Administration

Security overview

Sema is designed to read metadata, not exfiltrate data.

Read-only SQL firewall — generated SQL is validated and executed read-only.
Encryption at rest — per-workspace LLM keys are Fernet-encrypted.
Bearer-token auth with brute-force lockout and append-only audit logging.
Sensitivity-aware RBAC over restricted columns.

All docs

Quickstart SaaS quickstart Healthcare quickstart FinServ quickstart Retail quickstart Logistics quickstart Manufacturing quickstart Connectors Data health Glossary Conversational query Reports Alerts Signal registry Roles & permissions Billing & plans Security overview Troubleshooting