Security

Understand SerenDB's security features, compliance certifications, and best practices for protecting your data.

Overview

Security is fundamental to SerenDB's architecture. This section covers how we protect your data, compliance certifications, and best practices for securing your applications.

Security Features

Data Encryption

Encryption at Rest

• All data encrypted on disk using AES-256

• Automatic key management

• No configuration required

• Applies to databases, backups, and replicas

Encryption in Transit

• TLS 1.2+ for all connections

• Certificate verification supported

• Secure websocket connections

• HTTPS for management API

Network Security

IP Allow Lists

Restrict database access to specific IP addresses or ranges.

Benefits:

• Prevent unauthorized access

• Compliance requirements

• Defense in depth

• Geographic restrictions

See: IP Allow

Private Networking

Connect SerenDB to your private network infrastructure.

Features:

• VPC peering

• AWS PrivateLink

• No public internet exposure

• Enhanced security posture

See: Private Networking

Access Control

Authentication

• Password authentication

• Passwordless authentication with WebAuth

• SSO integration (Enterprise)

• API key management

Authorization

• PostgreSQL role-based access control (RBAC)

• Fine-grained user permissions

• Organization and project-level access

• Read-only roles

See: Database Access | User Permissions

Row-Level Security (RLS)

Implement granular data access control at the row level.

Use cases:

• Multi-tenant applications

• User data isolation

• Privacy compliance

• Data API security

See: Row-Level Security | RLS Tutorial

Protected Branches

Prevent accidental deletion or modification of critical branches.

Features:

• Prevent deletion

• Prevent compute configuration changes

• Protect production data

• Audit trail

See: Protected Branches

Compliance & Certifications

SOC 2 Type II

SerenDB is SOC 2 Type II certified, demonstrating:

• Security controls

• Availability guarantees

• Confidentiality measures

• Processing integrity

• Privacy protections

HIPAA Compliance

HIPAA-eligible architecture for healthcare applications.

Requirements:

• Business Associate Agreement (BAA) available

• Encryption at rest and in transit

• Access controls and audit logging

• Enterprise plan required

See: HIPAA

GDPR Compliance

Built with privacy regulations in mind:

• Data processing agreements

• Right to erasure support

• Data portability

• EU data residency options

Security Best Practices

Application Security

Connection Security

1. Use TLS: Always enable SSL/TLS for connections

2. Verify certificates: Enable certificate verification

3. Secure credentials: Use environment variables, never commit secrets

4. Rotate passwords: Regularly update database passwords

5. Minimum privileges: Grant only necessary permissions

API Security

1. Protect API keys: Store securely, rotate regularly

2. Use scoped keys: Create keys with minimum required permissions

3. Monitor usage: Track API key usage for anomalies

4. Expire unused keys: Remove keys no longer needed

Application Code

1. Parameterized queries: Prevent SQL injection

2. Input validation: Sanitize all user input

3. Error handling: Don't expose sensitive information in errors

4. Audit logging: Log security-relevant events

5. Dependency scanning: Keep dependencies updated

Database Security

User Management

1. Separate users: Different users for different applications

2. Read-only users: For analytics and reporting

3. No superuser access: Use regular roles when possible

4. Regular audits: Review user access periodically

Data Protection

1. Implement RLS: For multi-tenant applications

2. Encrypt sensitive data: Application-level encryption for PII

3. Mask sensitive data: In non-production environments

4. Regular backups: Ensure disaster recovery capability

5. Test restores: Verify backup integrity

Network Security

Access Control

1. Use IP Allow: Restrict access by IP

2. VPN or PrivateLink: For production workloads

3. Minimal exposure: Don't expose databases publicly

4. Firewall rules: Layer network security

Monitoring

1. Connection logs: Monitor connection attempts

2. Query patterns: Identify suspicious activity

3. Failed authentications: Alert on repeated failures

4. Resource usage: Detect abnormal patterns

Incident Response

Security Monitoring

SerenDB continuously monitors for:

• Unusual access patterns

• Failed authentication attempts

• Performance anomalies

• Infrastructure security events

Reporting Security Issues

If you discover a security vulnerability:

1. Do not open a public issue

2. Email security team (see contact info)

3. Provide detailed description

4. Include steps to reproduce

5. Allow time for remediation

See: Security Reporting

Security Updates

• Regular platform updates

• Automatic security patches

• PostgreSQL security updates

• Extension security fixes

AI-Specific Security

When using SerenDB with AI applications:

1. Sanitize embeddings: Prevent embedding injection

2. Rate limit AI queries: Prevent abuse

3. Audit AI access: Log AI agent queries

4. Isolate AI data: Separate AI workloads when needed

See: AI Use in SerenDB

Acceptable Use Policy

Review our acceptable use policy to understand:

• Permitted uses

• Prohibited activities

• Resource limits

• Enforcement procedures

See: Acceptable Use Policy

Compliance Resources

• Security Overview: Comprehensive security architecture

• Compliance: Certifications and standards

• HIPAA: Healthcare-specific compliance

Security Checklist

Before going to production:

• Enable TLS for all connections

• Implement IP Allow or Private Networking

• Configure strong passwords

• Set up proper user roles and permissions

• Implement Row-Level Security if multi-tenant

• Enable protected branches for production

• Set up monitoring and alerting

• Review and test backup procedures

• Implement connection pooling

• Enable query logging for audit trail

• Review compliance requirements

• Train team on security best practices

Security is a shared responsibility. SerenDB provides the platform security, while you're responsible for application-level security and access management.