Trust & Security

How we handle your data

SegmentStream offers two data storage options. You choose during setup:

Self-hosted storage — you provide your own Google BigQuery project. SegmentStream connects to it, reads from it, and writes analytics results back to it. We do not maintain a separate copy of your marketing data. You retain full control of the infrastructure.

SegmentStream-hosted storage — we provide a managed data warehouse for you. Your data is stored in an isolated dataset on Google Cloud Platform in the region you select (EU or US). You retain full ownership of your data and can export or migrate to your own infrastructure at any time.

Regardless of which option you choose:

• We are a data processor, not a controller. Under GDPR and equivalent frameworks, we process data on your behalf and under your instructions. Our Data Processing Agreement formalises this relationship.
• Your data is isolated. Each customer's data is stored in a separate dataset. There is no commingling of data between customers.
• Ad platform credentials are used for read-only data collection. When you connect ad platforms (Google Ads, Meta, etc.), we collect cost and performance data and load it into your warehouse. We do not modify your ad accounts.
• Data portability. You can migrate from SegmentStream-hosted storage to your own infrastructure at any time. We support data transfer to your own Google BigQuery project.
• Deletion. If you request account deletion, all data in SegmentStream-hosted storage is removed from active systems immediately. Complete purge from all underlying storage (including Google Cloud's built-in recovery mechanisms) occurs within 14 days.
• Sub-processors are disclosed. A full list of sub-processors is available in Annex D of our Data Processing Agreement.

Compliance

Our legal and data protection framework covers the major regulatory regimes:

• GDPR — EU General Data Protection Regulation
• UK GDPR — UK Data Protection Act 2018
• CCPA — California Consumer Privacy Act
• PIPEDA — Canadian Personal Information Protection and Electronic Documents Act
• LGPD — Brazilian General Data Protection Law
• Swiss DPA — Swiss Federal Data Protection Act

Standard Contractual Clauses (SCCs) are included in our DPA for international data transfers where required.

Security

• Automated security monitoring and compliance tracking via Drata
• Encryption in transit (TLS) and at rest
• Role-based access controls with least-privilege principles
• Regular access reviews and audit logging
• Infrastructure hosted on Google Cloud Platform

How we use platform interaction data

SegmentStream works through an AI agent that connects to your data via the MCP protocol. When you or your team interact with the agent — asking questions, running reports, connecting data sources — we log those interactions (prompts, tool calls, agent responses, and session metadata).

We use this data for two purposes:

• Debugging and support. When you report an issue — for example, the agent set up a project incorrectly or used a tool in an unexpected way — our team investigates the specific session logs to diagnose the problem and resolve it.
• Product improvement. We review interaction patterns to identify where the agent makes mistakes, misinterprets requests, or uses tools incorrectly, and then improve the agent's behaviour for all users.

What we do not do:

• We do not use your marketing data (the data in your BigQuery) to train AI models or improve our product. Your warehouse data is processed solely to answer your questions and run your reports.
• We do not share your interaction logs with other customers.
• We do not sell any data.

This is documented in Sections 3.2.4 and 4.2.4 of our Privacy Policy.

Confidentiality

Our Terms of Service include mutual confidentiality obligations (Section 8). This means:

• All information you share with us — including Customer Data, business plans, and technical details — is protected under contractual confidentiality.
• We will not disclose your confidential information to third parties except to employees and contractors who need to know and are bound by equivalent obligations.
• These obligations survive termination for three years.

This eliminates the need for a separate NDA in most cases. Custom legal agreements are available for enterprise paid plans.

Legal documents

• Terms of Service — your agreement with SegmentStream, including confidentiality obligations
• Privacy Policy — how we collect and use personal data
• Data Processing Agreement — GDPR-compliant DPA with SCCs, sub-processor list, and security measures
• Cookie Policy — cookies used on this website

Frequently asked questions

Do you sign NDAs?

Our Terms of Service include mutual confidentiality obligations that cover all information exchanged between us. For most use cases — including Research Preview — this provides equivalent protection to a standalone NDA. Custom legal agreements are available for enterprise paid plans.

Where is my data stored?

If you use self-hosted storage, your marketing data stays in your own BigQuery project. If you use SegmentStream-hosted storage, your data is stored in an isolated dataset on Google Cloud Platform in the region you selected (EU or US). In both cases, SegmentStream's application infrastructure runs on Google Cloud Platform. For details on data processing locations and sub-processors, see Annex C and Annex D of our Data Processing Agreement.

Can I migrate from hosted to self-hosted storage?

Yes. You can migrate your data from SegmentStream-hosted storage to your own Google BigQuery project at any time. Contact us and we will arrange the transfer.

What happens to my data if I cancel?

For self-hosted storage, your data remains in your own BigQuery project — we simply disconnect. For SegmentStream-hosted storage, we will provide a window to export your data, after which it is deleted from our systems. Data is removed from active systems immediately upon deletion, with complete purge from all underlying storage within 14 days.

Who are your sub-processors?

A full list is maintained in Annex D of our Data Processing Agreement, including each sub-processor's purpose, location, and the data they process.

Do you have SOC 2?

We maintain continuous compliance monitoring through Drata. Our current security posture is available at our Drata Trust Center.

What should I send to my legal or procurement team?

Share this page along with our Terms of Service and Data Processing Agreement. These documents cover confidentiality, data processing, security measures, sub-processors, and international transfer mechanisms — everything a legal or procurement review typically requires.

Is the Research Preview subject to the same protections?

Yes. All Customer Data processed during the Research Preview is subject to our Data Processing Agreement and the same security, confidentiality, and data protection obligations that apply to our paid services. This is stated explicitly in Section 7 of our Terms of Service.