Zero Data Movement

Vigilos never copies, stores, or replicates your data. Every query runs directly against your database, and only the result set is returned to the browser for visualization.
Vigilos requires network access to your database. Your database must be reachable from Vigilos’s infrastructure over the internet or a private network connection. See Database Connections for network requirements.
This architecture means:
  • No data warehousing - your data stays in your existing infrastructure
  • No ETL pipelines - no extraction, transformation, or loading steps
  • No stale data - every query hits your live database in real time
  • No data residency concerns - data never leaves your environment

Data Flow

When a user asks a question, the request flows through several stages:
1. User asks a question
   The user types a natural language question in the Ask AI interface and selects a semantic model.

2. AI agent processes the question
   The AI agent reads the semantic model metadata (entity names, column descriptions, relationships, measures) and verifies the current database schema to ensure accuracy.

3. Query generation
   The agent generates either a visual builder configuration or advanced SQL, depending on the complexity of the question. Column references are validated before query construction.

4. Direct database query
   The generated SQL executes directly against your database through the encrypted connection. Vigilos acts as a pass-through - it sends the query and receives the result set.

5. Results rendered in browser
   The result set is returned to the user’s browser where it is rendered as an interactive chart, data table, and AI-generated explanation.

Connection Security

Database credentials are protected with multiple layers of security:
  • AES-256 encryption - All credentials (username, password, host) are encrypted before being written to storage. No plaintext credentials are stored at any point.
  • Encryption at rest - Encrypted credentials are stored with disk-level encryption enabled.
  • SSL/TLS connections - Vigilos supports (and recommends) encrypted connections to your database via the secure toggle on each connection.
Connection credentials are encrypted immediately upon submission. Even Vigilos platform administrators cannot view plaintext credentials.

Multi-Tenant Isolation

Vigilos is built for multi-tenant use from the ground up. Full tenant isolation is enforced at every level - every database query, API request, and resource access is automatically scoped to the authenticated user’s organization.
  • Database-level isolation - Security policies are applied to every table in the Vigilos platform database. Every query automatically filters rows to the authenticated user’s organization.
  • Organization membership checks - API requests verify that the authenticated user belongs to the organization that owns the requested resource.
  • Connection isolation - Database connections, semantic models, insights, dashboards, and reports are all scoped to a single organization. Users in one organization cannot access another organization’s resources.

Schema Caching

To reduce load on your external databases, Vigilos caches table and column metadata after the initial schema fetch. The cache stores:
  • Connection ID - which connection the schema belongs to
  • Database - the specific database within the connection
  • Table name and table type (table, view, or materialized view)
  • Columns - name, data type, nullable flag, comment, and primary key indicator
  • Row count - approximate number of rows
  • Table comment - any comment set on the table in the database
Schema caching only stores metadata (table names, column names, types). It does not cache any actual data from your tables. You can refresh the schema cache at any time from the semantic model editor.
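
The following is an added example, not Vigilos code: it models the cache fields listed above and shows one way the column-reference validation mentioned under Query generation could be checked against that metadata. The class names, the `table.column` reference format, case-insensitive matching, and the sample connections are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Column:
    name: str
    data_type: str
    nullable: bool = True
    comment: str = ""
    primary_key: bool = False


@dataclass
class CachedTable:
    connection_id: str
    database: str
    name: str
    table_type: str      # "table", "view" or "materialized view"
    columns: list        # list of Column: metadata only, never row data
    row_count: int = 0   # approximate
    comment: str = ""


class SchemaCache:
    def __init__(self, tables):
        # Key on (connection, database, table) so a lookup can never
        # resolve against a different connection's schema.
        self._tables = {(t.connection_id, t.database, t.name.lower()): t
                        for t in tables}

    def validate(self, connection_id, database, refs):
        """Return problems found in 'table.column' refs; empty list = all valid."""
        problems = []
        for ref in refs:
            table, sep, column = ref.partition(".")
            entry = self._tables.get((connection_id, database, table.lower()))
            if not sep:
                problems.append(f"malformed reference: {ref}")
            elif entry is None:
                problems.append(f"unknown table: {ref}")
            elif column.lower() not in {c.name.lower() for c in entry.columns}:
                problems.append(f"unknown column: {ref}")
        return problems


# Constructed sample metadata (hypothetical connections and tables).
CACHE = SchemaCache([
    CachedTable("conn-1", "sales", "orders", "table",
                [Column("id", "integer", False, "", True),
                 Column("total", "numeric")], 1200),
    CachedTable("conn-2", "hr", "salaries", "table",
                [Column("amount", "numeric")], 50),
])
```

A generated query would only be built when `validate` returns an empty list; a reference to a table that exists only under another connection is reported as unknown rather than resolved.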