What data can be tokenized with BYOT?

Contact names, emails, phone numbers, addresses, and account IDs. Anything that identifies a person — we only need the pattern, not the name.

How does Bring Your Own Tokenization work?

1) Download our tokenization specification or install the SDK. 2) Tokenize sensitive fields in your pipeline before upload. 3) Enable 'I pre-tokenize my data' in Settings. 4) Upload as normal — Gran Minerva processes your tokens. 5) De-tokenize on your end when you need real names back.

Privacy-Preserving Architecture

We tokenize customer PII before persistence and encrypt it with per-tenant KMS keys. Built for security-first teams that need credibility with customers and auditors.

Your customer data is tokenized before storage

We never see PII — emails, phone numbers, and sensitive fields are encrypted at ingestion

Tokenize before persistenceEncrypted with per-tenant KMS keysAudit & control

Tokenize Before Persistence

Sensitive fields are transformed before storage. Inputs like email and phone never land as plaintext.

Encrypted PII at Rest

Customer PII is tokenized via Cloud DLP, encrypted with per-tenant KMS keys. Your team accesses real values via authorized client-side detokenization.

Audit & Control

Logs for key actions, BYOK and regional residency. Least-privilege access across services.

Data Protection

Tokenize before persistence — emails, phones, IDs, cards via Cloud DLP
AES-256 encryption at rest with per-tenant KMS keys, TLS 1.3 in transit
Client-side de-tokenization for authorized users only
Automated data retention policies and right to deletion via crypto-shredding

Compliance & Standards

SOC 2 Type II audit in progress
GDPR and CCPA compliant data handling
Annual penetration testing and security audits
99.9% uptime target
Public subprocessor list with 30-day change notice (Subprocessors)

Infrastructure Security

Zero-Trust Network

All services authenticated and authorized at every layer

DDoS Protection

Google Cloud Armor protection with managed WAF rules

Audit Logging

Immutable logs with 90-day retention standard

Access Control & Authentication

Passwordless magic link authentication via Firebase Auth — no passwords to steal or phish
Single Sign-On (SSO) via SAML 2.0 included on all plans
Role-based access control with custom permission sets
API keys with granular scopes and automatic rotation
Session management with configurable timeout policies

Your Data, Your Control

Choose how your data is protected — or protect it yourself.

Platform Protection

Every piece of customer PII is tokenized before it reaches analytics or AI
Per-tenant encryption keys (AES-256) with automatic rotation
Zero PII in storage, logs, or AI prompts
SOC 2 Type II audit in progress

Bring Your Own Tokenization

Only on Gran Minerva

Tokenize sensitive fields yourself before uploading
We never see raw PII — only your tokens
You maintain the token-to-PII mapping in your environment
Open specification + SDK (Python and Node.js) available
Your keys, your control, your rules

Both paths deliver the same accurate drift detection. The only difference is who holds the keys.

No other customer intelligence platform offers self-tokenization. Not Gainsight. Not ChurnZero. Not Totango. This is unique to Gran Minerva.

Your Data

You Tokenize

Upload Tokens

We Analyze

You De-tokenize

SOC 2 Type II (in progress)

Google Cloud Partner

AES-256

Zero PII

Contact names, emails, phone numbers, addresses, account IDs. Anything that identifies a person — we only need the pattern, not the name.

Usage metrics (logins, feature usage, session counts), financial values (MRR, contract value), NPS/CSAT scores, dates and timestamps, company demographics (industry, size, region).

Download our tokenization specification (or install the SDK)
Tokenize sensitive fields in your pipeline before upload
Enable "I pre-tokenize my data" in Settings
Upload as normal — Gran Minerva processes your tokens
De-tokenize on your end when you need real names back

Languages: Python 3.8+ and Node.js 18+. Vault support: Local encrypted file, env vars, HashiCorp Vault, AWS/GCP/Azure secret managers. Open source (when released). Deterministic tokens for accurate record matching.

Read the BYOT SpecificationComing SoonDownload the SDKComing Soon

Enterprise Security Options

Available on Custom plans

BYOK

Bring your own encryption keys

Data Residency

Choose your data location

Private Deploy

VPC or on-premise options

Custom SLA

99.95%+ uptime guarantee

Pilot, Exit, and Data Continuity

We provide explicit pilot terms, exportability commitments, and continuity guidance so you can adopt with low operational risk.

30-day pilot success criteria documented at kickoff.
On request, export packages include account-level scores, evidence references, and action history.
Data continuity FAQ and handoff runbook maintained by Support for all active customers.
Pilot exit path includes secure export and tenant decommission guidance.

Responsible Disclosure

Report potential vulnerabilities to security@granminerva.com. See security.txt for details.

Ready to see our security in action?

Create your free account with full security features enabled.

See Your At-Risk Revenue Privacy policy