Security Overview

DBA SaaS is built with a security-first approach. Our fundamental design principle is that we never access your actual data. The platform collects only database metadata, performance metrics, and parameterized query patterns -- never table contents, row values, or personally identifiable information stored in your database.

This architecture means that even in the unlikely event of a security breach on our side, your business data remains protected in your infrastructure.

Data Protection

What We Collect

The DBA SaaS agent collects only the information needed to analyze performance and provide recommendations:

  • Query patterns — parameterized SQL statements (with all literal values replaced by placeholders). We see SELECT * FROM users WHERE id = $1, never the actual values.
  • Execution plans — query plans from pg_stat_statements showing how PostgreSQL processes queries
  • System metrics — CPU usage, memory, disk I/O, network throughput of the database server
  • PostgreSQL statistics — data from pg_stat_activity, pg_stat_user_tables, pg_stat_bgwriter, and related views
  • Configuration parameters — PostgreSQL settings relevant to performance tuning

What We Never Collect

  • Table data or row values
  • Query parameter values (bind variables)
  • Personally identifiable information (PII)
  • Authentication credentials stored in your database
  • Application-level data of any kind

Encryption

  • In transit — all communication between the agent and the DBA SaaS cloud uses TLS 1.3. Older TLS versions are not supported.
  • At rest — all stored data is encrypted using AES-256. Encryption keys are managed through a dedicated key management service with automatic rotation.

Data Residency

DBA SaaS offers data residency in two regions:

  • United States — data processed and stored in US-East (Virginia)
  • European Union — data processed and stored in EU-West (Frankfurt)

You select your data region during account setup. Data never leaves your selected region. Enterprise customers can request additional regions.

Agent Security

Read-Only Database Access

The DBA SaaS agent requires only the pg_monitor role, which provides read-only access to PostgreSQL statistics and monitoring views. The agent cannot modify data, execute DDL statements, or alter any database configuration.

Recommended setup:

  • Create a dedicated dbasaas database user
  • Grant only the pg_monitor role
  • Do not grant CREATE, INSERT, UPDATE, DELETE, or superuser privileges
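
One way to verify this setup after the fact, as an added example (not DBA SaaS code). It assumes the user is named dbasaas as suggested above; the two catalog queries and the audit_role helper are illustrative, and the sample rows are constructed.

```python
# SQL an administrator runs to collect the inputs; "dbasaas" is the user name
# suggested above. Results are passed to audit_role() as plain Python values.
ROLE_SQL = """
SELECT r.rolsuper, r.rolcreatedb, r.rolcreaterole,
       ARRAY(SELECT g.rolname FROM pg_auth_members m
               JOIN pg_roles g ON g.oid = m.roleid
              WHERE m.member = r.oid) AS member_of
  FROM pg_roles r WHERE r.rolname = 'dbasaas';
"""
GRANTS_SQL = """
SELECT table_schema, table_name, privilege_type
  FROM information_schema.role_table_grants WHERE grantee = 'dbasaas';
"""
# Write privileges the recommended setup says not to grant.
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE"}

def audit_role(role, table_grants):
    """role: dict built from ROLE_SQL; table_grants: rows from GRANTS_SQL."""
    findings = []
    # Superuser plus the role attributes that allow creating objects or roles.
    for attr in ("rolsuper", "rolcreatedb", "rolcreaterole"):
        if role.get(attr):
            findings.append(attr + " is set")
    members = set(role.get("member_of") or [])
    if "pg_monitor" not in members:
        findings.append("pg_monitor not granted")
    for extra in sorted(members - {"pg_monitor"}):
        findings.append("extra role membership: " + extra)
    for schema, table, priv in table_grants:
        if priv in WRITE_PRIVS:
            findings.append("%s on %s.%s" % (priv, schema, table))
    return findings

# Constructed sample rows (not taken from a real server).
GOOD = ({"rolsuper": False, "rolcreatedb": False, "rolcreaterole": False,
         "member_of": ["pg_monitor"]}, [])
BAD = ({"rolsuper": False, "rolcreatedb": True, "rolcreaterole": False,
        "member_of": ["pg_monitor", "app_owner"]},
       [("public", "users", "SELECT"), ("public", "users", "UPDATE")])

if __name__ == "__main__":
    print(audit_role(*GOOD) or "OK")
    print(audit_role(*BAD))
```

The grants query only reports privileges granted directly to dbasaas; privileges inherited through PUBLIC or through another role show up as an extra membership instead.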

Minimal Permissions Required

The agent needs access to the following, all of which are included in the pg_monitor role:

  • pg_stat_activity — current session information
  • pg_stat_statements — query statistics (if the extension is installed)
  • pg_stat_user_tables — table-level statistics
  • pg_settings — current configuration values (read-only)

Agent-to-Cloud Communication

The agent communicates with DBA SaaS using outbound HTTPS only. No inbound ports need to be opened on your servers or firewalls. The agent initiates all connections, pushing data to our collection endpoints.

  • Outbound HTTPS (port 443) to api.dbasaas.com
  • No inbound connections required
  • Certificate pinning to prevent man-in-the-middle attacks
  • Automatic reconnection with exponential backoff

Platform Security

SOC 2 Type II Compliance

DBA SaaS maintains SOC 2 Type II compliance, independently audited annually. Our controls cover security, availability, and confidentiality. Audit reports are available to Enterprise customers under NDA.

Single Sign-On (SSO)

Enterprise plans support SSO integration through:

  • SAML 2.0 — compatible with Okta, Azure AD, OneLogin, and other SAML identity providers
  • OpenID Connect (OIDC) — compatible with Google Workspace, Auth0, and other OIDC providers

Role-Based Access Control (RBAC)

Control who can access what within your DBA SaaS organization:

  • Owner — full access including billing, user management, and all agents
  • Admin — manage agents, pools, and team members. Cannot modify billing.
  • Member — view agents, metrics, and issues. Can acknowledge and resolve issues.
  • Viewer — read-only access to dashboards and metrics. Cannot modify any settings.

Roles can be scoped to specific agent pools, allowing teams to manage only the databases they are responsible for.

Audit Logging

All administrative actions are logged with full attribution:

  • User authentication events (login, logout, failed attempts)
  • Agent registration and deregistration
  • Pool creation, modification, and deletion
  • Role and permission changes
  • API token creation and revocation

Audit logs are retained for 90 days on Pro plans and 1 year on Enterprise plans. Logs can be exported to your SIEM or log management platform.

Vulnerability Disclosure Program

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to our security team. We commit to acknowledging reports within 24 hours and providing a resolution timeline within 72 hours. We do not pursue legal action against researchers who act in good faith.

Secure Deployment Guide

Network Isolation Recommendations

For maximum security, deploy the DBA SaaS agent in a network segment with the following properties:

  • The agent should have network access to your PostgreSQL instance on the database port (default: 5432)
  • The agent should have outbound HTTPS access to api.dbasaas.com on port 443
  • No other inbound or outbound access is required
  • Use a dedicated security group or firewall zone for the agent

Firewall Rules for Agent

Minimal firewall configuration:

  • Outbound allow — TCP 443 to api.dbasaas.com (resolved IPs are published on our status page)
  • Outbound allow — TCP 5432 (or your custom port) to your PostgreSQL server
  • Inbound deny — all. The agent does not accept any incoming connections.

Running Agent in Docker with Minimal Privileges

For containerized deployments, run the agent with restricted capabilities:

  • Use the official dbasaas/agent Docker image
  • Run as a non-root user (the image defaults to UID 1000)
  • Drop all Linux capabilities with --cap-drop=ALL
  • Set the filesystem to read-only with --read-only, mounting only /var/log/dbasaas and /etc/dbasaas as writable volumes
  • Set memory limits appropriate to your deployment (the agent typically uses less than 128 MB)
  • Use --network=host only if the agent needs to reach PostgreSQL on localhost; otherwise, use a dedicated Docker network
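
The checklist above, turned into a check over `docker inspect` output, as an added example (not DBA SaaS code). The audit_container helper, the network name dbasaas-net and the sample JSON are constructed for illustration; the JSON keys are the ones `docker inspect` emits for a container.

```python
import json

# Writable paths the list above permits when --read-only is set.
ALLOWED_WRITABLE = {"/var/log/dbasaas", "/etc/dbasaas"}

def audit_container(entry):
    """Return findings for one element of `docker inspect` JSON output."""
    cfg, host = entry.get("Config", {}), entry.get("HostConfig", {})
    findings = []
    # An empty User means neither the image nor the run command set one: root.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root")
    if "ALL" not in [c.upper() for c in host.get("CapDrop") or []]:
        findings.append("capabilities not dropped (--cap-drop=ALL)")
    if host.get("CapAdd"):
        findings.append("capabilities added back: " + ",".join(host["CapAdd"]))
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem writable (--read-only)")
    if not host.get("Memory"):  # 0 means unlimited
        findings.append("no memory limit")
    if host.get("NetworkMode") == "host":
        findings.append("host networking: confirm PostgreSQL is on localhost")
    for m in entry.get("Mounts") or []:
        if m.get("RW") and m.get("Destination") not in ALLOWED_WRITABLE:
            findings.append("unexpected writable mount: %s" % m.get("Destination"))
    return findings

# Constructed sample input, shaped like `docker inspect <container>` output.
SAMPLE = json.loads("""
[{"Config": {"User": "1000"},
  "HostConfig": {"CapDrop": ["ALL"], "CapAdd": null, "ReadonlyRootfs": true,
                 "Memory": 268435456, "NetworkMode": "dbasaas-net"},
  "Mounts": [{"Destination": "/var/log/dbasaas", "RW": true},
             {"Destination": "/etc/dbasaas", "RW": true}]},
 {"Config": {"User": ""},
  "HostConfig": {"CapDrop": null, "CapAdd": ["NET_ADMIN"], "ReadonlyRootfs": false,
                 "Memory": 0, "NetworkMode": "host"},
  "Mounts": [{"Destination": "/var/run/docker.sock", "RW": true}]}]
""")

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit_container(entry) or "OK")
```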

Pass configuration through environment variables (DBASAAS_API_KEY, DBASAAS_CONNECTION_STRING) or mount the configuration file as a read-only volume.