Skip to main content

Security

FoundryDB layers security across every tier: network access control, TLS encryption in transit, AES-256 encryption at rest, role-based access control, and scoped API tokens. Each layer is independent; a compromise of one does not bypass the others.

TLS

All database connections are encrypted with TLS. Certificates are provisioned automatically via Let's Encrypt and renewed before expiry. No manual certificate management is required.

Connect using your system's CA bundle:

# PostgreSQL
sslmode=verify-full

# MySQL
--ssl-mode=REQUIRED

# MongoDB
tls=true

# Valkey
--tls (port 6380)

Encryption at Rest

All storage volumes are encrypted with AES-256 by default. This includes database storage, backup storage, and system volumes. Backups are additionally encrypted with AES-256-GCM before upload to object storage. All stored credentials and tokens are encrypted with AES-256-GCM. See TLS & Encryption for details.

Authentication

The FoundryDB API uses HTTP Basic Auth. Use strong, unique passwords and rotate them regularly via the API:

curl -u admin:password -X PATCH \
https://api.foundrydb.com/managed-services/{id}/database-users/{username} \
-H "Content-Type: application/json" \
-d '{"password": "new_password"}'

Network Access Control

Services reject all connections by default. The network model rests on two complementary rules:

  1. Cloud-edge allowlist: inbound public connections are accepted only if the source IP matches the service's allowed_cidrs list. Everything else is dropped before reaching the database.
  2. Private SDN for internal traffic: replication, east-west attachments, and platform-internal communication travel over a private software-defined network that is never exposed to the public internet.
Allowlist, default-deny, and the private SDN path
Allowlist accepts · default-deny drops · SDN stays internal
Allowed clientin allowed_cidrs✓ accept →Firewalldefault-deny→ TLS :5432Serviceexposed port✕ other IP dropped⇢ SDN peer bypasses edge
Accepted (IP in allowlist)Dropped (default-deny)Cloud-edge firewallPrivate SDN (dashed)

Explicitly allow the IP ranges that need access:

curl -u admin:password -X PATCH https://api.foundrydb.com/managed-services/{id} \
-H "Content-Type: application/json" \
-d '{"allowed_cidrs": ["203.0.113.10/32", "198.51.100.0/24"]}'

Use the narrowest CIDR ranges possible. Avoid 0.0.0.0/0. See Network Security for the full allowlist reference.

Database Users

Each service supports multiple database users with separate credentials:

# Create a read-only user
curl -u admin:password -X POST \
https://api.foundrydb.com/managed-services/{id}/database-users \
-H "Content-Type: application/json" \
-d '{"username": "readonly", "role": "readonly"}'

Credentials are never stored in plaintext. Use the reveal-password endpoint to retrieve them once.

Role-Based Access Control

Organization membership is governed by four roles: owner, admin, developer, and viewer. Each role determines which API endpoints a member can call and which dashboard sections they can access. See Members and Roles for the full permission matrix.

API Token Scopes

API tokens can be restricted to a precise set of permissions using family:level scopes, so a CI pipeline or monitoring system only gets the access it needs. Scope families are services, backups, pipelines, webhooks, and billing. Levels are cumulative: write includes read; admin includes write. A request whose required scope exceeds the token's grants is rejected with 403 insufficient_scope. Organization owners can review and revoke member tokens. See API Token Scopes for the full scope reference and example recipes.

Compliance Reports

Any organization member can request a signed compliance report summarizing security posture, encryption status, backups, and EU residency across every service. The report is signed with an Ed25519 key and can be independently verified and used as audit evidence. Supported frameworks: SOC 2, GDPR Article 30 ROPA, DORA, and EU AI Act. See Signed Compliance Reports for the schema and verification steps.

Audit Logs

All API actions are logged with timestamp, actor, and IP address. Access audit logs:

curl -u admin:password "https://api.foundrydb.com/audit-logs?service_id={id}&limit=100"

Security Model Summary

LayerMechanism
NetworkCloud-edge allowlist (allowed_cidrs), default-deny baseline, private SDN for internal traffic
TransportTLS 1.2/1.3 on all database connections and API calls, auto-renewed Let's Encrypt certificates
StorageAES-256 block-level encryption on all volumes; AES-256-GCM for backups and credentials
AuthenticationHTTP Basic Auth for the API; database users have per-service credentials
AuthorizationFour-role RBAC for members; family:level scoped API tokens
AuditabilityImmutable audit log for every API action; signed compliance reports for formal evidence