Skip to main content
At a Glance: DataBrain uses bank-level AES-256 encryption, supports enterprise SSO and MFA, provides fine-grained access controls, and maintains SOC 2 Type II, ISO 27001, GDPR, and HIPAA compliance.
DataBrain implements comprehensive security measures across every layer to protect your data, users, and platform. Security is built into our DNA so you can focus on building great analytics with confidence.

​
πŸ† Compliance & Certifications

DataBrain Cloud is certified and compliant with major security and privacy standards:

SOC 2 Type II

Independently audited for security, availability, and confidentiality

ISO 27001/27002

International standards for information security management systems

GDPR

EU and UK General Data Protection Regulation compliant

HIPAA

Healthcare data protection compliance (with BAA available)
Additional Standards Supported:
  • CCPA - California Consumer Privacy Act
  • FERPA - Family Educational Rights and Privacy Act
  • GLBA - Gramm-Leach-Bliley Act
Self-Hosted Deployments: Compliance depends on your infrastructure configuration. DataBrain provides all the security features and controls needed to achieve these compliance standards.

​
πŸ”’ Data Protection

​
Encryption - Bank-Level Security

Industry Standard: We use the same AES-256 encryption used by banks and government agencies to protect your data.
Everything is encrypted when stored:
  • User credentials and passwords (hashed and salted)
  • Database connection strings and credentials
  • API keys and authentication tokens
  • Dashboard and metric configurations
  • Audit logs and activity records
Your data is encrypted on disk, in backups, and in our databases. Even if storage media is compromised, data remains protected.
All communications are encrypted:
  • Login and authentication requests
  • Dashboard and metric data transfers
  • API requests and responses
  • File uploads and downloads
  • WebSocket connections for real-time updates
We enforce HTTPS for all connections and use TLS 1.2 or higher with strong cipher suites.
Your passwords are never stored in plain text:
  • One-way hashing using industry-standard algorithms
  • Unique salt per password (even identical passwords have different hashes)
  • Cannot be decrypted by anyone, including DataBrain staff
  • Password resets create new passwords rather than retrieving old ones
This means your password is secure even if our database is compromised.

​
Database Connection Security

  • πŸ” SSL/TLS Encryption
  • 🌐 VPC Peering
  • πŸ‘οΈ Read-Only Access
All database connections are encrypted:βœ… PostgreSQL, MySQL, SQL Server with SSL/TLS
βœ… Snowflake and BigQuery (encrypted by default)
βœ… Redshift, Databricks, and all supported databases
DataBrain automatically uses encrypted connections when available

​
Multi-Tenant Data Isolation

Complete data separation for SaaS applications and multi-client environments:

Row-Level Security

Users see only their authorized data

Automatic Filtering

Applied automatically to all queries

Client Isolation

Complete separation by client ID
In a SaaS application:
  1. Generate guest token with unique client ID
  2. DataBrain automatically filters all data by that client
  3. Client A sees only Client A’s data
  4. Client B sees only Client B’s data
  5. Zero cross-client data access - complete isolation
No code changes required - filtering happens automatically at the database level.
Fine-grained data access control:
  • Filter data based on user attributes (role, department, region, etc.)
  • Applied automatically to all queries
  • Transparent to end users
  • Centrally managed and configured
Perfect for hierarchical access (managers see team data, directors see department data, etc.)

​
πŸ‘€ User Authentication

Choose the authentication method that fits your security requirements:

Email & Password

Traditional authentication with strong password policies and account protection

Single Sign-On (SSO)

Enterprise SSO with SAML, OIDC, Google Workspace, and Microsoft 365

One-Time Password (OTP)

Passwordless authentication via secure email codes

Multi-Factor Authentication

Additional security layer with authenticator apps, SMS, or email

​
Single Sign-On (SSO)

Connect DataBrain with your existing identity provider for centralized user management:
  • SAML 2.0
  • OpenID Connect
  • Google & Microsoft
Enterprise Identity Providers:βœ… Okta
βœ… Azure Active Directory
βœ… OneLogin
βœ… Auth0
βœ… Any SAML 2.0 compliant providerPerfect for large organizations with existing identity infrastructure.

​
Multi-Factor Authentication (MFA)

Highly Recommended: Enable MFA for all administrator accounts. MFA blocks 99.9% of automated attacks.
Time-based one-time passwords (TOTP):
  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • Any TOTP-compatible app
Works offline and can’t be intercepted. This is the most secure option.
Receive verification codes via text:
  • Works on any mobile phone
  • No app installation required
  • Good for occasional use
More convenient but less secure than authenticator apps.
Get verification codes via email:
  • No additional device required
  • Good for backup method
  • Delivered to your registered email
Convenient option for secondary authentication.

​
Session Management

Automatic session security keeps your account protected:
Sessions automatically refresh while you’re active - no interruptions to your work.
Automatic logout after 30 minutes of inactivity protects your account on shared devices.
Stay logged in on trusted devices for up to 7 days (optional feature).
Don’t use β€œRemember Me” on public or shared computers
View and manage active sessions across all your devices. Remotely log out from any device.

​
πŸ” Access Control & Permissions

DataBrain uses role-based access control (RBAC) to ensure users have appropriate access:
Principle of Least Privilege: Always grant the minimum permissions needed. Start with Viewer role and escalate only when necessary.

​
User Roles

  • πŸ‘οΈ Viewer
  • ✏️ Editor
  • βš™οΈ Admin
Perfect for: Stakeholders, executives, business usersβœ… Can Do:
  • View dashboards and metrics
  • Filter and explore data
  • Download reports and exports
  • Apply dashboard filters
❌ Cannot Do:
  • Create or edit content
  • Modify configurations
  • Manage users or settings
Use this role for users who only need to view and analyze data.

​
Custom Roles

Create custom roles for specific use cases:
  • Department-specific access - β€œSales Analyst” role with sales dashboard access only
  • Client-facing roles - Limited viewer with export restrictions
  • Temporary project access - Time-limited elevated permissions
  • Specialized workflows - Custom permission combinations
Document each custom role’s purpose and regularly review assignments.
Follow these guidelines:βœ… Start with standard roles (Viewer, Editor, Admin)
βœ… Grant minimum necessary permissions
βœ… Review permissions quarterly
βœ… Remove inactive accounts after 30 days
βœ… Document custom role purposes
βœ… Test permission changes before deployment

​
🎫 Token Management

DataBrain uses secure tokens for API access and embedded analytics:

API Tokens

For Backend Integration
  • Long-lived tokens for server applications
  • Scoped permissions (read, write, admin)
  • Production and test environments
  • Can be revoked instantly

Guest Tokens

For Embedded Dashboards
  • Short-lived tokens for end users
  • Automatic client data filtering
  • Domain whitelisting
  • Usage tracking and analytics

​
API Tokens

Security Critical: Never expose API tokens in frontend code, GitHub, or client-side applications. Always generate tokens on your backend server.
Step-by-step process:
  1. Navigate to Data Apps β†’ Select your app
  2. Click Generate API Token
  3. Set descriptive name (e.g., β€œProduction Dashboard API”)
  4. Choose scopes (read, write, delete)
  5. Set expiration date (recommended: 1 year)
  6. Copy token immediately - it won’t be shown again!
  7. Store securely in password manager or secrets vault
Use descriptive names like prod-dashboard-2024 to track token purposes
Grant only necessary permissions:
  • Read - View dashboards and metrics (for embedding)
  • Write - Create and modify content (for integrations)
  • Delete - Remove resources (use sparingly)
  • Admin - Full access (only for administrative tools)
Most embedding scenarios only need read permissions.
Keep your tokens secure:βœ… Store tokens in environment variables
βœ… Use separate tokens for dev/staging/production
βœ… Rotate tokens every 6 months
βœ… Revoke unused tokens immediately
βœ… Monitor token usage for anomalies
βœ… Never commit tokens to version control
If a token is compromised, revoke it immediately and generate a new one

​
Guest Tokens

For secure embedded analytics in customer-facing applications:
Built-in protection:
  • Domain Whitelisting - Only works on approved domains
  • Client Filtering - Automatic data filtering by client ID
  • Expiration Control - Set time limits (recommended: 1 year with auto-renewal)
  • Usage Tracking - Monitor access for billing and security
These features ensure each customer sees only their data.
Where to use guest tokens:βœ… Customer portals with personalized dashboards
βœ… Partner dashboards with specific metrics
βœ… Mobile app analytics integrations
βœ… Public reports on websites
βœ… Embedded analytics in SaaS applications
Generate guest tokens on your backend, not in frontend JavaScript
Restrict where dashboards can be embedded:
  • Specify exact domains: https://app.yourcompany.com
  • Support subdomains: https://*.yourcompany.com (use carefully)
  • Never use wildcard * for all domains
  • Always use HTTPS in production
Even if someone steals your guest token, they can’t use it on unauthorized domains.

​
πŸ›‘οΈ Platform Security

​
API Protection

Every API request is secured with multiple protection layers:

Authentication Required

All requests must be authenticated with valid tokens

HTTPS Only

TLS 1.2+ encryption enforced for all connections

Rate Limiting

Automatic protection against abuse and DDoS
Industry-standard HTTP security headers applied to all responses:
  • Strict-Transport-Security - Forces HTTPS connections
  • X-Frame-Options - Prevents clickjacking attacks
  • X-Content-Type-Options - Prevents MIME type sniffing
  • Content-Security-Policy - Controls resource loading
  • X-XSS-Protection - Enables browser XSS filters
These headers provide defense-in-depth protection against common web vulnerabilities.
Protects against abuse and ensures fair usage:
Request TypeTime WindowLimit
Login/Authentication1 minute30 requests
General API Calls2 minutes500 requests
Data Queries2 minutes500 requests
Need higher limits for your use case? Contact support to discuss custom rate limits.
Complete visibility into system activity:What’s logged:
  • User login/logout events
  • Permission changes
  • Data access patterns
  • API token usage
  • Configuration changes
  • Failed authentication attempts
Benefits:
  • Security monitoring and threat detection
  • Compliance and audit requirements
  • Troubleshooting and debugging
  • Usage analytics
Only administrators can access audit logs via Settings β†’ Audit Logs.

​
πŸ“Š Embedded Analytics Security

Secure your embedded dashboards with built-in protection:

​
Domain Whitelisting

Critical Security Control: Always restrict which domains can embed your dashboards. Never use wildcard * for all domains.
How to configure:
  1. Specify exact allowed domains in guest token settings
  2. Use HTTPS only (never HTTP in production)
  3. Be specific - avoid broad wildcards when possible
Examples: βœ… Good: https://app.yourcompany.com
βœ… Good: https://dashboard.yourcompany.com
⚠️ Use carefully: https://*.yourcompany.com (all subdomains)
❌ Never: * (all domains)
Test your configuration: Approved domains should load dashboards, unauthorized domains should be blocked

​
Client Data Isolation

Automatic data separation for multi-tenant applications:
Complete data isolation in 4 simple steps:
  1. Generate guest token with unique client ID on your backend
  2. Embed dashboard in your application with that token
  3. DataBrain filters all data automatically by client ID
  4. Client sees only their data - zero cross-client access
Zero configuration needed - filtering happens automatically at the database level
Why automatic client filtering matters:βœ… No manual filtering code needed
βœ… Impossible to bypass (enforced at database level)
βœ… Works across all queries automatically
βœ… Scales to thousands of clients
βœ… Complete data isolation guaranteedPerfect for SaaS applications where each customer needs isolated data.

​
πŸ–₯️ Self-Hosted Security

Additional security measures for self-hosted deployments:
Your Responsibility: For self-hosted installations, you’re responsible for infrastructure security. Follow these best practices to maintain a secure deployment.
Secure your server infrastructure:βœ… Keep OS and software updated with latest security patches
βœ… Configure firewall rules (allow only necessary ports)
βœ… Disable unnecessary services and features
βœ… Use SSH key authentication (disable password auth)
βœ… Implement fail2ban to block brute force attempts
βœ… Set up automatic security updates
βœ… Use strong, unique passwords for all accounts
Run security audits quarterly to identify vulnerabilities
Enforce encrypted connections:βœ… Use valid certificates from trusted CA (Let’s Encrypt is free)
βœ… Enable automatic certificate renewal
βœ… Support TLS 1.2 or higher only
βœ… Disable weak cipher suites
βœ… Enable HSTS header
βœ… Test SSL configuration regularly
Never use self-signed certificates in production
Protect your database:βœ… Use strong, unique passwords (20+ characters)
βœ… Enable SSL/TLS for all connections
βœ… Limit network access (whitelist IPs only)
βœ… Use read-only credentials for DataBrain
βœ… Encrypt data at rest
βœ… Set up automated daily backups
βœ… Test backup restoration monthly
Store database backups in a separate location from primary database
Stay informed about security events:System Monitoring:
  • CPU, memory, and disk usage
  • Network traffic patterns
  • Application error rates
  • Service health checks
Security Monitoring:
  • Failed login attempts
  • Unusual access patterns
  • Configuration changes
  • Certificate expiration
Set up email/SMS alerts for critical events.
Implement reliable backups:What to backup:
  • Database (all data)
  • Application files and configurations
  • User uploads and assets
  • SSL certificates
Backup schedule:
  • Full backup: Weekly
  • Incremental: Daily
  • Test restores: Monthly
Storage:
  • Encrypt all backups
  • Store off-site (different location/region)
  • Retain for 30+ days
  • Document restore procedures

Guest Token API

Learn how to generate secure guest tokens for embedded analytics

Proxy Authentication

Enhanced security by managing tokens on your backend server

Multi-Tenant Access Control

Implement complete data isolation for multi-tenant applications

API Documentation

Complete API reference with authentication examples

​
πŸ’¬ Need Help?

Security Questions

Contact DataBrain support for security assistance or to report security vulnerabilities

Compliance Discussions

Reach out to discuss SOC 2, HIPAA, GDPR, or other compliance requirements
Found a Security Issue?Report security vulnerabilities responsibly:
  • Contact DataBrain support immediately (cloud deployments)
  • Contact your security team (self-hosted deployments)
  • Do NOT publicly disclose vulnerabilities
  • Do NOT attempt to exploit vulnerabilities
Last Updated: December 2025 | Version: 2.0