Security

TLS

All database connections are encrypted with TLS. Certificates are provisioned automatically via Let's Encrypt and renewed before expiry — no manual certificate management required.

Connect using your system's CA bundle:

# PostgreSQL
sslmode=verify-full

# MySQL
--ssl-mode=REQUIRED

# MongoDB
tls=true

# Valkey
--tls (port 6380)

Encryption at Rest

All storage volumes are encrypted with AES-256 by default. This includes database storage, backup storage, and system volumes. Backups are additionally encrypted with AES-256-GCM before upload to object storage. All stored credentials and tokens are encrypted with AES-256-GCM. See TLS & Encryption for details.

Authentication

The FoundryDB API uses HTTP Basic Auth. Use strong, unique passwords and rotate them regularly via the API:

curl -u admin:password -X PATCH \
  https://api.foundrydb.com/managed-services/{id}/database-users/{username} \
  -H "Content-Type: application/json" \
  -d '{"password": "new_password"}'

Network Access Control

Services reject all connections by default. Explicitly whitelist the IP ranges that need access:

curl -u admin:password -X PATCH https://api.foundrydb.com/managed-services/{id} \
  -H "Content-Type: application/json" \
  -d '{"allowed_cidrs": ["203.0.113.10/32", "198.51.100.0/24"]}'

Use the narrowest CIDR ranges possible. Avoid 0.0.0.0/0.

Database Users

Each service supports multiple database users with separate credentials:

# Create a read-only user
curl -u admin:password -X POST \
  https://api.foundrydb.com/managed-services/{id}/database-users \
  -H "Content-Type: application/json" \
  -d '{"username": "readonly", "role": "readonly"}'

Credentials are never stored in plaintext. Use the reveal-password endpoint to retrieve them once.

Audit Logs

All API actions are logged with timestamp, actor, and IP address. Access audit logs:

curl -u admin:password "https://api.foundrydb.com/audit-logs?service_id={id}&limit=100"