App Security
How Simpl Desktop protects your database connections and data.
Overview
As a native desktop application, Simpl takes a fundamentally different approach to security: your credentials never leave your machine. There are no servers storing your connection strings, and your database queries go directly from your computer to your database.
The Desktop Advantage
Your Credentials Stay Local
Unlike web-based database tools, Simpl Desktop stores everything locally:
| Aspect | How It Works |
|---|---|
| Connection strings | Stored only on your device |
| Encryption | OS secure storage (safeStorage) when available |
| Database queries | Direct connection from your computer |
| Our servers | Never see your credentials or data |
This means:
- No server-side storage - We can't leak what we don't have
- No network hops - Your queries go directly to your database
- Full control - Your data stays under your control
Local Encryption
How Credentials Are Protected
Even on your local machine, your connection strings are encrypted using your operating system's secure credential storage.
When available, Simpl uses Electron's safeStorage API, which leverages your OS-level encryption:
| Platform | Storage Method |
|---|---|
| macOS | Keychain |
| Windows | DPAPI (Data Protection API) |
| Linux | Secret Service API (e.g., gnome-keyring) |
If safeStorage is unavailable on your system, Simpl falls back to file-based AES-256-GCM encryption with a locally-stored key.
| Aspect | Implementation |
|---|---|
| Primary | OS secure storage (safeStorage) |
| Fallback | AES-256-GCM with unique IV per connection |
| Key Size | 256 bits |
Your credentials are:
- Encrypted before being stored on disk
- Decrypted only when establishing connections
- Never transmitted to any external servers
Query Security
SQL Injection Prevention
Simpl uses multiple layers to prevent SQL injection:
- Identifier allow-listing - Table and column names are validated against the introspected schema
- PostgreSQL identifier quoting - All identifiers use proper quoting (
"schema"."table") - Parameterized queries - All user values are passed as parameters, never concatenated
Example
When you filter for name = "John":
-- What Simpl executes (safe)
SELECT * FROM "users" WHERE "name" = $1
-- Parameters: ['John']
-- NOT this (unsafe)
SELECT * FROM users WHERE name = 'John'
Query Timeouts
All queries have a 10-second timeout to prevent:
- Runaway queries from affecting database performance
- Connection pool exhaustion
- Hanging connections
Direct Database Connections
No Middlemen
When you connect to a database with Simpl:
- Your computer connects directly to your database server
- No proxy servers or intermediaries
- No data passes through our infrastructure
- Connection uses your database's native security (SSL/TLS)
Network Security
For maximum security, configure your database connection with:
- SSL/TLS connections - Add
?sslmode=requireto your connection string - IP allowlisting - Restrict database access to known IPs
- VPN/Private networks - Use private database endpoints when available
SSL Connection Example
postgresql://user:pass@host:5432/db?sslmode=require
SSL modes:
| Mode | Description |
|---|---|
require | Encrypt connection, don't verify certificate |
verify-ca | Verify server certificate is signed by trusted CA |
verify-full | Verify certificate and hostname |
Access Control
Database Credentials
Simpl connects using the credentials you provide. Access is limited by:
- Your database user's privileges
- PostgreSQL's built-in access control
- Your database's network policies
Recommendation
Create a dedicated database user for Simpl with appropriate permissions:
-- Example: Read-only access
CREATE USER simpl_readonly WITH PASSWORD 'secure_password';
GRANT CONNECT ON DATABASE mydb TO simpl_readonly;
GRANT USAGE ON SCHEMA public TO simpl_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO simpl_readonly;
For editing capability:
-- Example: Read-write access
CREATE USER simpl_readwrite WITH PASSWORD 'secure_password';
GRANT CONNECT ON DATABASE mydb TO simpl_readwrite;
GRANT USAGE ON SCHEMA public TO simpl_readwrite;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO simpl_readwrite;
What We Store
On Your Machine
| Data | Purpose | Protection |
|---|---|---|
| Connection strings | Database access | OS secure storage (safeStorage) |
| Schema cache | Performance | Local storage |
| Layout configs | User preferences | Local storage |
On Our Servers
| Data | Purpose |
|---|---|
| License key | Verify your purchase |
| Email address | Account management |
We do NOT store:
- Your database credentials
- Your database data
- Your query history
- Any information about your database contents
Best Practices
For Connection Credentials
- Use dedicated users - Don't use superuser/admin accounts
- Limit privileges - Grant only necessary permissions
- Rotate passwords - Update credentials periodically
- Use SSL - Enable encrypted connections
For Database Configuration
- Enable SSL - Require encrypted connections
- Allowlist IPs - Restrict network access
- Audit logging - Enable PostgreSQL logging
- Regular backups - Maintain backup strategy
Privacy
Data Privacy
Simpl Desktop is designed with privacy at its core:
- We never access your database data
- We can't see your connection information
- We don't analyze or mine your database contents
- Your queries are executed locally, not through our servers
Questions
For security-related questions:
- Email: hello@simpl.sh
Next Steps
- Return to the documentation hub
- Set up your first connection
- Contact support for help