Trust & Security

Your data stays on your machine.

Beekeeper Studio is a desktop application. By default, your database credentials, queries, and results stay on your computer - they never touch our servers. Cloud sync is opt-in, and even then your query results and database contents never leave your machine.

01 · Architecture

Your data stays on your machine.

By default, none of your sensitive data touches our infrastructure - Beekeeper Studio runs entirely on your computer. The one exception is opt-in cloud workspace sync, covered below. Here's what that means concretely.


Direct connection, no middleware

Beekeeper Studio connects straight from your computer to your database. No proxy servers. No data routing through third parties.

  • No proxy or relay servers in between
  • Queries run directly against your DB
  • Results fetched straight to your machine
  • Browsing & editing happens locally
  • Import / export reads & writes your disk

What we never see

Zero telemetry on database activity. The queries you run and the data you touch are never reported to us.

  • No query logging
  • No result caching
  • No database contents
  • No schema knowledge

Fully offline capable

Beekeeper Studio works with no internet connection. Every database operation runs entirely on your machine - including license validation if you need it.

  • All cloud features can be disabled
  • Air-gapped friendly
  • Offline license validation
  • Enterprise-policy enforceable

Choosing a cloud workspace (optional)

Workspace sync is opt-in. By default you work in a Local Workspace and nothing syncs. Switch to a cloud workspace and your connections and saved queries sync across your devices and team - everything else stays exactly where it was.

Syncs to our cloud
  • Connection settings and folders
  • Saved queries and preferences
Never syncs, on any plan
  • Query results
  • The data inside your databases

Synced workspace data is encrypted at rest, and saved passwords get an extra layer of field-level encryption (AES-GCM, 256-bit) before they ever reach our servers. All traffic runs over TLS.

02 · Desktop App

Desktop application security

Security practices built into the application itself - protecting every user regardless of plan.


Open Source

Dual-licensed under GPLv3 and a commercial license. Our source is public and community-auditable - you can verify exactly what runs on your machine.


Dependency Scanning

Automated Dependabot scanning on every repo. Critical vulnerabilities patched within 7 days, high within 30.

Vulnerability Policy

Code Signing

Windows binaries use an EV certificate, macOS builds are notarized with Apple, and Linux packages are GPG-signed. Your OS can verify authenticity automatically.

Binary Distribution Policy

Encrypted Credentials

By default, database credentials are encrypted and stored on your own machine. Opt into a cloud workspace and saved passwords are field-level encrypted (AES-GCM, 256-bit) before they sync.

Security Docs

Opt-In Telemetry Only

Anonymized usage statistics are opt-in. No query content or database data is ever collected.

Privacy Policy

Fully Offline Capable

All cloud features can be disabled for environments with strict security postures. Works with no internet - including offline license validation.

Configuration Docs

Enterprise Config Management

IT admins enforce machine-wide policies via system.config.ini - disable cloud, enforce PIN lock, control AI Shell access, and more.

Configuration Docs

SDLC & Audit Policies

Published policies for change management, code review, and business continuity. Vulnerability scanning with defined SLAs for critical, high, and medium issues.

Change Management Policy

Enterprise Auth & Connections

Azure Entra ID auth via the Azure CLI and AWS IAM via the AWS CLI. Connect through SSH tunnels and SSH jump hosts for layered network security.

Connection Docs

03 · Cloud Services

Cloud service security

For our optional cloud services - accounts, billing, and workspace sync - we maintain these practices.


Encryption

TLS everywhere. AES-256 at rest. Sensitive fields (like saved passwords) get an extra layer of field-level encryption (AES-GCM, 256-bit) before reaching the database. We never store payment card numbers.

Information Security Policy

Access Control

MFA required on all production systems. Super-admin actions are logged and alerted in real time. Background checks for all employees.

Access Review Policy

Incident Response

Published response plan with a 72-hour breach notification commitment. Cyber-liability insurance with $1MM in coverage.

Incident Response Plan

Backup & Recovery

Daily automated backups with 90-day retention. Quarterly restore tests verify recovery procedures work.

Disaster Recovery Plan

Monitoring

Security events logged with real-time alerting. Failed logins, admin access, and privilege changes monitored 24/7.

Logging & Monitoring Policy

04 · Sub-processors

Our infrastructure

Our cloud footprint is deliberately small. We don't operate data centers, manage VMs, or maintain network infrastructure of our own.

  • Hosting: Heroku - Managed platform. No self-managed servers.
  • Database: Heroku Postgres - Encrypted at rest. Daily backups, 90-day retention.
  • Payments: Stripe - PCI-DSS compliant. We never store card numbers.
  • Monitoring: Honeybadger + Papertrail - Errors & logs with real-time alerting.
  • Code: GitHub - Private repos with branch protection & code review.

For a full list of services that process data on our behalf, see our Subprocessor List.

05 · Compliance

Regulatory compliance

We support customers operating under these privacy and data-protection frameworks. Click through for our statement on each.

  • GDPR (EU)
  • CCPA (California)
  • COPPA
  • FERPA
  • NDPA
  • Virginia CDPA
  • Colorado Privacy Act
  • Utah Consumer Privacy Act

06 · Documentation

Read our policies

We publish our security policies because we believe transparency builds trust. These are the same documents our team follows day-to-day.

07 · Talk to us

Questions about security or compliance?

Whether you have questions, need to report a vulnerability, or want to discuss compliance requirements for your organization - we're easy to reach.

Direct channels
  • Report a vulnerability - same address, tag it [security]
  • Initial response within 1 business day