We understand that connecting a third-party tool to your Sisense environment requires trust. Here is exactly what ControlHub does and does not do with your data.
The Short Version
No customer data is stored on our servers. ControlHub can back up over 15 types of Sisense assets — but only the ones you choose. Every asset type and individual asset is selectively included or excluded by you. What we back up is asset definitions (dashboard structures, datamodel schemas, connection metadata) — not your actual data. We never see, store, or have access to the data inside your databases, CSVs, or Excel files.
What We Store
What We Never Store
Dashboard definitions (JSON structure)
Database contents or query results
Datamodel schemas (field names, relationships)
CSV or Excel file data
Connection metadata (name, type, server address)
Connection passwords or secrets
Jupyter Notebooks
Sisense user emails or personal data
Plugin, theme, and branding configurations
SSO certificates or shared secrets
Your Backups, Your Git Repository
Keep full control over where your backup data is stored.
Bring your own Git repository. You can connect ControlHub to your own Git server (Gitea, GitHub, GitLab, Bitbucket, or any Git host). Your backups are stored in a repository you own and control — ControlHub never needs to hold your data.
You control access. Your repository, your permissions, your retention policies. Revoke ControlHub's access at any time and your backup history remains yours.
Full version history in Git. Every backup is a Git commit. You can browse, diff, and restore from any point in time using standard Git tooling — with or without ControlHub.
Default option available. If you prefer not to manage your own repository, ControlHub provides managed storage with dedicated per-client folders and no cross-client access.
What Gets Backed Up
Only metadata and definitions — never your actual data.
When ControlHub backs up your Sisense instance, it saves the structure and configuration of your assets to a Git repository. This includes:
Dashboard definitions (layout, widgets, filters — as JSON)
Datamodel schemas (tables, columns, relationships — as JSON)
Connection metadata (name, type, server — passwords and secrets are stripped)
Explicitly excluded from all backups: Sisense user email addresses, connection passwords and secrets (parameters and protectedParameters), SSO shared secrets and certificates, email service credentials, and all other sensitive fields. These are replaced with [REDACTED] or excluded entirely before anything is written to Git.
The actual data your dashboards display — database records, query results — is never downloaded or stored by ControlHub. During migrations, CSV and Excel source files may be transferred between instances at your request (with optional de-identification), but they are never retained on our servers. We back up the blueprint, not the building.
No User PII Stored
We do not back up Sisense user accounts or personal information.
ControlHub does not back up or store Sisense user profiles, email addresses, passwords, or any other personally identifiable information from your Sisense user directory. User data stays in your Sisense instance — we never pull it.
Asset definitions do contain internal Sisense user IDs (opaque database identifiers like 5f3a2b1c...) for ownership and folder mapping purposes. These are not personally identifiable — they are internal system references that cannot be used to determine a user's name or email without access to the Sisense instance itself.
How We Handle Your Credentials
The credentials you provide to connect your Sisense instance.
Encrypted at rest using Fernet symmetric encryption (from the cryptography library) — an industry-standard approach. The encryption key is stored as an environment variable, never in code.
Never logged. Plaintext credentials are never written to log files, error messages, or audit trails.
Used only for operations you authorise. Credentials are decrypted in memory only when performing a backup, restore, or migration that you have explicitly triggered or scheduled.
Secure transfer during migrations. When you choose to migrate connections between Sisense instances, credentials are decrypted on the source instance, transferred in memory, and immediately re-encrypted by the destination instance using its own encryption key. Credentials are never logged, never written to disk, and never stored in Git — they exist only in memory for the duration of the transfer.
Your Sisense API token or username/password is encrypted the moment it is saved and is only ever decrypted in memory for the specific operation you requested. Connection credentials migrated between instances are re-encrypted by the destination — they are never persisted in plaintext.
Data De-identification for Migrations
Optional PII protection when migrating data files between environments.
When migrating assets between Sisense instances, you may need to transfer CSV or Excel source files. ControlHub offers optional de-identification to protect sensitive data:
Column-level control. Choose exactly which columns contain PII (names, email addresses, phone numbers, etc.) and which to leave untouched.
Hash-based replacement. Selected values are replaced with deterministic hashes — maintaining referential integrity while removing identifiable information.
Applied to copies only. De-identification is performed on a copy of the file during transfer. Your source data is never modified.
Configurable per file. Each CSV or Excel file in a migration can have its own de-identification rules.
This is particularly useful when migrating from production to development environments, where real customer data should not be present.
Multi-tenant Isolation
Your data is rigorously separated from other customers.
All database queries are filtered by client ID. There is no mechanism for one customer to access another customer's data, instances, or configuration.
Unauthorised access returns 404, not 403. If a request targets a resource belonging to another client, the system responds as if it does not exist — preventing information leakage about other tenants.
Audit Trail
Every significant action is logged immutably.
Immutable, append-only audit log of all significant actions — backups, restores, migrations, configuration changes, user logins.
Captures: who performed the action, what was affected, when it happened, the IP address, and whether an admin was impersonating a user.
365-day retention by default.
Git commit history provides an additional, independent audit trail of every change to every backed-up asset over time.
Questions?
If you have security questions that aren't answered here, we're happy to discuss them. We can also provide details for your organisation's security review process.
Our Data Processing Agreement is available for review and is automatically accepted when you create an account.