Security
Learn about DBCode's security architecture, data handling practices, and how your data stays private.
DBCode is designed with a local-first, privacy-focused architecture. Your database credentials, queries, and data never leave your computer. The only exceptions are two optional features—Secure Sharing and History Sync—both of which use zero-knowledge encryption where data is encrypted on your device before transmission.
Local-First Architecture
DBCode runs entirely within VS Code on your local machine. Here’s what that means for your data:
Your Data Stays on Your Computer
- Database connections are made directly from your computer to your database servers
- Query results are processed and displayed locally in VS Code
- Connection credentials are optionally stored on your device with multiple security options, or can be entered each session
- Query history and notebooks are saved to your local filesystem
No DBCode Servers in the Middle
Unlike cloud-based database tools, DBCode does not route your database traffic through our servers:
- We never see your database credentials
- We never access your databases
- We never receive your query results
- We have no ability to view your data
Your database connections go directly from VS Code on your machine to your database servers. DBCode is simply the interface that runs locally.
Credential Storage
DBCode offers multiple options for storing database credentials, all managed locally on your device:
- VS Code Secret Storage (default) - Credentials stored in your operating system’s secure keychain
- Encrypted Storage - Credentials encrypted with a passphrase you control
- Session-Only - Credentials kept in memory, cleared when VS Code closes
- No Storage - Enter credentials each time you connect
See Password Storage for detailed information on each option.
Optional Cloud Features
DBCode offers two optional features that transmit encrypted data to cloud storage. Both use zero-knowledge encryption—data is encrypted on your device before transmission, and we cannot decrypt it.
Secure Sharing
Secure Sharing lets you share query results with others using end-to-end encryption:
- Encryption happens on your computer - Data is encrypted using AES-256-GCM before it ever leaves your machine
- Only encrypted data is transmitted - We receive and store data we cannot decrypt
- You control the passphrase - The encryption key is derived from a passphrase that never leaves your computer
- Recipients decrypt locally - Data is decrypted on the recipient’s device, not our servers
- Automatic expiration - Shared data expires and is permanently deleted
Bring Your Own Storage
For organizations with strict data residency requirements, you can configure Secure Sharing to use your own S3-compatible storage:
- Use your own AWS S3 bucket
- Use any S3-compatible storage (MinIO, Backblaze B2, Cloudflare R2, etc.)
- Encrypted data never touches DBCode infrastructure
- Full control over data location and retention
See Secure Sharing for complete details.
History Sync
History Sync lets you sync your query history across devices with end-to-end encryption:
- Client-side encryption - History is encrypted on your device using AES-256-GCM before upload
- Zero-knowledge storage - Only encrypted data and an encrypted key envelope are stored; we cannot decrypt them
- Passphrase protected - Your passphrase never leaves your device and is never stored by us
- Multi-device support - Sync history across all your devices using the same passphrase
See History Sync for complete details.
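The Secure Sharing and History Sync sections above both describe AES-256-GCM encryption on the device with a passphrase-derived key, and History Sync mentions an encrypted key envelope. The following Node.js sketch is an added example of that general pattern, not DBCode's own code: the scrypt KDF and its parameters, the blob layout, the associated-data labels and every function name are assumptions, since the page does not specify them.

```javascript
// Added example (not DBCode code): passphrase-based envelope encryption with AES-256-GCM.
const crypto = require("node:crypto");

// Assumption: scrypt as the KDF; the page does not say how the key is derived.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// AES-256-GCM with a fresh 96-bit nonce; `label` is bound as associated data.
function seal(key, plaintext, label) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(label));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function unseal(key, box, label) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  decipher.setAAD(Buffer.from(label));
  decipher.setAuthTag(box.tag);
  // final() throws if the tag does not verify (wrong key or modified data).
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// A random data key encrypts the content; the passphrase-derived key only wraps
// that data key (the "envelope"). Everything returned here is safe to upload.
function encryptForUpload(passphrase, text) {
  const salt = crypto.randomBytes(16);
  const dataKey = crypto.randomBytes(32);
  return {
    salt,
    envelope: seal(deriveKey(passphrase, salt), dataKey, "key-envelope"),
    payload: seal(dataKey, Buffer.from(text, "utf8"), "payload"),
  };
}

function decryptDownload(passphrase, blob) {
  const dataKey = unseal(deriveKey(passphrase, blob.salt), blob.envelope, "key-envelope");
  return unseal(dataKey, blob.payload, "payload").toString("utf8");
}

function canDecrypt(passphrase, blob) {
  try { decryptDownload(passphrase, blob); return true; } catch { return false; }
}

// Constructed sample: the stored blob holds salt, nonces, tags and ciphertext only.
const sampleBlob = encryptForUpload("correct horse battery staple", "SELECT id FROM orders LIMIT 5;");
console.log(canDecrypt("correct horse battery staple", sampleBlob), canDecrypt("guess", sampleBlob));
```

Because the passphrase and the unwrapped data key exist only on the client, the storage side can neither read the payload nor alter it without the GCM tag check failing on download.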
Summary
| Feature | Data Location | DBCode Access |
|---|---|---|
| Database connections | Your computer | None |
| Query execution | Your computer | None |
| Query results | Your computer | None |
| Credentials | Your computer (optional) | None |
| Notebooks | Your computer | None |
| Secure Sharing (optional) | Cloud storage (encrypted) | Encrypted only - cannot decrypt |
| History Sync (optional) | Cloud storage (encrypted) | Encrypted only - cannot decrypt |
Bottom line: DBCode is a local tool. Your databases, credentials, and data stay on your machine. The only features that transmit data are Secure Sharing and History Sync—both optional, both encrypt data on your device before transmission, and both use zero-knowledge architecture where we cannot decrypt your data.