How we protect your data and access only what’s needed.
We only read BigQuery metadata (job history, table names, sizes). We never read the contents of your tables. This keeps the security surface minimal.
Service account keys are encrypted at rest. Optionally we store them in Google Secret Manager. Credentials are never logged or returned in API responses.
BigQuery Metadata Viewer, BigQuery Resource Viewer (for job history), and optionally Billing Viewer. No other roles are required.