Security
How Simpl protects your database connections and data.
Overview
Security is fundamental to Simpl. We've designed the system with multiple layers of protection to keep your database credentials and data safe.
Connection Security
Credential Encryption
Your database connection strings are encrypted at rest using industry-standard encryption:
| Aspect | Implementation |
|---|---|
| Algorithm | AES-256-GCM |
| Key Size | 256 bits |
| IV | Unique per connection |
| Authentication | GCM authenticated encryption |
This means your credentials are:
- Encrypted before being stored
- Decrypted only when establishing connections
- Protected even if our database were compromised
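The properties in the table above can be seen in a short sketch. This is an added example, not Simpl's code: the function names, the stored layout (IV, then tag, then ciphertext) and the use of a connection id as additional authenticated data are assumptions made for illustration.

```javascript
// Added example, not Simpl's code. Assumed layout: iv(12) || tag(16) || ciphertext.
const crypto = require('node:crypto');

const IV_LEN = 12;   // 96-bit IV, the size GCM is designed around
const TAG_LEN = 16;  // 128-bit authentication tag

// Encrypt one connection string. A fresh random IV is drawn on every call,
// so two stored connections never share a key/IV pair.
function encryptConnectionString(key, plaintext, connectionId) {
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  // Assumption: bind the ciphertext to its record so it cannot be moved to another row.
  cipher.setAAD(Buffer.from(connectionId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

// Decrypt and authenticate. Throws if the blob, the key or the connection id
// differs from what was used at encryption time.
function decryptConnectionString(key, blob, connectionId) {
  if (blob.length < IV_LEN + TAG_LEN) throw new Error('blob too short');
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const ct = blob.subarray(IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(Buffer.from(connectionId, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Returns true when decryption is refused.
function isRejected(key, blob, connectionId) {
  try { decryptConnectionString(key, blob, connectionId); return false; }
  catch { return true; }
}

// Constructed sample: throwaway key and a made-up connection string.
const key = crypto.randomBytes(32); // 256-bit key; it must be kept outside the database it protects
const dsn = 'postgresql://app:example@db.internal:5432/mydb';
const blob = encryptConnectionString(key, dsn, 'conn-1');
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 1; // flip one ciphertext bit

console.log(decryptConnectionString(key, blob, 'conn-1') === dsn);
console.log(isRejected(key, tampered, 'conn-1'), isRejected(key, blob, 'conn-2'));
```

The "protected even if our database were compromised" property holds only while the key is stored separately from the encrypted rows.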
Connection Testing
Before saving a connection, Simpl tests it to verify:
- Network connectivity
- Authentication credentials
- Database accessibility
The test runs in a secure, isolated context, and credentials are not stored until the connection is confirmed.
Query Security
SQL Injection Prevention
Simpl uses multiple layers to prevent SQL injection:
- Identifier allow-listing - Table and column names are validated against the cached schema
- PostgreSQL identifier quoting - All identifiers use proper quoting ("schema"."table")
- Parameterized queries - All user values are passed as parameters, never concatenated
Example
When you filter for name = "John":
-- What Simpl executes (safe)
SELECT * FROM "users" WHERE "name" = $1
-- Parameters: ['John']
-- NOT this (unsafe)
SELECT * FROM users WHERE name = 'John'
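The three layers listed above can be combined in one query builder. This is an added example, not Simpl's code: the shape of the schema cache and the names `buildSelect`, `quoteIdent` and `own` are assumptions made for illustration.

```javascript
// Added example, not Simpl's code. The schema cache shape is an assumption.
// Constructed sample of a cached schema: schema -> table -> column names.
const schemaCache = { public: { users: ['id', 'name', 'email'] } };

// PostgreSQL identifier quoting: wrap in double quotes, double any embedded quote.
function quoteIdent(name) {
  return '"' + String(name).replace(/"/g, '""') + '"';
}

// Own-property lookup, so names such as "constructor" never match by accident.
function own(obj, key) {
  return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
}

// Build a filtered SELECT. Identifiers must exist in the cached schema;
// values never enter the SQL text, they are returned in the params array.
function buildSelect(cache, schema, table, filters) {
  const columns = own(own(cache, schema) || {}, table);
  if (!Array.isArray(columns)) throw new Error(`unknown table: ${schema}.${table}`);
  const params = [];
  const where = Object.entries(filters).map(([col, value]) => {
    if (!columns.includes(col)) throw new Error(`unknown column: ${col}`);
    params.push(value);
    return `${quoteIdent(col)} = $${params.length}`;
  });
  let text = `SELECT * FROM ${quoteIdent(schema)}.${quoteIdent(table)}`;
  if (where.length) text += ' WHERE ' + where.join(' AND ');
  return { text, params };
}

// Returns true when the builder refuses the request.
function isRefused(schema, table, filters) {
  try { buildSelect(schemaCache, schema, table, filters); return false; }
  catch { return true; }
}

// Constructed inputs: the page's filter, then a value carrying SQL metacharacters.
const safe = buildSelect(schemaCache, 'public', 'users', { name: 'John' });
const odd = buildSelect(schemaCache, 'public', 'users', { name: "x' OR '1'='1" });
console.log(safe.text, safe.params);
console.log(odd.text === safe.text); // the SQL text does not depend on the value
console.log(isRefused('public', 'users', { 'name" OR 1=1 --': 'x' }));
```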
Query Timeouts
All queries have a 10-second timeout to prevent:
- Runaway queries from affecting database performance
- Denial-of-service through complex queries
- Connection pool exhaustion
Access Control
Database Credentials
Simpl connects using the credentials you provide. Access is limited by:
- Your database user's privileges
- PostgreSQL's built-in access control
- Your database's network policies
Recommendation
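Create a dedicated database user for Simpl with only the privileges it needs. The grants below apply only to tables that already exist when they run; tables created later need a new grant.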
-- Example: Read-only access
CREATE USER simpl_readonly WITH PASSWORD 'secure_password';
GRANT CONNECT ON DATABASE mydb TO simpl_readonly;
GRANT USAGE ON SCHEMA public TO simpl_readonly;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO simpl_readonly;
For editing capability:
-- Example: Read-write access
CREATE USER simpl_readwrite WITH PASSWORD 'secure_password';
GRANT CONNECT ON DATABASE mydb TO simpl_readwrite;
GRANT USAGE ON SCHEMA public TO simpl_readwrite;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO simpl_readwrite;
User Isolation
Each Simpl user can only access:
- Connections they've created
- Data accessible through those connections
- Their own layout configurations
Data Handling
What We Store
Simpl stores:
| Data | Purpose | Protection |
|---|---|---|
| Connection strings | Database access | AES-256 encrypted |
| Schema cache | Performance | Refreshed hourly |
| Layout configs | User preferences | Per-user isolation |
| User accounts | Authentication | Managed by auth provider |
What We Don't Store
Simpl does NOT store:
- Your actual database data (we query on demand)
- Query results (fetched and displayed, not cached)
- Audit logs of your changes (use database-level auditing)
Data in Transit
All communication is encrypted:
- HTTPS for all web traffic
- TLS for database connections (when supported)
- No data sent to third parties
Network Security
Database Connection
For maximum security, consider:
- SSL/TLS connections - Add ?sslmode=require to your connection string
- IP allowlisting - Restrict database access to known IPs
- VPN/Private networks - Use private database endpoints
SSL Connection Example
postgresql://user:pass@host:5432/db?sslmode=require
SSL modes:
| Mode | Description |
|---|---|
| require | Encrypt connection, don't verify certificate |
| verify-ca | Verify server certificate is signed by trusted CA |
| verify-full | Verify certificate and hostname |
Infrastructure Security
Hosting
Simpl is hosted on secure, modern infrastructure:
- Regular security updates
- Network isolation
- Monitoring and alerting
Encryption at Rest
All data stored by Simpl is encrypted at rest:
- Database encryption
- Backup encryption
- File storage encryption
Best Practices
For Connection Credentials
- Use dedicated users - Don't use superuser/admin accounts
- Limit privileges - Grant only necessary permissions
- Rotate passwords - Update credentials periodically
- Use SSL - Enable encrypted connections
For Database Configuration
- Enable SSL - Require encrypted connections
- Allowlist IPs - Restrict network access
- Audit logging - Enable PostgreSQL logging
- Regular backups - Maintain backup strategy
For Your Team
- Individual accounts - Don't share Simpl logins
- Review access - Audit who has database connections
- Remove stale connections - Delete unused connections
Compliance
Data Privacy
Simpl is designed with privacy in mind:
- We don't access your database data except to serve your requests
- We don't share connection information with third parties
- We don't analyze or mine your database contents
Data Residency
Consider your data residency requirements:
- Simpl servers are located in [region]
- Database queries traverse the network to your database location
- Schema metadata is cached on our servers
Incident Response
If You Suspect a Breach
- Rotate credentials - Change your database password immediately
- Remove connection - Delete the connection from Simpl
- Audit access - Check your database logs
- Contact us - Reach out at security@simpl.sh
Reporting Security Issues
If you discover a security vulnerability:
- Email: security@simpl.sh
- Include details of the vulnerability
- Allow reasonable time for response before disclosure
Questions
For security-related questions:
- Email: security@simpl.sh
- Response within 48 hours for security inquiries