Security
SaaS Application
Honeydew is as a cloud-based service. All connections to the Honeydew application are encrypted by default using industry-standard cryptographic protocols (TLS 1.2+). Any attempt to connect over an unencrypted channel (HTTP) is automatically redirected to an encrypted channel (HTTPS). To take advantage of HTTPS, your browser must support encryption protection (all versions of Google Chrome, Firefox, and Safari).Application access
Users can use Single Sign-On through Google or Microsoft. Enterprise SSO (e.g. Okta, Entra ID) is available upon request. Honeydew organization administrators can manage user access and permissions through the Honeydew application.Data
Honeydew controls data access through the Snowflake security model. All data processing occurs solely within a customer-owned Snowflake account.Honeydew Cloud can be configured without any data access.In this setup, certain UI features (like on-demand data preview) will be disabled, but core functionality will remain unaffected.
Metadata
All customer metadata managed by Honeydew is stored in a private Git repository owned by the customer.Snowflake
The Honeydew Snowflake Native App enables secure access to Honeydew directly from the Snowflake IDE or a Snowflake Connection. The Snowflake security model (user access and roles) is supported to:- Control access to the Honeydew application.
- Manage user access for those utilizing a Honeydew-based live SQL connection.
Authentication
Honeydew supports multiple authentication methods for Snowflake, including:- Key pair authentication
- OAuth authentication
- Programmatic access tokens (PAT)
- Username and password
Permissions
Honeydew only requires USAGE and SELECT permissions on the Snowflake database. You can also optionally provide Honeydew with permissions to create and manage dynamic datasets as views and tables, as well as to manage preaggregate tables. Additional access control can be achieved using Snowflake Row-level Security (RLS) policies.IP-based access control
If you have IP-based access restrictions in Snowflake, add the Honeydew IP addresses to the allowlist.BI Tools
Honeydew supports a wide range of BI tools, including Tableau, Power BI, Looker, and more. For a complete list, see BI tools integration. Authentication to BI tools is done using OAuth, SSO, or API key, depending on the BI tool.Git Providers
Honeydew supports integration with all leading Git providers, including GitHub, GitLab, Bitbucket, and Azure DevOps. Honeydew uses Connected Application, PAT (programmatic access tokens) or a Service Principal to authenticate with Git providers. See the relevant integration documentation for details.Live SQL connection
If a Live SQL connection is enabled, Honeydew will process queries that go through this live connection. However, Honeydew does not process or store any in-flight data exchanged within the live connection between a BI tool and Snowflake.Retention of customer credentials
Honeydew securely retains customer credentials for Snowflake and BI tools, including OAuth tokens, to facilitate secure and continuous extraction/synchronization of metadata. These credentials are securely stored in secret management system, encrypted at rest and in transit.IP Access Control
Honeydew supports IP Access Control, allowing you to restrict access to the Honeydew application and API to specific IP addresses or ranges. This feature is recommended for organizations that require additional security measures. For more details, see the IP Access Control documentation.Compliance
Honeydew is SOC2 Type II compliant and can provide documentation upon request.