Skip to content
English
Contact us
  • There are no suggestions because the search field is empty.

Security Center - Overview

Security Center — Overview

Introduction

Exponam Analyst Intelligence is an Excel add-in installed on users’ desktops. It connects business users directly to governed enterprise cloud data platforms — currently Databricks (production), with native connectors for Snowflake and Azure Fabric in active development.

From a cybersecurity perspective, the most important things to understand:

  • Data never leaves your environment. No data ever transits any non-client environment, server, or machine.
  • Exponam never has access to or possession of any client data or client credentials. No Exponam service or server ever acts as an intermediary in any data flow.
  • The only information Exponam possesses pertaining to a client is the contact information of client personnel involved in communication with Exponam (such as email).
  • No license validation calls. The only external network call is a periodic update check made by the publicly available ClickOnce installer.

Architecture and Data Flow

Exponam Analyst Intelligence provides two distinct connection paths for retrieving data. Both paths share the same security posture: no Exponam server is involved, all communication is end-to-end TLS encrypted, and governance is enforced by the source platform.

SQL Endpoint Path

The SQL endpoint path executes queries against the cloud platform’s SQL compute engine (e.g., a Databricks SQL warehouse). This path supports the full range of SQL syntax and powers the natural language query, direct SQL, and ML model execution capabilities.

sql_endpoint_architecture

Data flow:

  1. The user authenticates via standard enterprise SSO credentials for the cloud platform. No additional credential files, tokens, or Exponam-specific configuration is required.
  2. Query generation. The user writes SQL directly, or describes a question in natural language. If using natural language, the question and schema metadata are sent to an LLM to generate a SQL query (see AI and LLM Privacy below). The generated SQL is visible, editable, and auditable before execution.
  3. Query execution. The SQL query is submitted to the cloud platform’s SQL warehouse, where it is executed with full platform governance applied (Unity Catalog, RBAC, row-level and column-level security).
  4. Result delivery. The governed result set is returned via the warehouse API directly to the add-in on the user’s machine. No intermediate server is involved.
  5. Excel import. Data is written to the Excel worksheet as static values. Refresh is user-controlled — configurable automatic intervals, manual on demand, or pause/resume per dataset. A workbook recalculation does not trigger a data re-fetch.

Compute is consumed on the cloud platform according to its standard pricing (e.g., Databricks DBUs, Snowflake credits).

Delta Sharing Path (Databricks Only)

The Delta Sharing path retrieves data directly from cloud object storage, bypassing the SQL compute engine entirely. This path is specific to Databricks and requires Delta Sharing to be enabled in the environment.

delta_sharing_architecture

Data flow:

  1. The user provides a .share credential file (v1 bearer token or v2 OIDC credential) to the add-in.
  2. The add-in sends a data request to the Databricks Delta Sharing REST API.
  3. Authentication and authorization. The Delta Sharing service validates the request against Unity Catalog. If the user’s Recipient has access to the requested Share, a set of short-lived presigned URLs pointing to Parquet files in cloud object storage (AWS S3, Azure ADLS, or Google Cloud Storage) is returned.
  4. Direct download. The add-in downloads compressed Parquet data directly from cloud storage via the temporary presigned URLs. No intermediate server is involved.
  5. Excel import. Data is decompressed and written to the Excel worksheet(s).

Because data is retrieved directly from cloud storage via presigned URLs, this path incurs zero Databricks compute (DBU) charges. All communication is end-to-end TLS encrypted — between Delta Sharing and the client, and between cloud storage and the client. Presigned URLs are temporary and scoped to the governed perimeter.

AI and LLM Privacy

Natural language query translates plain-English questions into governed SQL. This requires a large language model (LLM). Exponam Analyst Intelligence provides two options, giving organizations full control over how — and whether — any information leaves their environment.

Local LLM. The LLM runs entirely on the analyst’s machine. No data, no schema metadata, and no query tokens leave the user’s network. This option is designed for regulated industries and organizations with strict data residency or compliance requirements.

Commercial LLM. For organizations with existing commercial model agreements (e.g., GPT, Claude), the add-in connects to the provider’s API. Only schema metadata (table names, column names, data types) is sent to the external API — never row-level data. The generated SQL is returned to the add-in for user review before execution.

In both cases, the generated SQL query is visible, editable, and auditable. No query is executed without the user’s review.

Authentication

Authentication differs by connection path.

SQL Endpoint Path

Users authenticate using their standard enterprise SSO credentials for the cloud platform (e.g., Databricks workspace credentials). Access is governed by the platform’s identity and access management. No additional credential files, tokens, or Exponam-specific configuration is required.

Delta Sharing Path (Databricks Only)

The Delta Sharing path supports two authentication paradigms available within the Databricks Delta Sharing platform:

  1. v1 — Bearer token. .share files containing embedded tokens are distributed to users. These credentials may be scoped by IP address/range and configured for defined durations within Unity Catalog.
  2. v2 — OIDC federation. .share files are tied to an enterprise identity provider (e.g., Microsoft Entra ID, Okta). User identity is affirmed through standard OIDC/OAuth 2.0 flows. This option provides enterprise SSO integration, automatic credential rotation, and centralized identity governance.

For detailed authentication configuration instructions, see Managing User Authentication and Access.

Data Security

Exponam Analyst Intelligence’s security posture is grounded in a single architectural principle: Exponam never has access to, custody of, or visibility into any customer data or credentials. No Exponam server is involved in any data flow. No Exponam service or server ever acts as an intermediary. The only information Exponam possesses about a customer is the contact information of personnel involved in communication with Exponam.

Data Protection

  • Data at rest is secured by the cloud platform’s native encryption (e.g., Databricks encryption, Snowflake encryption). Exponam does not store, cache, or retain any data.
  • Data in flight is secured by HTTPS/TLS encryption between the cloud platform and the add-in. On the Delta Sharing path, this includes end-to-end TLS between Delta Sharing and the client, and between cloud storage and the client.
  • Data access rights are managed by the cloud platform’s governance framework. Exponam does not maintain a parallel permission layer — if a user can see the data in the platform, they can see it in Excel. If they cannot, they cannot.

Refresh and Compute Behavior

Data is imported into Excel cells as static values. Refresh is managed entirely through the Exponam ribbon: users can configure automatic refresh intervals, trigger manual refresh, or pause and resume per dataset. A workbook recalculation or any other standard Excel event does not trigger a data re-fetch. There are no unexpected compute charges.

Governance and Logging

All governance and audit logging is managed within the cloud platform’s native administration tools (e.g., Databricks Unity Catalog, Snowflake access history). Comprehensive logs track every user’s request for data and every response. Because Exponam Analyst Intelligence uses the platform’s native governance model, no additional administration, permission mappings, or audit infrastructure is required.

Attestations, Development, and Security Policies

As Exponam does not act as a service provider for or as a custodian of data, SOC 2, ISO 27001, and PCI AOC/ROC attestations and assessments are not applicable to the current product architecture.

As a privately held, self-funded software manufacturer, SOC 1 reviews have not been conducted. They may be conducted in the future.

Exponam adheres to NIST SP 800-218 guidelines for Secure Software Development to ensure that secure, up-to-date coding practices are followed. See our NIST 800-218 Attestation and associated policy documentation below.

Related Documentation

©2026 Exponam, LLC