Security

Effective: May 2025

QueryCanary was built with the assumption that we're connecting to your most sensitive systems: your production databases. Here's how we take that responsibility seriously.

1. Credential Handling

All database and SSH credentials are encrypted at rest using strong symmetric encryption (AES-256).
We never store plaintext credentials. Decryption keys are stored separately and only used at runtime.
Credentials can be rotated or deleted at any time via the dashboard.

2. Infrastructure

Our application is hosted on Fly.io, which provides per-app isolation and encrypted networking.
All communication between QueryCanary and your databases is attempted over secure channels (SSH tunnels or SSL).

3. Data Access

We store only the results of the checks you define (e.g. “rows with null price: 12”).
We never copy, persist, or index the information not returned by your SQL queries.
Access to infrastructure and database connections is tightly restricted to the owner of the service.

4. Customer Responsibility

You should use read-only users when providing access to QueryCanary.
You should provide scoped down permission sets for QueryCanary, with ideally only access to the specific data you want to query.
We recommend restricting access to non-sensitive schemas and using network controls (VPN, firewalls, bastion hosts).
You can delete or rotate any credential at any time with immediate effect.

5. Incident Response

In the event of a security incident, we will notify affected customers promptly with an assessment and recommended actions.
We maintain internal monitoring, alerting, and audit logs to detect unauthorized access or behavior.

6. Third-Party Services

We rely on trusted infrastructure providers with their own strong security practices, including:

Fly.io — App hosting and isolated containers
SendGrid — Email alert delivery
Stripe — Payment processing

7. Questions?

Need a copy of our architecture, access controls, or responsible disclosure policy?

Email us at support@querycanary.com.