Security Overview
AI for Database is designed with a security-first architecture. Your database credentials and query results are treated as sensitive data at every layer.
Core Security Principles
Read-only by default. AI for Database connects to your database with read-only permissions. The AI cannot modify, delete, or insert data. Even if a prompt injection were attempted, the database user does not have write privileges.
Minimal access. We recommend granting access only to the specific schemas and tables your team needs to query. Use schema filters in the connection settings to limit the AI's visibility.
Zero data retention. Query results pass through our servers but are not stored permanently. Results are cached in memory for the duration of your session and discarded afterward. On Enterprise plans, you can disable caching entirely.
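As an illustration of the read-only and minimal-access principles above, the following added example (not part of the original page or of the product's own tooling) provisions a database user that can only read one schema. It assumes PostgreSQL; the role, database, schema and owner names (`aifordb_reader`, `appdb`, `analytics`, `app_owner`) are hypothetical placeholders.

```sql
-- Assumption: PostgreSQL. All object names are hypothetical placeholders.

-- 1. Dedicated login role with no elevated attributes.
CREATE ROLE aifordb_reader LOGIN
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION
  PASSWORD 'REPLACE_WITH_GENERATED_SECRET';

-- 2. Close the default write path: PostgreSQL 14 and earlier let every role
--    create objects in schema "public" through the PUBLIC pseudo-role.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT CONNECT ON DATABASE appdb TO aifordb_reader;

-- 3. Expose a single schema, SELECT only. No INSERT/UPDATE/DELETE/TRUNCATE,
--    and no privileges on sequences or functions.
GRANT USAGE ON SCHEMA analytics TO aifordb_reader;
GRANT SELECT ON ALL TABLES IN SCHEMA analytics TO aifordb_reader;

-- 4. Tables that app_owner creates later become readable without re-granting,
--    so nobody is tempted to widen the grant to "make it work".
ALTER DEFAULT PRIVILEGES FOR ROLE app_owner IN SCHEMA analytics
  GRANT SELECT ON TABLES TO aifordb_reader;

-- 5. Guard rails. The grants above are the actual control; a session can
--    override default_transaction_read_only, so treat it as a second layer.
ALTER ROLE aifordb_reader SET default_transaction_read_only = on;
ALTER ROLE aifordb_reader SET statement_timeout = '30s';
ALTER ROLE aifordb_reader CONNECTION LIMIT 5;

-- 6. Verify. Every row returned should have privilege_type = 'SELECT' and
--    table_schema = 'analytics'.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'aifordb_reader'
ORDER BY table_schema, table_name;

-- Both checks should return false.
SELECT has_schema_privilege('aifordb_reader', 'analytics', 'CREATE') AS can_create_in_analytics,
       has_schema_privilege('aifordb_reader', 'public', 'CREATE')    AS can_create_in_public;
```

Run the verification queries again after schema migrations; a migration that issues a broad `GRANT` is the usual way a read-only role quietly gains write access.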
Encryption
In transit: All connections use TLS 1.2 or higher. Database connections, API calls, and browser sessions are all encrypted.
At rest: Database credentials are encrypted using AES-256. Encryption keys are managed through AWS KMS with automatic rotation.
Network Security
IP allowlisting: Our cloud product uses a fixed set of IP addresses for database connections. Allowlist these IPs in your database firewall for an additional layer of security. Find the current IPs in Settings > Connection Info.
SSH tunnels: Connect through a bastion host for databases in private networks. The tunnel encrypts all traffic between AI for Database and your bastion.
VPC peering: On Enterprise plans, connect your AWS VPC directly to ours for private network connectivity with no internet exposure.
AI and Data Privacy
Your database schema and query results are sent to the LLM provider (OpenAI or Anthropic) only during the query translation step. We use enterprise API agreements with both providers that guarantee:
- Your data is not used to train models.
- Your data is not logged or stored by the provider beyond the API call.
- All API traffic is encrypted with TLS.
On the self-hosted plan, you can use your own API keys or run a local model, ensuring data never leaves your infrastructure.
Compliance
AI for Database is SOC 2 Type II compliant and undergoes annual penetration testing. We also support:
- GDPR -- data processing agreements available
- HIPAA -- BAA available on Enterprise plans
- CCPA -- compliant with California privacy requirements