Grafibase
Security & Compliance

Security at Grafibase

Security is foundational to Grafibase, not an afterthought. AES-256 encryption, role-based access controls, comprehensive audit logging, and MFA support — built in from day one.

AES-256
Encryption
SOC 2 Type II
In Progress
GDPR
Compliant
HIPAA
In Progress

Enterprise-Grade Security

Built into every layer of our platform

Encryption at Rest

All database credentials encrypted with AES-256-GCM using secure key derivation. Your sensitive data is protected with industry-leading encryption.

Authentication Options

Email/password with bcrypt hashing, Google OAuth, WebAuthn passkeys, and TOTP-based MFA compatible with all major authenticator apps.

Access Control

5 hierarchical roles (Viewer, Editor, Analyst, Admin, Owner) with fine-grained permissions across 10 protected resource types.

Audit Logs

40+ action types tracked with 7-year retention. Authentication, data changes, and security events — all logged with IP and user agent.

SSO/SAML (Business)

Enterprise single sign-on with your identity provider. Integrate with Okta, Azure AD, or Google Workspace.

Session Security

15-minute idle timeout, 5 concurrent session limit, and suspicious activity detection. Sessions auto-expire with full audit history.

Data Protection

Your data never leaves your control

We don't store your actual data. Queries run directly against your databases, and only credentials are stored (encrypted).

Query results are cached temporarily, never stored permanently. This means your sensitive data stays where it belongs — in your infrastructure.

How we handle your data:

Your Database
Data stays in your infrastructure
Grafibase (queries)
We run your queries and return results
Your Visualization
Beautiful dashboards powered by your data
Data stays in your DB
Only credentials stored
Temporary cache only
AES-256-GCM encryption

Role-Based Access Control

5 roles to match how your team works — from view-only to full control

Viewer

View dashboards and content

Editor

Create and edit visualizations

Analyst

Manage data sources and AI

Admin

Manage team and settings

Owner

Full organization control

Less access
More access
Infrastructure

Enterprise Infrastructure

Built for reliability, scale, and security from the ground up.

  • Enterprise-grade cloud hosting
  • Managed database with automatic backups
  • Global CDN for fast access worldwide
  • Automatic failover and redundancy

99.9% uptime SLA

Security Checklist

Comprehensive protection

Multiple layers of security ensure your data is always protected.

  • HTTPS everywhere
  • TLS 1.3 for data in transit
  • AES-256-GCM encryption at rest
  • Multi-tier rate limiting
  • Read-only query enforcement
  • Parameterized queries (SQL injection prevention)
  • Input validation with Zod schemas
  • Suspicious activity detection
  • Automated security scanning
  • Regular dependency updates

Compliance & Certifications

Meeting the highest standards for data protection

GDPR
Compliant
SOC 2 Type II
In Progress
HIPAA
In Progress
CCPA
Compliant

GDPR Compliant

Full implementation of GDPR data subject rights:

  • • Right of Access — full data export in JSON format
  • • Right to Erasure — scheduled deletion with 30-day grace period
  • • Consent management — 8 tracked consent types with version history

HIPAA (In Progress)

We're implementing HIPAA-compliant controls for healthcare organizations. Contact us to discuss your requirements.

SOC 2 Type II (In Progress)

We're actively pursuing SOC 2 Type II certification. Contact us for our current security documentation or to discuss your compliance requirements.

Audit Log
John Doe
Added data source
2 min ago
192.168.1.1
Jane Smith
Created board
15 min ago
192.168.1.2
Bob Johnson
Invited team member
1 hour ago
192.168.1.3
Alice Williams
Updated settings
3 hours ago
192.168.1.4
Audit Logs

Complete Visibility

Business Plan

Track every action in your organization with detailed audit trails.

  • Authentication events (login, logout, MFA)
  • Organization and member changes
  • Data source operations and queries
  • Content changes (boards, blocks, collections)
  • Security events and permission denials

7-year retention — meets HIPAA and SOC 2 requirements

Security FAQ

Common questions about security and data protection

Encrypted with AES-256-GCM using a secure encryption key stored in our environment. We never store plaintext credentials, and our encryption follows industry best practices.

No. Queries run directly against your database. Only query results are cached temporarily with a configurable TTL (time-to-live). Your actual data never persists in our systems.

Yes, as long as your database is accessible from the internet. We recommend using IP allowlisting for additional security. You can add Grafibase's IP addresses to your database firewall rules.

Only users you invite with appropriate roles. Grafibase staff cannot access your data without explicit permission for support purposes. All support access is logged in audit trails.

Yes! We welcome responsible security researchers. Email security@grafibase.com for details about our bug bounty program and responsible disclosure policy.

You can export all your dashboards and configurations. Since we don't store your actual data (it stays in your database), you maintain full control. We'll delete your account data within 30 days of cancellation.