Security
How we protect your data and privacy.
Security is the cornerstone of DBStudio. Our "Security by Design" approach ensures that you retain full control over your most sensitive asset: your data.
1. Secure Credential Management
Your database credentials (host, port, username, password) are encrypted locally and transmitted securely to DBStudio's servers for storage.
- The CLI agent reads these values from your local configuration or environment and encrypts them before transmission.
- All secrets are stored in an encrypted format, ensuring that your raw database credentials are never exposed in plain text.
- The server uses these credentials to authorize and orchestrate the secure bridge between your local agent and the web dashboard.
2. Encrypted Tunnels
All communication between your local agent and our web dashboard is encrypted using TLS 1.3. Even if someone were to intercept the bridge traffic, the data would be unreadable.
3. Data Privacy (The "No Storage" Policy)
DBStudio is a client, not a database host.
- We do not store your query results. Result sets are processed in memory and streamed directly to your browser.
- We do store metadata (query history, schema snapshots) to power version history, but these can be purged at any time.
4. Role-Based Access Control (RBAC)
For Team Workspaces, admins can precisely control who can view schema, execute queries, or manage connections. This prevents accidental data leaks or destructive actions by unauthorized team members.
5. API Keys
API keys are used to authenticate your local CLI agent and CI/CD pipelines.
- Encryption at Rest: All API keys are encrypted using AES-256 before being stored in our database, ensuring that even in the event of a data breach, the keys remain protected.
- Rotation and Revocation: You can rotate or revoke API keys at any time through the DBStudio settings. Rotating a key immediately invalidates the previous one and generates a new secret, allowing for seamless security updates without downtime.