Security & Privacy
Your data security and privacy are our top priority. We've built AutoDBA with security-first principles from the ground up.
Zero Trust Data
No raw data leaves your network without explicit consent
Open Source
Diagnostic script is 100% open source for full transparency
Read-Only Access
SQL Server login requires read-only permissions only
Encryption
TLS 1.3 encryption for data in transit; AES-256 encryption for data at rest
What Data We Collect
Data We Collect (When You Explicitly Upload)
SQL Server Configuration
Version, edition, settings, and configuration parameters
Performance Metrics
Wait statistics, query plans, index usage, memory usage, and CPU metrics
Database Metadata
Table structures, index definitions, schema information (no data)
Error Logs
SQL Server error log entries (personally identifiable information removed)
Execution Plans
Query execution plans for analysis (table names and statistics, no actual data)
Data We Never Collect
Table Row Data
We never collect actual database records or row data
Query Text (Most)
Only anonymized query patterns are collected for analysis
Passwords & Credentials
Never collected or stored. The script uses read-only login credentials you provide
Personally Identifiable Information
No SSNs, email addresses, names, or other PII beyond your organization name
Connection Strings
Server names and connection details are anonymized in reports
User Information
We don't collect information about SQL Server users or their activities
Technical Security Measures
Encryption in Transit
All communication between your SQL Server and AutoDBA is encrypted using TLS 1.3 (or higher). This includes:
- HTTPS for all web API requests
- Encrypted snapshots in transit
- Encrypted report delivery
Encryption at Rest
Stored snapshots and reports are encrypted using AES-256 encryption. Database backups are encrypted separately.
Database Security
Our infrastructure uses industry-standard security practices:
- Database encryption with key rotation every 90 days
- Row-level security to ensure customers see only their data
- Regular automated backups with redundant storage
- Write-ahead logging for data integrity
Infrastructure & Access Control
We maintain strict access controls and infrastructure security:
- Hosted on secure cloud infrastructure (AWS with SOC 2 Type II compliance)
- Private VPC with no public internet exposure for databases
- Secrets management using AWS Secrets Manager
- Multi-factor authentication (MFA) required for all staff
- API key rotation and token expiration
- Rate limiting and DDoS protection
Application Security
Our application is built with security best practices:
- Input validation and SQL injection prevention
- Cross-site scripting (XSS) protection
- Cross-site request forgery (CSRF) tokens
- Security headers (CSP, X-Frame-Options, etc.)
- Regular security audits and penetration testing
- Dependency scanning for vulnerabilities
Required Permissions
SQL Server Login Requirements
The AutoDBA diagnostic script requires a SQL Server login with read-only access. Here are the specific permissions needed:
    -- Create a read-only login for AutoDBA (server level; replace the example password with your own)
    CREATE LOGIN AutoDBA_ReadOnly WITH PASSWORD = 'StrongPassword123!';

    -- Create a database user (run in each database to be analyzed)
    CREATE USER AutoDBA_ReadOnly FOR LOGIN AutoDBA_ReadOnly;

    -- Grant required permissions (read-only; server-level grants are run in master)
    GRANT VIEW ANY DEFINITION TO AutoDBA_ReadOnly;
    GRANT VIEW SERVER STATE TO AutoDBA_ReadOnly;

    -- Per-database permissions
    ALTER ROLE db_datareader ADD MEMBER AutoDBA_ReadOnly;

    -- Grant permission to read extended events (optional, for enhanced analysis)
    GRANT ALTER ANY EVENT SESSION TO AutoDBA_ReadOnly;
What these permissions allow:
- Reading schema information and metadata
- Viewing performance metrics and wait statistics
- Reading database statistics and index information
- Viewing execution plans
- Reading error logs
What these permissions do NOT allow:
- Modifying any database objects or data
- Creating, altering, or dropping tables, indexes, or stored procedures
- Accessing data in user tables
- Controlling server-level security or roles
- Shutting down the server or modifying configuration
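To confirm what the login can actually do once it exists, an administrator can list its grants, role memberships, and effective permissions. The T-SQL below is an added example, not part of AutoDBA's diagnostic script; it assumes the login name AutoDBA_ReadOnly from the statements above and is run by a sysadmin in each database where the user was created.

```sql
-- Added example: audit what AutoDBA_ReadOnly is allowed to do.
-- Run as a sysadmin, once per database where the user exists.

-- 1. Server-level permissions granted directly to the login
SELECT pr.name AS login_name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'AutoDBA_ReadOnly';

-- 2. Server role memberships (any row here goes beyond the grants above)
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = N'AutoDBA_ReadOnly';

-- 3. Database role memberships in the current database
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = N'AutoDBA_ReadOnly';

-- 4. Effective permissions, evaluated as the login itself
EXECUTE AS LOGIN = N'AutoDBA_ReadOnly';

SELECT 'SERVER' AS scope, permission_name
FROM sys.fn_my_permissions(NULL, 'SERVER')
UNION ALL
SELECT 'DATABASE', permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE')
ORDER BY scope, permission_name;

-- Spot checks: 1 = allowed, 0 = not allowed
SELECT
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT') AS can_select_db,
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'INSERT') AS can_insert_db,
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'ALTER')  AS can_alter_db,
    HAS_PERMS_BY_NAME(NULL, NULL, 'ALTER ANY EVENT SESSION') AS can_alter_event_sessions,
    HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER') AS can_control_server;

REVERT;
```

Compare the output with the two lists above. The rows to look at are db_datareader membership, which carries SELECT on the user tables and views of that database, and ALTER ANY EVENT SESSION, which permits creating, changing, and dropping Extended Events sessions.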
Compliance & Certifications
GDPR Compliant
AutoDBA fully complies with the General Data Protection Regulation (GDPR). We:
- Collect only necessary data with explicit consent
- Provide data portability and deletion on request
- Have a Data Processing Agreement (DPA) available
- Maintain records of processing activities
CCPA Compliant
AutoDBA complies with the California Consumer Privacy Act (CCPA) and CPRA. We:
- Respect consumer privacy rights
- Provide access and deletion mechanisms
- Disclose data collection and use practices
- Do not sell personal information
SOC 2 Type II
Our infrastructure is hosted on AWS, which is SOC 2 Type II certified. AutoDBA maintains:
- Security controls and monitoring
- Availability and operational excellence
- Processing integrity of systems
- Confidentiality of data
HIPAA Ready
While not all AutoDBA deployments are HIPAA-covered, we provide infrastructure that:
- Supports encrypted data handling
- Maintains audit logs for compliance
- Enables Business Associate Agreements (BAAs)
- Provides tools for data integrity verification
Security Incident Response
We take security seriously and are committed to transparency in case of any security incident. Our incident response procedure includes:
Detection & Containment
- Continuous monitoring for suspicious activity
- Immediate incident isolation
- Forensic investigation
Notification & Recovery
- Customer notification within 48 hours
- Detailed incident report
- Remediation and prevention measures
For security incidents or responsible disclosure, please contact our security team at security@autodba.io.
More Questions?
For more details about how we handle your data, please review our Privacy Policy and Terms of Service.