Supported engines
PostgreSQL
Versions 11+. Read-only credentials recommended.
MySQL
Versions 5.7+ and MySQL 8. Compatible with MariaDB.
Snowflake
Username + password authentication.
Azure SQL
Azure SQL Database and Managed Instance.
What Summand needs
A user with read-only access to the schemas and tables you intend to analyze. Specifically:SELECTon the target tablesUSAGEon the schemas (Postgres / Snowflake)INFORMATION_SCHEMAaccess for schema discovery
INFORMATION_SCHEMA, and never executes user-supplied SQL.
Network access
Summand connects from a fixed set of egress IPs — share these with your network team to allowlist:52.x.x.x/30(production)54.x.x.x/30(production failover)
Live IP ranges are listed in the in-product Settings → Connectivity panel for your account. The values above are illustrative — always copy the live ones from there.
- PrivateLink (AWS) — Summand creates a VPC endpoint in your account.
- VPC peering (AWS, GCP) — for ongoing high-throughput workloads.
- SSH tunnel — supported but not recommended for production.
Setup
1
Create a read-only user in your database
Use the SQL appropriate for your engine. For Postgres:
2
Add the connector in Summand
From the Connectors page, click Add connector → PostgreSQL (or MySQL / Snowflake). Provide host, port, database, and the read-only credentials. Summand validates connectivity before saving.
3
Pick tables
Summand discovers all tables you have
SELECT on. Choose which ones to enable as datasets. You can enable more later from the connector page.Each enabled table becomes a dataset. Baseline column-stats run automatically. From there, chat, create views, or set up experiments — there’s no per-dataset configuration step.Refresh
Click Refresh on a dataset to re-run analysis against the current state of the source table. Refresh:- Streams the table to Summand’s curated Parquet store
- Fits a fresh EBM and re-runs surprise finding
- Writes a new semantic-layer version
- Switches the UI to the new version on success
Credential handling
- Database passwords are encrypted with AWS KMS and stored in AWS Secrets Manager.
- Plaintext credentials are never logged.
- Connection strings are never exposed in the UI or API responses.
- You can rotate credentials at any time from Settings → Connectors → Edit.