Trust

Security

Last updated: July 6, 2026

1. Credential encryption

Datasource credentials are never stored in plain text. Every connection string, password, and API key is encrypted at rest with AES-256-GCM before it touches our database, and decrypted only in memory for the duration of a query. Credentials are never written to logs.

2. Encryption in transit

All traffic between your browser, our API, and your connected datasources is encrypted with TLS. In production, Caddy terminates TLS at the edge and automatically manages certificate renewal.

3. Query validation

InsightBase never runs an AI-generated query against your database without first validating it — Postgres-family queries go through EXPLAIN, MongoDB queries through a zero-row dry run. A query that fails validation is retried with the error fed back to the model, up to three times, before it is ever executed for real.

4. Tenant isolation

InsightBase is multi-tenant by design: every database query on user data is scoped by organization ID at the query level, not just the application level. One organization’s dashboards, datasources, and schema data are never reachable from another organization’s session.

5. Access control

Access tokens are short-lived JWTs; refresh tokens are single-use and rotated on every renewal, stored server-side in Redis and never exposed as anything but an httpOnly cookie. Within an organization, roles (owner, admin, member) gate who can invite members, manage datasources, or change billing.

6. Embedding & sharing

Dashboards shared via embed token or iframe use a separate, scoped credential that only grants read access to the specific dashboard it was issued for, with an optional expiry. Revoking a token takes effect immediately.

7. Infrastructure

The application runs as isolated containers behind a reverse proxy that handles TLS termination. Datasource connections are pooled per-connection and never shared across organizations.

8. Reporting a vulnerability

If you believe you’ve found a security issue, please email security@insightbase.io with details — we aim to acknowledge reports within one business day and do not take legal action against good-faith reporting.