Overview
AnalyticsCreator is a metadata-driven design and code generation studio that automates the creation of enterprise data integration and analytics solutions. This page explains how AnalyticsCreator maintains security, enables compliance, and protects customer environments.
The Fundamental Security Principle
AnalyticsCreator Does Not Process Operational Data
AnalyticsCreator works exclusively with metadata - never with actual business data.
How It Works:
- Reads metadata only: AnalyticsCreator connects to source systems to read schema metadata (table structures, column definitions, data types, relationships)
- Generates deployment artifacts: Based on metadata, AnalyticsCreator produces ready-to-deploy packages and code (SSIS packages, Dacpacs, ADF pipelines, PBIP files, OLAP cubes)
- Artifacts can be deployed by customer: Generated packages are standard-format deployment artifacts that customers can deploy using their own tools and processes
- No data access required: AnalyticsCreator never reads, processes, stores, or transmits business data
Analogy: AnalyticsCreator functions like an advanced IDE or code generator - similar to how Visual Studio generates code without processing the data that code will eventually handle.
1. Data Protection by Design
What AnalyticsCreator Accesses:
Metadata Only (Schema Information):
- Database table and column names
- Data types and constraints
- Primary/foreign key relationships
- View and stored procedure definitions
- Cube and dimension structures
Never Accessed:
- Actual row data
- Customer records
- Business transactions
- Personal information (PII)
- Sensitive business data
Supported Data Sources:
AnalyticsCreator connects to a broad range of data platforms for metadata extraction:
Database Platforms:
- Microsoft SQL Server (on-premises and Azure SQL Database)
- Azure Synapse Analytics
- Microsoft Fabric
- Oracle, MySQL, PostgreSQL (via CData or native connectors)
- 250+ additional data sources through CData integration
File-Based Sources:
- Excel, CSV, TSV files
- Parquet, JSON, Arrow formats
- SQLite databases
- File analysis via embedded DuckDB engine (local processing - no cloud upload required)
Connection Characteristics:
- Read-only metadata access (no write permissions required)
- Standard database connection protocols
- Support for both on-premises and cloud data platforms
- File-based sources can be analyzed locally without uploading to cloud services
Security Implications:
Because AnalyticsCreator operates exclusively on metadata, the security surface area is dramatically reduced compared to traditional data processing tools. The generated artifacts (SSIS packages, ADF pipelines, etc.) execute within the customer's environment with the customer's security controls.
2. Connection Security & Encryption
All connections between AnalyticsCreator and customer systems use secure, encrypted channels.
Connection Security Features:
- TLS 1.2+ encrypted connections for all data platform communications (Azure SQL Database, Synapse, Microsoft Fabric, on-premises SQL Server)
- Metadata-only queries: Only schema information queries (e.g., INFORMATION_SCHEMA, sys.tables) are executed - never data queries
- Encrypted credential storage: Connection credentials and sensitive strings are encrypted within the AnalyticsCreator repository
- Credential protection in generated artifacts: When generating SSIS packages, Dacpacs, or ADF pipelines, encrypted strings remain secured and cannot be reverse-engineered from the deployed packages
- Read-only access sufficient: AnalyticsCreator requires only read access to system metadata catalogs
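One way to check the metadata-only claim from the customer side is to audit the statements recorded for the login the tool connects with. The following is an added example, not AnalyticsCreator code: the function names are hypothetical, the sample statements are constructed, and the allowlist assumes that only the two catalogs named above (INFORMATION_SCHEMA and sys) count as metadata.

```python
import re

# Assumption: only the two catalog schemas named on the page count as metadata.
METADATA_SCHEMAS = {"information_schema", "sys"}

# String literals and comments are blanked in one pass so their text is never parsed as SQL.
_NOISE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
# Text after FROM up to the next clause keyword, parenthesis or end of statement.
_FROM = re.compile(
    r"\bFROM\s+(.*?)(?=\b(?:WHERE|GROUP|ORDER|HAVING|UNION|INNER|LEFT|RIGHT|FULL|"
    r"CROSS|OUTER|JOIN|ON)\b|[();]|$)", re.I | re.S)
_JOIN = re.compile(r"\bJOIN\s+([^\s(),;]+)", re.I)


def _clean(sql):
    return _NOISE.sub(lambda m: "''" if m.group().startswith("'") else " ", sql).strip()


def referenced_objects(sql):
    """Return the object names that follow FROM (including comma joins) and JOIN."""
    cleaned = _clean(sql)
    names = []
    for clause in _FROM.findall(cleaned):
        for item in clause.split(","):
            if item.strip():
                names.append(item.split()[0])  # drop the alias, keep the object name
    names += _JOIN.findall(cleaned)
    return [re.sub(r'[\[\]"]', "", n) for n in names]


def audit_statement(sql):
    """Return the reasons a statement is not metadata-only (empty list = pass)."""
    cleaned = _clean(sql)
    verb = cleaned.split(None, 1)[0].upper() if cleaned else ""
    if verb != "SELECT":
        # Deliberately strict: anything that is not a plain SELECT goes to manual review.
        return [f"non-SELECT statement: {verb or '<empty>'}"]
    reasons = []
    if re.search(r"\bINTO\b", cleaned, re.I):
        reasons.append("SELECT ... INTO writes a table")
    for name in referenced_objects(sql):
        parts = name.split(".")
        # Unqualified names resolve to the login's default schema, so they fail too.
        schema = parts[-2].lower() if len(parts) >= 2 else ""
        if schema not in METADATA_SCHEMAS:
            reasons.append(f"reads non-catalog object: {name}")
    return reasons


def audit_log(statements):
    """Map each flagged statement to its reasons; statements that pass are omitted."""
    flagged = {}
    for sql in statements:
        reasons = audit_statement(sql)
        if reasons:
            flagged[sql] = reasons
    return flagged


# Constructed sample: statements as they might be captured for the tool's login.
SAMPLE_STATEMENTS = [
    "SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS",
    "SELECT t.name, c.name FROM sys.tables AS t "
    "JOIN sys.columns AS c ON c.object_id = t.object_id",
    "SELECT TOP 100 * FROM dbo.Customers",
    "SELECT name FROM sys.tables t, Sales.Orders o",
    "SELECT name FROM [sys].[foreign_keys] -- FROM dbo.Secret",
    "UPDATE dbo.Customers SET Name = 'x'",
    "SELECT 'FROM dbo.Orders' AS note FROM sys.objects",
]

if __name__ == "__main__":
    for sql, reasons in audit_log(SAMPLE_STATEMENTS).items():
        print(f"FLAG  {sql}\n      {'; '.join(reasons)}")
```

The check is conservative by design: common table expressions, temporary tables and unqualified names are flagged for review rather than trusted.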
Encrypted Strings Management:
AnalyticsCreator provides a dedicated Encrypted Strings feature for secure credential management:
Key Security Capabilities:
- Secure storage: Connection strings, passwords, authentication tokens, and other sensitive values are encrypted at rest in the repository
- No plain text exposure: Encrypted values are never exposed in plain text during ETL processing, deployment, or in generated code
- Reference by name: Components reference encrypted strings by logical name without exposing actual credentials
- Authorized access only: Only users with appropriate permissions (defined through User Groups) can create, modify, or decrypt entries
- Protected mode: Critical encrypted strings can be marked as "Protected" to prevent modification even by standard users
- Audit compliance: Supports GDPR and internal audit requirements by ensuring credentials are never stored in plain text
- Deployment security: When exporting or deploying projects, encrypted values remain secure in the generated DACPAC or SSIS packages
This encryption approach ensures that sensitive credentials remain protected throughout the entire development, deployment, and production lifecycle.
3. Generated Artifacts & Customer Control
Complete Customer Ownership:
Customers retain full ownership and control over all generated artifacts:
- SSIS packages for data integration
- Dacpac files for database deployment
- ADF pipelines for cloud data orchestration
- PBIP files (Power BI Projects) for analytics models
- OLAP cube definitions (Tabular and Multidimensional) for analysis
- BI artifacts for Tableau and Qlik
Deployment Model & Safety Controls:
AnalyticsCreator is a code generation tool, not a deployment tool. While AnalyticsCreator includes optional deployment capabilities for convenience, customers are free to deploy generated artifacts using their own deployment tools and processes.
Two Deployment Approaches:
Option 1: Deploy Independently (Recommended for Production)
- Generated artifacts are standard-format packages (Dacpac, SSIS .dtsx, ADF JSON, XMLA)
- Can be deployed using any standard deployment tools:
  - SQL Server Management Studio (SSMS) for Dacpacs
  - SQL Server Integration Services Catalog for SSIS packages
  - Azure DevOps pipelines for automated deployments
  - Azure Data Factory for ADF pipelines
  - SQL Server Management Studio or PowerShell for OLAP cubes
- No AnalyticsCreator connectivity required for deployment
- Integrates with existing CI/CD pipelines and approval workflows
- Ideal for: Production environments, regulated industries, organizations with established deployment processes
Option 2: Deploy Directly from AnalyticsCreator (Optional)
- Convenience feature for rapid development and testing
- AnalyticsCreator can optionally deploy artifacts directly to target environments
- Useful for development iterations and testing cycles
- Provides deployment safety controls (see below)
- Ideal for: Development environments, rapid prototyping, testing scenarios
Deployment Safety Features (When Using AnalyticsCreator's Optional Deployment):
- Backup before changes: Automatically creates database backup before applying schema updates
- Drift detection: Blocks deployment if untracked schema differences are detected, preventing overwriting of manual changes
- Single-user mode deployment: Ensures exclusive database connection during deployment for data integrity
- Data loss prevention: Configurable option to prevent schema changes that would result in data loss
- Compatibility validation: Allows or blocks deployment based on SQL Server version compatibility
Environment Management:
- Deployment packages: Configure separate deployment packages for Development, Test, and Production environments
- Environment-specific parameters: Use SQLCMD variables and environment variables for configuration differences between environments
- Separate database layers: Option to deploy data warehouse layers (Staging, Core, Data Mart) to separate physical databases
- Version control integration: Deployment configurations can be stored in version control for audit trail and rollback capability
Deployment Architecture:
- Artifacts generated for customer deployment: All code packages are produced in standard formats ready for customer-controlled deployment
- Customer security controls apply: Deployment occurs through customer's chosen tools and processes under their security policies
- Authentication flexibility: When using optional AnalyticsCreator deployment, supports Windows Authentication, Azure AD, SQL Server authentication, and service principals
- Full transparency: All generated code is human-readable and can be reviewed before deployment
- No runtime dependency: Once deployed, artifacts operate independently without requiring AnalyticsCreator connectivity
Generated Code Characteristics:
- Standard formats: All artifacts use industry-standard formats (SSIS .dtsx, SQL Server Dacpac, ADF JSON, XMLA for OLAP)
- No proprietary dependencies: Generated code contains no proprietary runtime components or libraries
- Portable and maintainable: Code can be maintained manually if needed, without AnalyticsCreator
- Deterministic generation: Same metadata inputs produce consistent, reproducible outputs
- Deploy anywhere: Generated artifacts can be deployed to any compatible environment, regardless of whether AnalyticsCreator has access to it
4. Metadata Repository & Cloud Storage Options
Metadata Repository Storage:
Customers can choose where AnalyticsCreator stores project metadata (design configurations, generation templates, documentation):
Option 1: AnalyticsCreator Cloud Repository (Recommended)
- Project metadata stored securely in AnalyticsCreator's cloud repository hosted in Germany
- EU data residency compliant with GDPR requirements
- Encrypted at rest using industry-standard database encryption
- Encrypted in transit via TLS 1.2+ (HTTPS over port 443)
- Automated backups and data redundancy
- Enables team collaboration and shared access
- Accessible from anywhere with internet connectivity
Option 2: Customer-Hosted Repository
- Project metadata stored in customer's own SQL Server/Azure SQL environment
- Complete customer control over storage location and access policies
- Requires secure connectivity from customer repository to AnalyticsCreator cloud for generation operations
- Ideal for organizations requiring all metadata to remain within their infrastructure
Data Retention:
- Customer-controlled retention: Metadata is retained in AnalyticsCreator's cloud repository until the customer actively deletes it or terminates their subscription
- No automatic deletion: AnalyticsCreator does not automatically delete customer metadata
- Deletion upon contract termination: When a customer contract ends, metadata can be deleted upon request or according to contractual terms
- Data export available: Customers can export their metadata and generated artifacts at any time
Important Security Note: Regardless of repository location, metadata must be transmitted to AnalyticsCreator's cloud generation engine over secure HTTPS (port 443, TLS 1.2+) during code generation operations. Only schema metadata is transmitted - never operational business data.
5. Governance & Compliance Alignment
Compliance by Architecture:
AnalyticsCreator's metadata-only approach fundamentally simplifies compliance:
GDPR/DSGVO Considerations:
- Designed to support GDPR compliance through its metadata-only architecture
- No processing of personal data by AnalyticsCreator itself
- Generated artifacts process data within customer environments under customer data protection policies
- Metadata repository access controls support data governance requirements
Enterprise Governance Alignment:
- Supports alignment with ISO 27001 and SOC 2 readiness through transparent metadata handling and customer-controlled DevOps processes
- Audit trail capabilities via version control integration
- Change management through CI/CD pipelines
- Complete code transparency (no "black box" generation)
Transparent Generation Process:
- Deterministic code generation: Same metadata inputs produce consistent, reproducible outputs
- Human-readable artifacts: All generated code can be reviewed and validated
- Version control integration: Git, Azure DevOps, and GitHub supported for complete change tracking
- Documentation automation: Self-documenting generated code with lineage tracking
Audit & Compliance Features:
Automated Documentation:
- Audit-ready documentation: Word and Visio documentation automatically generated from metadata layer
- Always up-to-date: Documentation stays synchronized with metadata changes
- Stakeholder transparency: Clear outputs for data stewards, compliance teams, and auditors
Data Lineage & Impact Analysis:
- Complete data lineage: Visual tracking of data flow from source to consumption
- Impact analysis: Understand downstream effects of changes before deployment
- Transparency and trust: Data lineage adds transparency to the framework, enabling users to understand data provenance
- Compliance support: Demonstrable data lineage simplifies regulatory compliance requirements
Version Control & Change Tracking:
- Full version history: All metadata changes tracked in Git, Azure DevOps, or GitHub
- Change attribution: Who made what changes and when
- DevOps workflow support: Safe promotion of metadata changes across environments
- Rollback capability: Restore previous versions if needed
Metadata Export & Portability:
- Export to multiple formats: SQL scripts, JSON files, Excel, and other formats supported
- Deployment flexibility: Export metadata for deployment across different environments
- No vendor lock-in: Metadata can be exported and used outside AnalyticsCreator
- Collaboration support: Share metadata definitions across teams and tools
6. DevOps Integration & Change Management
Enterprise-Grade Deployment Controls:
AnalyticsCreator generates standard-format deployment artifacts that integrate seamlessly with existing DevOps workflows and deployment pipelines.
Change Management Features:
- Deployment package generation: Define and configure deployment packages that produce all necessary artifacts (Dacpac, SSIS, ADF, OLAP)
- Environment separation: Create separate deployment configurations for Development, Test, and Production with environment-specific parameters
- Version management: Track deployment package configurations and generated artifact versions over time
- Configuration management: Use SQLCMD variables and environment variables for environment-specific parameters
- Rollback capability: Standard deployment artifacts can be version-controlled for rollback if issues occur
CI/CD Pipeline Integration:
AnalyticsCreator-generated artifacts are designed for seamless integration with standard deployment tools and processes:
- Automated artifact generation: Generate all deployment artifacts (Dacpac, SSIS, ADF, OLAP) from metadata
- Standard deployment formats: All artifacts use industry-standard formats compatible with existing deployment tools
- Version control integration: Git, Azure DevOps, GitHub, and other VCS systems for tracking generated artifacts
- Deploy without AnalyticsCreator: Generated packages can be deployed using standard tools:
  - SSMS or SqlPackage.exe for Dacpac deployment
  - SSIS Catalog for SSIS package deployment
  - Azure DevOps/GitHub Actions for automated CI/CD pipelines
  - PowerShell or XMLA scripts for OLAP deployment
- Approval workflows: Integration with existing DevOps approval gates and deployment pipelines
- Environment promotion: Structured dev → test → production promotion workflows using customer's deployment tools
- Audit logging: Change tracking through version control and deployment history
Optional Direct Deployment from AnalyticsCreator:
For convenience during development, AnalyticsCreator includes optional deployment capabilities with built-in safety mechanisms:
- Pre-deployment backup: Automatic database backup before applying schema changes
- Drift detection and blocking: Prevents deployment if unauthorized schema changes are detected
- Data loss prevention: Configurable controls to block schema changes that would result in data loss
- Single-user mode option: Ensures exclusive database access during critical deployment operations
- Compatibility validation: Verifies SQL Server version compatibility before deployment
Important: These optional deployment features are for convenience only. Production deployments typically use customer-controlled deployment tools and processes for maximum control and integration with existing governance workflows.
Multi-Platform Support:
Generated artifacts support deployment to multiple platforms:
- SSIS: SQL Server Integration Services packages (.dtsx) deployable to SSIS Catalog
- ADF: Azure Data Factory pipelines (JSON) deployable via Azure Portal, PowerShell, or ARM templates
- DACPAC: SQL Server database schemas deployable via SSMS, SqlPackage.exe, or Azure DevOps
- OLAP: Analysis Services (Tabular and Multidimensional) deployable via XMLA scripts or PowerShell
- BI artifacts: Power BI (PBIP/TMDL), Tableau, and Qlik artifacts for synchronized BI deployments
7. Cloud Architecture & Secure Connectivity
How AnalyticsCreator Works:
Cloud-Based Generation Service:
- Secure connection established: Customer systems connect to AnalyticsCreator's cloud servers over HTTPS (port 443) with TLS 1.2+ encryption
- Metadata transmitted securely: Schema metadata is read from customer systems and transmitted to AnalyticsCreator's cloud generation engine via encrypted connection
- Generation occurs in the cloud: AnalyticsCreator's cloud servers process the metadata and generate deployment artifacts (SSIS, Dacpac, ADF, PBIP, OLAP cubes)
- Artifacts delivered to customer: Generated code packages are transmitted back to the customer environment for deployment and execution
Important: Only metadata travels to AnalyticsCreator's cloud - never operational business data.
Network Security:
- Port 443 (HTTPS) only: All communication uses standard secure web protocols
- TLS 1.2+ encryption: End-to-end encryption for all metadata transmission
- Outbound connections: Customer initiates connections to AnalyticsCreator cloud (no inbound firewall rules required)
- No persistent connections: Connections established only during metadata reading and artifact generation
- Standard firewall compatibility: Works with standard enterprise firewall configurations allowing outbound HTTPS
Cloud Infrastructure:
- Hosted in Germany: AnalyticsCreator's generation engine runs on secure hosting infrastructure in Germany
- EU data residency: All metadata processing and storage occurs within the European Union
- GDPR-aligned infrastructure: German hosting provides strong data protection aligned with EU regulations
- Encrypted at rest: All stored metadata is encrypted using industry-standard database encryption
- Multi-tenant architecture: Customer repositories are logically isolated with access controls enforced at the application and database level
8. Authentication & Access Control
Supported Authentication Methods:
AnalyticsCreator supports multiple authentication methods for connecting to target deployment environments:
- Windows Authentication (Integrated): Uses Windows credentials for SQL Server connections
- Azure Active Directory: Supports Azure AD authentication for Azure SQL Database and Azure Synapse
- SQL Server Authentication: Standard username/password authentication with encrypted credential storage
- Service Principals: Azure service principal support for automated deployment scenarios
AnalyticsCreator Desktop Application Login:
- Users are provided with unique username and password credentials
- Authentication occurs when logging into the AnalyticsCreator Desktop application
- Credentials are encrypted during transmission (TLS 1.2+ over HTTPS)
- Password-based authentication for application access
Role-Based Access Control (User Groups):
AnalyticsCreator implements a User Groups system for managing collaboration and permissions within shared projects:
User Group Roles:
- Group Owner: Full control over the group, including adding/removing members, changing permissions, and deleting the group
- Read/Write: Can view and edit project elements within the group but cannot manage user rights or delete the group
- Read Only: Can view group content but cannot make changes or add new objects
Access Management Features:
- Project-level permissions: Control who can read/modify design metadata through user group assignments
- Collaborative workspaces: Multiple users can work on shared projects with appropriate access levels
- Granular permission control: Assign different rights to different users within the same project
- Group-based administration: Group Owners manage membership and access rights for their projects
This permission model enables secure team collaboration while ensuring that administrative control and data modification rights are clearly defined and properly enforced.
9. Responsible Disclosure & Security Contact
For any data protection, security concerns, or responsible vulnerability disclosure:
📧 support@analyticscreator.com | Peter Dunker, Principal
AnalyticsCreator's team will respond promptly to responsible disclosures and compliance inquiries.
Key Takeaways
✅ AnalyticsCreator accesses only metadata - never operational business data
✅ Generated artifacts execute in customer environments under customer security controls
✅ Complete transparency: All generated code is human-readable and auditable
✅ Flexible deployment: On-premises, cloud, or hybrid deployment options
✅ Enterprise integration: Works with existing DevOps, version control, and governance processes
✅ Designed to support compliance: GDPR-aligned architecture, supports ISO 27001/SOC 2 readiness
Frequently Asked Questions
How does AnalyticsCreator protect my database credentials?
AnalyticsCreator uses an Encrypted Strings feature that stores all connection credentials, passwords, and authentication tokens in encrypted form within the repository. These values are never exposed in plain text and remain encrypted even in generated packages (SSIS, Dacpac, ADF). Only authorized users with appropriate permissions can decrypt and view these credentials.
Does AnalyticsCreator need access to our production environment?
No. AnalyticsCreator generates standard-format deployment packages (Dacpac, SSIS, ADF, OLAP) that you deploy using your own tools and processes. While AnalyticsCreator includes optional deployment features for convenience during development, production deployments typically use customer-controlled tools (SSMS, Azure DevOps, CI/CD pipelines) without requiring AnalyticsCreator access to production systems.
Can we deploy without AnalyticsCreator?
Yes, absolutely. AnalyticsCreator is a code generation tool, not a deployment tool. All generated artifacts are standard formats (Dacpac, SSIS .dtsx, ADF JSON, XMLA) that can be deployed using industry-standard tools like SQL Server Management Studio, Azure DevOps pipelines, SSIS Catalog, or PowerShell - no AnalyticsCreator connectivity required.
Can AnalyticsCreator be used in air-gapped environments?
AnalyticsCreator requires secure internet connectivity (outbound HTTPS on port 443) to transmit metadata to the cloud generation engine and receive generated artifacts. Organizations requiring air-gapped operations cannot use the current cloud-based architecture.
Where is my metadata processed?
Metadata is processed on AnalyticsCreator's secure cloud infrastructure hosted in Germany. All metadata processing and storage occurs within the European Union, ensuring GDPR-compliant data residency.
Is my metadata mixed with other customers' data?
AnalyticsCreator uses a multi-tenant architecture where multiple customer repositories are stored on shared infrastructure. However, strict logical separation and access controls ensure that each customer's metadata is completely isolated and accessible only to authorized users of that specific customer account. Customers cannot access or view other customers' metadata.
How does AnalyticsCreator support audit and compliance requirements?
AnalyticsCreator provides comprehensive audit support including: automatic generation of audit-ready documentation (Word/Visio), complete data lineage tracking with visual diagrams, full version control integration (Git/Azure DevOps/GitHub) for change tracking, and the ability to export metadata to multiple formats. All changes to models and ETL processes are tracked with attribution and timestamps, supporting regulatory compliance and internal audit requirements.
Can we export our metadata if we stop using AnalyticsCreator?
AnalyticsCreator supports flexible metadata export to multiple formats including SQL scripts, JSON files, and Excel. All generated artifacts (SSIS packages, Dacpac files, ADF pipelines) are standard formats that continue to function independently without AnalyticsCreator. There is no vendor lock-in.
What happens if I stop using AnalyticsCreator?
All generated artifacts (SSIS packages, ADF pipelines, PBIP files, etc.) continue to function normally. They are standard, non-proprietary code with no runtime dependency on AnalyticsCreator.
How does AnalyticsCreator support GDPR compliance?
AnalyticsCreator is designed to support GDPR compliance through its metadata-only architecture. Since it doesn't process personal data, many GDPR data processing requirements don't apply to AnalyticsCreator itself. Generated artifacts process data under your GDPR policies within your environment.