dbexpertAI

Security

Read-only. On-prem. Zero risk to production.

Every architectural decision in dbexpertAI answers to one constraint: connecting us to your database must be a no-risk action. Here is exactly what that means.

read-only

The agent cannot write

You create the credentials; they carry read permissions only. There is no code path in the agent that issues writes — safety by construction, not by configuration.

on-prem

Data stays home

The agent runs inside your network and detection paths execute locally. Table contents are never shipped out — in any configuration. At most, the analysis result leaves, and only if you opt into the SaaS layer.

deterministic

Auditable behavior

Detection paths are written-down diagnostic logic, not model weights. What the agent checks, in what order, is documented and reviewable — same input, same output.

The objection this page exists to kill

"You want to connect what to production?" is the right first question for any database tool. Our answer: an agent that (1) holds credentials which physically cannot mutate state, (2) runs on hardware you control, inside your perimeter, and (3) at most sends out conclusions — never contents. The blast radius of a compromised or misbehaving dbexpertAI agent is bounded by what a read-only user can see — and that bound is one REVOKE away from zero, entirely in your hands.

Deployment shape

One agent per network segment, deployed as a container or a systemd service. No inbound ports, no VPN peering, no agents on your application hosts, no schema changes, no query instrumentation.

Two shapes, and you choose:

Security FAQ

Asked by every security review

Can the agent write to my database?

No. The agent authenticates with read-only credentials that you create and control. Write access is not a permission we ask you to withhold — it is one the agent never has. Revoke the user and the agent is fully disconnected.

Does my data leave my network?

Your database contents — table rows, business data — never leave, in any configuration. Detection paths execute on-prem, where the data lives. The only thing that can leave is the analysis result itself (root cause, evidence summary, resolution steps), and only if you opt into the SaaS layer. Run the agent standalone and nothing leaves your perimeter at all.

What is the SaaS layer, and is it optional?

Entirely optional. It is what gives you chat, phone notifications, and access to your diagnoses from anywhere rather than only from inside your network. Enabling it means analysis results — never table contents — are transmitted to it. Decline it and dbexpertAI runs fully self-contained.

How are analysis results protected, and where are they hosted?

Encrypted in transit and at rest. Hosting can be pinned to your country for data-residency requirements. Talk to us about the specifics for your jurisdiction — regional hosting is arranged per customer.

What does the agent actually read?

System catalogs, statistics views, performance counters, configuration, and log-derived signals — the operational surface a DBA reads during an investigation. Detection paths target operational state, not your business rows.

Can diagnostics load my production database?

Detection paths are lightweight catalog and statistics reads, budgeted per cycle. They are the same queries a careful DBA runs on production systems — reading pg_stat_* views does not take locks on your tables.

Who sees my diagnoses?

Your team. We do not resell, aggregate, or train on your operational data.

Run it past your security team.

Send them this page. If they have a question it doesn't answer, we'll answer it directly — and add it here.

First database free. For life.

Runs on Windows, macOS and Ubuntu — inside your network, read-only. Enterprise fleet or want humans in the loop? Talk to us.