Security at DB AI Magic

Every database connection string you store is sealed with AES-256-GCM using a per-organisation data encryption key. The key hierarchy is rooted in a managed KMS — we never persist the master key in our application database.

Credentials are decrypted only in-memory at the moment a query runs, and discarded as soon as the request finishes. Plaintext credentials are never written to disk or logs.

• In transit: TLS 1.2+ everywhere. HSTS on all our domains. WebSocket traffic uses the same TLS endpoints.
• At rest: AES-256 on all managed storage (database volumes, object storage, backups).
• Backups: rolling encrypted backups retained for 30 days. Restore drills run quarterly.

• Sign-in via Google OAuth 2.0 (super admins and admins) or email + password for employees.
• JWT access tokens with 15-minute lifetimes, rotated via refresh tokens stored server-side.
• Refresh tokens are bound to a session ID and revocable per-device.
• SSO via SAML / OIDC is on the roadmap (see /roadmap).

Permissions are enforced server-side at every endpoint. Employees receive granular, per-connection scopes (read, write, schema, export) stored as JSONB on their user record and re-checked on every request. Admins can audit every permission change via an immutable audit log.

• Hosted on a Tier-1 cloud provider with SOC 2 Type II, ISO 27001 and PCI DSS certifications.
• Workloads run in private subnets; production database has no public network ingress.
• All production change is gated by code review and CI; no direct SSH to production.
• Secrets stored in a managed secret manager, rotated automatically.

AI Chat runs in read-only mode by default. The query executor blocks INSERT, UPDATE, DELETE, DROP, ALTER and equivalents at the adapter layer, before the SQL ever reaches your database. Our AI provider does not train on your prompts.

• Application logs are shipped to a hosted log platform with 90-day retention.
• Anomalies (auth failures, permission denials, unusual-region sign-ins) trigger alerts to our on-call rotation.
• Audit logs of admin actions are immutable and exportable as CSV.

We follow a documented incident response runbook: detect, contain, eradicate, recover, post-mortem. If an incident materially affects you, we'll notify the relevant account admin within 72 hours, and publish a post-mortem on /status.

Security researchers: please report findings to security@dbide.app using the PGP key on that page. We'll acknowledge within 24 hours and won't pursue legal action against good-faith research that follows our disclosure policy.

Current subprocessors and the regions they operate in:

• Cloud hosting — application, database, object storage (us-east-1, eu-west-1).
• Email delivery — transactional and scheduled-report email (global).
• Error monitoring — application exceptions and traces (eu-central-1).
• AI model provider — natural language to SQL inference (us-east-1).

We'll update this list when it changes and give customers on annual plans 30 days' notice of a material new subprocessor.