Security
FoundryDB layers security across every tier: network access control, TLS encryption in transit, AES-256 encryption at rest, role-based access control, and scoped API tokens. Each layer is independent; a compromise of one does not bypass the others.
TLS
All database connections are encrypted with TLS. Certificates are provisioned automatically via Let's Encrypt and renewed before expiry. No manual certificate management is required.
Connect using your system's CA bundle:
# PostgreSQL
sslmode=verify-full
# MySQL
--ssl-mode=REQUIRED
# MongoDB
tls=true
# Valkey
--tls (port 6380)
Encryption at Rest
All storage volumes are encrypted with AES-256 by default. This includes database storage, backup storage, and system volumes. Backups are additionally encrypted with AES-256-GCM before upload to object storage. All stored credentials and tokens are encrypted with AES-256-GCM. See TLS & Encryption for details.
Authentication
The FoundryDB API uses HTTP Basic Auth. Use strong, unique passwords and rotate them regularly via the API:
curl -u admin:password -X PATCH \
https://api.foundrydb.com/managed-services/{id}/database-users/{username} \
-H "Content-Type: application/json" \
-d '{"password": "new_password"}'
Network Access Control
Services reject all connections by default. The network model rests on two complementary rules:
- Cloud-edge allowlist: inbound public connections are accepted only if the source IP matches the service's
allowed_cidrslist. Everything else is dropped before reaching the database. - Private SDN for internal traffic: replication, east-west attachments, and platform-internal communication travel over a private software-defined network that is never exposed to the public internet.
Explicitly allow the IP ranges that need access:
curl -u admin:password -X PATCH https://api.foundrydb.com/managed-services/{id} \
-H "Content-Type: application/json" \
-d '{"allowed_cidrs": ["203.0.113.10/32", "198.51.100.0/24"]}'
Use the narrowest CIDR ranges possible. Avoid 0.0.0.0/0. See Network Security for the full allowlist reference.
Database Users
Each service supports multiple database users with separate credentials:
# Create a read-only user
curl -u admin:password -X POST \
https://api.foundrydb.com/managed-services/{id}/database-users \
-H "Content-Type: application/json" \
-d '{"username": "readonly", "role": "readonly"}'
Credentials are never stored in plaintext. Use the reveal-password endpoint to retrieve them once.
Role-Based Access Control
Organization membership is governed by four roles: owner, admin, developer, and viewer. Each role determines which API endpoints a member can call and which dashboard sections they can access. See Members and Roles for the full permission matrix.
API Token Scopes
API tokens can be restricted to a precise set of permissions using family:level scopes, so a CI pipeline or monitoring system only gets the access it needs. Scope families are services, backups, pipelines, webhooks, and billing. Levels are cumulative: write includes read; admin includes write. A request whose required scope exceeds the token's grants is rejected with 403 insufficient_scope. Organization owners can review and revoke member tokens. See API Token Scopes for the full scope reference and example recipes.
Compliance Reports
Any organization member can request a signed compliance report summarizing security posture, encryption status, backups, and EU residency across every service. The report is signed with an Ed25519 key and can be independently verified and used as audit evidence. Supported frameworks: SOC 2, GDPR Article 30 ROPA, DORA, and EU AI Act. See Signed Compliance Reports for the schema and verification steps.
Audit Logs
All API actions are logged with timestamp, actor, and IP address. Access audit logs:
curl -u admin:password "https://api.foundrydb.com/audit-logs?service_id={id}&limit=100"
Security Model Summary
| Layer | Mechanism |
|---|---|
| Network | Cloud-edge allowlist (allowed_cidrs), default-deny baseline, private SDN for internal traffic |
| Transport | TLS 1.2/1.3 on all database connections and API calls, auto-renewed Let's Encrypt certificates |
| Storage | AES-256 block-level encryption on all volumes; AES-256-GCM for backups and credentials |
| Authentication | HTTP Basic Auth for the API; database users have per-service credentials |
| Authorization | Four-role RBAC for members; family:level scoped API tokens |
| Auditability | Immutable audit log for every API action; signed compliance reports for formal evidence |