Security
Last updated: May 2026
DBAudit is a tool that connects to production databases. That means we handle credentials that matter, and we treat them accordingly. This page describes how the product is built to handle your data, what we log, and how to reach us with security concerns.
1. What happens to your credentials
When you submit an audit, your credentials are encrypted with AES-256-GCM before being written to the database; the plaintext is never persisted. This covers API keys, connection strings, and any optional test-account passwords you provide. As soon as the job completes or fails, the encrypted payload is deleted. We retain scan metadata (project name, project URL, project ref, timestamps, and report data) so your dashboard history keeps working. Saved database presets likewise encrypt their stored connection identifiers and API keys (project URL, anon key, Firebase Web API key, and the like) at rest.
Error messages produced during a scan are sanitized before storage to strip any credential values that could appear in failure output.
2. Data isolation
Every query against audit jobs and reports is filtered by your user ID, not just the resource ID. The resource ID comes from the client; the user ID comes from the server-side session. Both must match for any read or write to proceed. Knowing another user's job identifier does not grant access to it.
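The ownership check this section describes, as an added example written for this page and not DBAudit's own code. It contrasts a lookup keyed on the client-supplied id alone with one that also requires the server-side session's user id, on both the read and the write path. The Map stands in for the audit jobs table, the `session` object for the server-side session, and the job records are constructed sample data.

```javascript
// Added example, not DBAudit's own code: ownership-scoped data access.
// `auditJobs` is a constructed in-memory stand-in for the audit jobs table;
// `session` stands in for the server-side session.
const auditJobs = new Map([
  ["job-a1", { ownerId: "user-1", projectName: "shop-prod", report: { findings: 3 } }],
  ["job-b2", { ownerId: "user-2", projectName: "crm-staging", report: { findings: 0 } }],
]);

// Unsafe pattern: trusts the client-supplied id on its own, so anyone who
// learns an id can read the row (an insecure direct object reference).
function getJobById(jobId) {
  return auditJobs.get(jobId) ?? null;
}

// Scoped pattern: both predicates must hold. Equivalent SQL would be
//   SELECT * FROM audit_jobs WHERE id = $1 AND owner_id = $2
// with $1 from the request and $2 from the session, never from the request.
function getJobForUser(session, jobId) {
  const job = auditJobs.get(jobId);
  if (!job || job.ownerId !== session.userId) return null; // same answer for "missing" and "not yours"
  return job;
}

// Writes go through the same check, so the update is a no-op unless the row is the caller's.
// Equivalent SQL: UPDATE audit_jobs SET project_name = $3 WHERE id = $1 AND owner_id = $2
function renameJobForUser(session, jobId, newName) {
  const job = getJobForUser(session, jobId);
  if (!job) return false;
  job.projectName = newName;
  return true;
}

// Handler sketch: the id comes from the route, the user from the session.
// A 404 for both "does not exist" and "not yours" avoids confirming that an id is live.
function handleGetJob(session, params) {
  const job = getJobForUser(session, params.jobId);
  if (!job) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: { id: params.jobId, projectName: job.projectName, report: job.report } };
}
```

The behavioural difference is easy to test: `getJobById("job-b2")` returns user-2's job to anyone, while `getJobForUser({ userId: "user-1" }, "job-b2")` returns null, and the rename is refused for the same caller.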
3. Service providers
DBAudit uses a small set of third-party providers to operate the service:
- Cloud hosting: production application and database infrastructure.
- Transactional email: account verification, auth, and contact delivery.
- Bot protection: abuse signals applied to signup.
- Payment processing: billing and subscription management.
The full sub-processor list with provider names is available in our Privacy Policy.
4. What we don't claim
- We are not SOC 2 certified or audited by a third party at this time.
- We do not publish a specific data residency commitment: where your data is stored depends on our infrastructure provider's region configuration.
- We are not a HIPAA business associate.
5. Responsible disclosure
If you find a security issue in DBAudit, please report it through our contact page or directly to our support address. Include a description of the issue, the steps to reproduce, and the potential impact. We ask that you do not run destructive tests against production infrastructure without prior coordination.
We will acknowledge valid reports and work to address confirmed issues. We do not currently operate a formal bug bounty program.