Security Aspects of Data Quality Monitoring

Applies to Alation Cloud Service instances of Alation.

Alation Data Quality uses a large language model via Amazon Bedrock to recommend data-quality checks based on Alation Data Catalog metadata.

Alation Data Quality employs two distinct credential and security models to balance automated monitoring with secure, on-demand data analysis. All communications are secured with AWS PrivateLink and TLS 1.2 encryption.

Credential and Permission Models

Service Account Credentials (Automated Monitoring)

This model is used for automated, system-level tasks.

  • Use Case: Running scheduled monitors and data profiling. The Airflow DQ Pod uses the data source’s default service account to execute all scheduled checks against the data source and profile data.

  • Permissions: For a monitor to run successfully, this service account must have SELECT privileges on all tables and columns being monitored.

Individual User Credentials (Interactive Analysis)

This model is used for on-demand, interactive analysis to ensure user-level permissions are always enforced.

  • Use Cases: Failed Records Analysis and Root Cause Analysis (RCA).

  • Security Principle: These features run using the individual user’s credentials to establish a direct connection to the data source. This approach enforces several key security principles:

    • No Data Leakage: Users can only analyze data they already have permission to access in the source system.

    • Audit Trail: All analysis activities are logged under the user’s account.

    • Privacy: Alation Data Quality does not store these individual user credentials.

AI and LLM Privacy

Alation leverages Large Language Models (LLMs) via Amazon Bedrock for multiple features, each with a specific privacy guarantee. Your data is private, secure, encrypted, and never used for model training.

  • For AI-Powered Check Recommendations: The system suggests checks based on metadata only. It sends column names and data types to Amazon Bedrock but does not directly access the data in your tables for this purpose.

  • For Root Cause Analysis (RCA): RCA uses a privacy-preserving approach to analyze failed records.

    • No customer data is sent to the LLM.

    • All actual data values are completely masked before any analysis occurs.

    • Only the masked, non-sensitive representations are sent to the LLM to identify correlations and patterns.
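
As an added illustration (not Alation's implementation, which the page does not describe in detail), the following Python sketches the kind of masking described above: every value is replaced by a type/shape token plus a per-session HMAC pseudonym, so the payload that reaches the LLM contains no raw values while repeated values in a column remain correlatable. The records, column names and the HMAC scheme are constructed for this example.

```python
import hashlib
import hmac
import re
import secrets
from typing import Any, Optional

# Constructed sample of "failed records" (rows that violated a DQ check).
# The values are made up for this example; none is real customer data.
FAILED_RECORDS = [
    {"customer_id": 10482, "email": "ana.lopez@example.com", "country": "MX", "balance": -12.50},
    {"customer_id": 10483, "email": "bob@example.org", "country": "MX", "balance": None},
    {"customer_id": 10590, "email": "not-an-email", "country": "US", "balance": -3.00},
]

def shape_of(value: Any) -> str:
    """Replace a value with a type/shape token that carries none of its content."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):  # bool before int: bool is a subclass of int
        return "BOOL"
    if isinstance(value, int):
        return f"INT(sign={'-' if value < 0 else '+'},digits={len(str(abs(value)))})"
    if isinstance(value, float):
        return f"FLOAT(sign={'-' if value < 0 else '+'})"
    s = str(value)
    # Character-class pattern: 'ana.lopez@example.com' -> 'aaa.aaaaa@aaaaaaa.aaa'
    pattern = re.sub(r"[a-z]", "a", re.sub(r"[A-Z]", "A", re.sub(r"[0-9]", "9", s)))
    return f"STR(len={len(s)},pattern={pattern})"

class RecordMasker:
    """Mask rows so only shape tokens and per-session pseudonyms leave the boundary.
    Pseudonyms are HMACs of raw values under a key generated for this session and never
    exported: equal values stay correlatable for the LLM but cannot be reversed without the key."""
    def __init__(self, key: Optional[bytes] = None):
        self._key = key or secrets.token_bytes(32)  # per-session, never leaves this process

    def pseudonym(self, column: str, value: Any) -> str:
        msg = f"{column}\x00{value!r}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:8]

    def mask_record(self, record: dict) -> dict:
        return {c: {"shape": shape_of(v), "token": self.pseudonym(c, v)} for c, v in record.items()}

    def mask_all(self, records: list) -> list:
        return [self.mask_record(r) for r in records]

def leaks_raw_values(records: list, masked: list) -> bool:
    """Export guard: True if any raw value string survives in the masked payload."""
    payload = repr(masked)
    return any(v is not None and str(v) in payload for r in records for v in r.values())
```

Run `leaks_raw_values` as the last step before anything is handed to the model; the two "MX" rows share one token, which is what lets correlation work on masked data.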

Data Governance and Sensitivity

Alation Data Quality honors and integrates with your existing data governance policies.

  • Sensitivity Tagging: The Data Profiling feature respects any sensitivity tagging configured within Alation. Columns marked as sensitive or PII will be flagged in the profiling results, ensuring that sensitive data handling follows your organization’s established classification rules.

Geographical Availability

This section outlines geographical availability: the regions where these features are supported and how service requests are routed. Alation Data Quality depends directly on Amazon Timestream availability and is therefore currently unavailable in the following AWS Regions, where Amazon Timestream is not offered: Canada (Montreal), Asia Pacific (Singapore), and Asia Pacific (Mumbai).

Alation’s AI features are designed to be globally accessible, but the following considerations apply:

  • Compliance & Data Sovereignty: Global regions support local regulations and privacy laws.

  • Performance & Reliability: Reduced latency for real-time data quality monitoring.

  • Scalability & Resilience: Multi-region deployments support disaster recovery and geo-redundancy.

  • Trust & Governance: By deploying Alation Data Quality in supported regions, customers benefit from end-to-end data lineage and agentic quality checks.

To broaden access, Alation employs cross-regional traffic routing to available regions. Service requests are initiated from the Alation Cloud Service VPCs to Amazon’s region-specific infrastructure, with TLS 1.2 encryption ensuring data protection via AWS’s private network. For details on regional availability, refer to Amazon Bedrock endpoints and quotas in AWS documentation.

The following table specifies the supported regions for Alation’s AI features and their corresponding target region routing:

Origin Region                          Target Region
us-east-1 (US East, N. Virginia)       us-east-1 (US East, N. Virginia)
us-east-2 (US East, Ohio)              us-east-1 (US East, N. Virginia)
ca-central-1 (Canada, Central)         ca-central-1 (Canada, Central)
us-west-2 (US West, Oregon)            us-west-2 (US West, Oregon)
ap-northeast-1 (Asia Pacific, Tokyo)   ap-southeast-2 (Asia Pacific, Sydney)
ap-southeast-2 (Asia Pacific, Sydney)  ap-southeast-2 (Asia Pacific, Sydney)
eu-central-1 (Europe, Frankfurt)       eu-central-1 (Europe, Frankfurt)
eu-west-1 (Europe, Ireland)            eu-west-1 (Europe, Ireland)