Git providers, including GitHub, GitLab, Bitbucket, and Azure DevOps. Honeydew uses a Connected Application, a PAT (programmatic access token), or a Service Principal to authenticate with Git providers. See the relevant integration documentation for details.
Live SQL connection
If a Live SQL connection is enabled, Honeydew will process queries that go through this live connection. However, Honeydew does not process or store any in-flight data exchanged within the live connection between a BI tool and your data warehouse.
Retention of customer credentials
Honeydew securely retains customer credentials for data sources (Snowflake, Databricks, BigQuery) and BI tools, including OAuth tokens, to facilitate secure and continuous extraction/synchronization of metadata. These credentials are securely stored in a secret management system, encrypted at rest and in transit.
IP Access Control
Honeydew supports IP Access Control, allowing you to restrict access to the Honeydew application and API to specific IP addresses or ranges. This feature is recommended for organizations that require additional security measures. For more details, see the IP Access Control documentation.
Compliance
Honeydew is SOC2 Type II compliant and can provide documentation upon request.