
Security

SchemaStack is built with security at its core. This page describes how we protect your account, your metadata, and your data.

Your Data Stays Yours

SchemaStack never stores your business data. We connect to your database and only store metadata — entity definitions, view configurations, and permissions. Your data remains in your infrastructure, under your control.

For details, see Data Ownership.

Infrastructure

Encryption in Transit

All connections between your browser, our API, and your database are encrypted with TLS. API requests are served exclusively over HTTPS.

Encryption at Rest

Sensitive data stored by SchemaStack is encrypted before it reaches the database:

  • TOTP secrets are encrypted with AES-256-GCM
  • Database credentials for workspace connections are encrypted at rest and masked in API responses
  • Backup codes are hashed with BCrypt (one-way, cannot be reversed)

Hosting

SchemaStack runs on AWS infrastructure in the EU (Frankfurt, eu-central-1). Services are deployed across managed compute (Lambda, Fargate) with no shared tenancy.

Authentication

Passwords

Passwords are hashed using BCrypt with a work factor of 12. Each password is salted individually. Plaintext passwords are never stored or logged.

JSON Web Tokens (JWT)

API authentication uses short-lived JWTs signed with an RSA key pair. Tokens carry scoped claims, including the organization context, and are validated on every request.

Two-Factor Authentication (2FA)

Users can enable TOTP-based two-factor authentication using any standard authenticator app. During setup, 10 single-use backup codes are generated and stored as BCrypt hashes. TOTP secrets are encrypted with AES-256-GCM before storage.

OAuth Single Sign-On

Sign in with Google or GitHub. OAuth tokens are used only for identity verification and are never persisted.

New Device Alerts

When a login occurs from an unrecognized device, a security alert email is sent with device type, IP address, and approximate location.

Session Management

Each login creates a tracked session with device information, IP address, and timestamps. You can view all active sessions and revoke any session instantly from your account settings. Revoked sessions are terminated immediately.

Access Control

SchemaStack enforces role-based access control (RBAC) across four levels:

Level        | Roles                         | Purpose
-------------|-------------------------------|-----------------------------------------------
Organization | Owner, Admin, Member          | Control over billing, members, and workspaces
Workspace    | Admin, Editor, Viewer, Member | Schema management and data access
View         | Admin, Editor, Viewer         | Fine-grained view permissions
Column       | Read, Write, Hidden           | Per-column visibility and edit control

Permissions are evaluated from the most specific level up. A view-level role overrides the workspace-level role, allowing both promotions and restrictions. Every API request is checked against the user's role and membership before processing.

View Settings

Each view has three flags that control what non-admin users can do with data:

Setting    | Effect when enabled
-----------|----------------------------------------------
Addable    | Editors can insert new rows
Editable   | Editors can edit, delete, and bulk-update rows
Exportable | Editors and Viewers can export data

View Admins bypass these settings entirely. When a setting is disabled, the corresponding actions are blocked at the API level — not just hidden in the UI.

Action               | Admin  | Editor              | Viewer
---------------------|--------|---------------------|--------------------
View data            | always | always              | always
Add rows             | always | requires Addable    | denied
Edit / delete rows   | always | requires Editable   | denied
Bulk update / delete | always | requires Editable   | denied
Export               | always | requires Exportable | requires Exportable

Multi-Organization Isolation

Users who belong to multiple organizations see only the data for the organization selected in their current token. Cross-organization data access is blocked at the API layer and covered by automated security tests.
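The evaluation order described above (most specific role wins, View Admins bypass the flags, organization isolation checked before anything else) as an added illustration; this is not SchemaStack's own code, and the function names and the treatment of the workspace Member role are assumptions.

```python
"""Permission evaluation as described on this page: the most specific role wins
(a view-level role replaces the workspace-level role), View Admins bypass the
view flags, and the token's organization must match the resource's organization.
Added illustration, not SchemaStack's own code; function names are assumptions."""
from dataclasses import dataclass
from typing import Optional

DATA_ROLES = ("Admin", "Editor", "Viewer")   # roles that appear in the action matrix

@dataclass(frozen=True)
class ViewSettings:
    addable: bool = False
    editable: bool = False
    exportable: bool = False

def effective_role(workspace_role: Optional[str], view_role: Optional[str]) -> Optional[str]:
    """Resolve from the most specific level up: a view role overrides the workspace
    role, so it can promote (Viewer -> Editor) or restrict (Editor -> Viewer)."""
    if view_role is not None:
        return view_role
    # Assumption: a workspace role outside the action matrix (e.g. Member) grants
    # no data access unless a view-level role has been assigned.
    return workspace_role if workspace_role in DATA_ROLES else None

def is_allowed(action: str, role: Optional[str], settings: ViewSettings) -> bool:
    """Apply the action matrix: flags gate Editors, Viewers can only view and export."""
    if role not in DATA_ROLES:
        return False                      # no resolvable role: deny
    if role == "Admin":
        return True                       # View Admins bypass the settings entirely
    if action == "view":
        return True                       # viewing is always allowed
    if action == "export":
        return settings.exportable        # Editors and Viewers alike
    if role != "Editor":
        return False                      # Viewers: add/edit/bulk are denied
    if action == "add":
        return settings.addable
    if action in ("edit", "delete", "bulk_update", "bulk_delete"):
        return settings.editable
    return False                          # unknown action: deny by default

def authorize(token_org: str, view_org: str, action: str,
              workspace_role: Optional[str], view_role: Optional[str],
              settings: ViewSettings) -> bool:
    """Full check in the order the page describes: organization isolation at the
    API layer first, then role and flag evaluation for the view."""
    if token_org != view_org:
        return False                      # cross-organization access is blocked outright
    return is_allowed(action, effective_role(workspace_role, view_role), settings)
```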

API Security

API Keys

Workspace API keys use an sk_ prefix and are generated from 256 bits of randomness. Only a SHA-256 hash is stored — the plaintext key is shown once at creation and cannot be retrieved afterward. Keys support optional expiration dates and read-only or read-write scopes, and can be rotated or revoked at any time.
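The key lifecycle just described (sk_ prefix, 256 random bits, hash-only storage, expiry, scope, revocation and rotation) as an added illustration; this is not SchemaStack's own code, and the in-memory store and function names are assumptions.

```python
"""Workspace API key lifecycle as described on this page: sk_ prefix, 256 bits of
randomness, only the SHA-256 hash persisted, optional expiry, read-only or
read-write scope, revocation and rotation. Added illustration, not SchemaStack's
own code; the in-memory store and the function names are assumptions."""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

@dataclass
class ApiKeyRecord:
    key_hash: str                   # hex SHA-256 of the plaintext, the only thing stored
    scope: str                      # "read" or "read-write"
    expires_at: Optional[datetime]  # None means no expiration
    revoked: bool = False

def hash_key(plaintext: str) -> str:
    return hashlib.sha256(plaintext.encode("ascii")).hexdigest()

def create_key(store: Dict[str, ApiKeyRecord], scope: str,
               expires_at: Optional[datetime] = None) -> str:
    """Return the plaintext exactly once: only its hash enters the store."""
    if scope not in ("read", "read-write"):
        raise ValueError("scope must be 'read' or 'read-write'")
    plaintext = "sk_" + secrets.token_hex(32)   # 32 bytes = 256 bits of randomness
    digest = hash_key(plaintext)
    store[digest] = ApiKeyRecord(digest, scope, expires_at)
    return plaintext

def authenticate(store: Dict[str, ApiKeyRecord], presented: str,
                 now: datetime, needs_write: bool) -> Optional[ApiKeyRecord]:
    """None rejects unknown, revoked or expired keys and read-only keys used for a write."""
    rec = store.get(hash_key(presented))
    if rec is None or rec.revoked:
        return None
    if rec.expires_at is not None and now >= rec.expires_at:
        return None
    if needs_write and rec.scope != "read-write":
        return None
    return rec

def revoke(store: Dict[str, ApiKeyRecord], key_hash: str) -> None:
    store[key_hash].revoked = True   # addressed by hash: the plaintext is not retrievable

def rotate(store: Dict[str, ApiKeyRecord], key_hash: str) -> str:
    """Issue a replacement with the same scope and expiry, then revoke the old key."""
    old = store[key_hash]
    new_plaintext = create_key(store, old.scope, old.expires_at)
    revoke(store, key_hash)
    return new_plaintext
```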

Input Validation

All API inputs are validated using Jakarta Bean Validation before reaching business logic. Database queries use parameterized statements (Hibernate ORM and JDBC PreparedStatement) throughout — raw string concatenation is never used in queries.

Rate Limiting

Request rates are configurable per subscription tier, per workspace, and per entity. Body size limits are enforced at the HTTP layer.

CORS

Cross-origin requests are restricted to explicitly configured origins per workspace. Preflight requests are handled automatically.

Webhook Verification

Inbound webhooks (payment provider callbacks) are verified using HMAC-SHA256 signature validation before processing.

Account & Data Protection

Email Verification

Account registration requires email verification via a 6-digit code with a 10-minute expiry and a maximum of 5 attempts.

Password Reset

Password resets use single-use, time-limited tokens delivered by email. Tokens expire after 1 hour.

Account Deletion

Account deletion follows a two-step confirmation flow: password verification followed by email confirmation. A 7-day grace period allows recovery before permanent deletion.

Privacy & Compliance

GDPR

  • Data separation — your business data never enters SchemaStack infrastructure, simplifying data processing agreements.
  • Consent tracking — all consent actions (terms of service, privacy policy, marketing) are logged with timestamp, IP address, and policy version.
  • Right to deletion — account deletion is self-service with a clear grace period.
  • Data residency — your data stays wherever your database is hosted. SchemaStack metadata is stored in the EU.

Audit Logging

Consent changes, session events, and administrative actions are recorded with full context for compliance purposes.

Responsible Disclosure

If you discover a security vulnerability, please report it to [email protected]. We take all reports seriously and will respond promptly.

SchemaStack Documentation