Security

Last Updated: March 26, 2025

Keeping your database environment and source code secure is critically important to us. This page outlines how we approach security for dba.

Please submit potential vulnerabilities and security-related questions to security@dba.ai.

Please note that we are still in the journey of growing our product and improving our security posture. If you're working in a highly sensitive environment, you should be careful when using dba (or any other AI tool).

Certifications and Third-Party Assessments

dba is SOC 2 Type 1 certified. Please email hi@dba.ai to request a copy of the report.

We commit to doing at-least-annual penetration testing by reputable third parties. Please email hi@dba.ai to request an executive summary of the latest report.

Infrastructure Security

We depend on the following subprocessors, organized from most critical to least. Note that data is sent to our servers to power all of dba's AI features.

• AWS Sees database and code data Our front-end and API application infrastructure are hosted on AWS. All servers are in the US.
• Tembo Cloud Stores metadata about system state Our API stores its data in Postgres databases supplied by Tembo Cloud, a powerful Postgres service that the dba team has seperately created and operates.
• Anthropic Sees database and code data We rely on many of Anthropic's models to give AI responses. We have a zero data retention agreement with Anthropic.
• LangFuse Sees database and code data We use Langfuse for traces, evals, prompt management and metrics to debug and improve our LLM processes.
• Sentry Sees no database or code data We use Sentry for exception tracking.
• Slack Sees no database or code data We use Slack as an internal communication tool. We may send snippets of prompts in our internal chats for debugging.
• Linear Sees no database or code data We use Linear as an internal communication tool. We may send snippets of prompts in our internal issues for debugging.
• Plausible Sees no database or code data We use Plausible for user analytics. No code data is stored with Plausible; only event data such as "number of page views" or "user actions".
• Stripe Sees no database or code data We use Stripe to handle billing. Stripe will store your personal data (name, credit card, address).
• Clerk Sees no database or code data We use Clerk to handle auth. Clerk may store some personal data (name, email address).

None of our infrastructure is in China. We do not directly use any Chinese company as a subprocessor, and to our knowledge none of our subprocessors do either.

We assign infrastructure access to team members on a least-privilege basis. We enforce multi-factor authentication for AWS. We restrict access to resources using both network-level controls and secrets.

AI Requests

To provide its features, dba makes AI requests to our server. This happens for many different reasons. For example, we send AI requests when you ask questions in chat, and we also send AI requests in the background for building up context or looking for issues to show you.

An AI request generally includes context such as your recently viewed files, your conversation history, and relevant pieces of code based on language server information. This code data is sent to our infrastructure on AWS, and then to the appropriate language model inference provider. Note that the requests always hit our infrastructure on AWS even if you have configured your own API key in the settings.

We currently do not have the ability to direct-route from dba to your enterprise deployment of OpenAI/Azure/Anthropic. We may be able to provide a self-hosted server deployment option.

You own all the code generated by dba.

Account Deletion

You can delete your account at any time in the Settings dashboard (click "Advanced" and then "Delete Account"). This will delete all data associated with your account. We guarantee complete removal of your data within 30 days (we immediately delete the data, but some of our databases and cloud storage have backups of no more than 30 days).

It's worth noting that if any of your data was used in model training (which would only happen if you were not on privacy mode at the time), our existing trained models will not be immediately retrained. However, any future models that are trained will not be trained on your data, since that data will have been deleted.

Vulnerability Disclosures

If you believe you have found a vulnerability in dba, please email security@dba.ai.

We commit to acknowledging vulnerability reports within 5 business days, and addressing them as soon as we are able to. We will publish the results in the form of security advisories on our GitHub security page. Critical incidents will be communicated both on the GitHub security page and via email to all users.