Security

Enterprise-grade security, built in

Your data never leaves your database. Credentials are encrypted, queries are read-only, and results are never stored. Here's exactly how we keep your data safe.

  • Encryption: AES-256-GCM. Military-grade credential encryption
  • Query Safety: AST Validation. Every query parsed before execution
  • Data Storage: Zero Retention. Results streamed, never stored
  • Transport: TLS 1.2+. Encrypted in transit, always
  • Compliance: SOC 2 Ready. Working toward certification
  • AI Training: Never. Your data is never used to train models

AES-256-GCM Credential Encryption

Every database credential you provide is encrypted at rest using AES-256-GCM, the gold standard in symmetric encryption. Credentials are encrypted before storage and decrypted only in memory when establishing a database connection. Encryption keys are managed separately from encrypted data and rotated regularly.

  • 256-bit key length — the same standard used by governments and financial institutions
  • GCM mode provides both confidentiality and integrity verification
  • Keys stored in a separate key management system
  • Regular key rotation without service disruption
  • Credentials never logged in plaintext at any layer

SELECT-Only Query Enforcement

Every SQL query generated by the AI is validated at the Abstract Syntax Tree (AST) level before execution. We use sqlparse and sqlglot to parse queries and verify they contain only SELECT statements. Any query containing INSERT, UPDATE, DELETE, DROP, ALTER, TRUNCATE, CREATE, or any other write operation is rejected before it reaches your database.

  • AST-level parsing — not regex or string matching
  • Powered by sqlparse and sqlglot for maximum coverage
  • Blocks all DML/DDL operations: INSERT, UPDATE, DELETE, DROP, ALTER, TRUNCATE, CREATE
  • Prevents SQL injection through parameterized execution
  • Validates subqueries and CTEs recursively

No Raw Data Storage

Query results are streamed directly from your database to your browser using Server-Sent Events (SSE). We do not store, cache, or log the actual data returned by your queries. Once your session ends, the data exists only in your browser — we have no copy.

  • Real-time streaming via SSE — no intermediate storage
  • Results exist only in your browser session
  • No server-side caching of query results
  • No data logging or export to external services
  • AI sees only table metadata (names, types) — not your actual rows

Network Security

All communication is encrypted in transit using TLS 1.2 or higher. Connections between our servers and your databases also use encrypted channels. Our infrastructure runs on SOC 2-compliant cloud providers with network isolation, firewalls, and intrusion detection.

  • TLS 1.2+ for all browser-to-server communication
  • Encrypted connections to your databases
  • Network isolation and firewall rules
  • DDoS protection and rate limiting
  • Regular security patching and updates

Access Control & Authentication

Access to the Service is protected by secure authentication (Google OAuth or email/password with bcrypt hashing). Each user can only access their own database connections and query history. Internal access to production systems is strictly limited and audited.

  • OAuth 2.0 and bcrypt password hashing
  • Per-user isolation of database connections and data
  • Role-based access control for team features
  • Session management with secure, httpOnly cookies
  • Audit trail for all database connection changes

SOC 2 Readiness

We are actively working toward SOC 2 Type II certification. Our security practices are designed to meet the Trust Services Criteria for security, availability, and confidentiality. We conduct regular security reviews and penetration testing.

  • Security practices aligned with SOC 2 Trust Services Criteria
  • Regular internal security reviews and risk assessments
  • Third-party penetration testing
  • Incident response plan and procedures
  • Working toward formal SOC 2 Type II certification

Questions about security?

We take security seriously. Reach out to security@datologist.ai or get started to see our security in action.