Security

Cloud Platform

DBToAgent runs on Google Kubernetes Engine (GKE) in the us-central1 region. Our infrastructure leverages Google Cloud's enterprise-grade security, including:

• Kubernetes network policies for pod-to-pod isolation
• Private cluster networking with limited public access
• Automatic security patching for nodes and containers
• Google Cloud IAM for service-level access control
• Container Registry vulnerability scanning

Network Security

• TLS 1.2+ for all connections — API, web, and database
• Kubernetes Ingress with SSL termination via managed certificates
• CORS policies restricting API access to authorized origins
• Rate limiting to prevent abuse and DDoS
• Static egress IP for predictable, whitelistable database connections (Enterprise)

• Passwords are hashed using bcrypt with salt — we never store plain-text passwords
• JWT tokens with configurable expiration for session management
• Google OAuth 2.0 available as a passwordless login option
• Per-agent table permissions with three levels: read-only, read-write, and blocked
• SQL query parser independently validates every query against permission rules before execution — regardless of what the AI generates
• SSO integration available for Enterprise customers

Your Database Data

• Query results are streamed directly to your browser — they are not stored on our servers
• We cache only schema metadata (table names, column names, data types) to optimize agent performance
• AI Insights analyze aggregate patterns only — individual records are not exported or stored
• Database credentials are encrypted at rest and never exposed in logs or error messages

Session Storage Options

You control where your conversation data lives:

• Cloud storage — Sessions stored in our managed database (default)
• Your database — Sessions stored alongside your data in your own database
• Separate database — Sessions stored in a different database you control

Self-Hosted LLM

Enterprise customers can configure a self-hosted LLM so that no chat data ever leaves their infrastructure. Combined with the "your database" session storage option, this means zero data leaves your network.

• Destructive query prevention: DROP, TRUNCATE, ALTER, and other DDL statements are blocked by default, even with write permissions
• Query validation: Every AI-generated SQL query is parsed and validated before execution
• Table access enforcement: Blocked tables are invisible to the AI — it cannot reference them in prompts, queries, or responses
• Context isolation: Each agent has its own isolated context. Multi-tenant data is strictly separated at the application level

• Infrastructure runs on SOC 2 Type II certified Google Cloud Platform
• Payment processing via PCI DSS Level 1 compliant Stripe
• Self-hosted and on-premise deployment options for organizations with strict regulatory requirements
• Data residency: all processing in US-based data centers (custom regions available for Enterprise)

In the unlikely event of a security incident:

• Affected customers will be notified within 72 hours
• We will provide a detailed incident report including scope, impact, and remediation steps
• Ongoing status updates will be provided until the incident is fully resolved

If you discover a security vulnerability, please report it responsibly:

• Email: security@dbtoagent.com
• We will acknowledge receipt within 24 hours
• We commit to investigating and addressing all valid reports promptly
• We ask that you not publicly disclose the vulnerability until we have had a chance to address it