How to Secure Your Database Connection

Use a Dedicated Database User

Never connect the AI platform using your database root account or admin credentials. Create a dedicated user specifically for the AI connection with only the permissions it needs:

• Read-only access: Grant SELECT only if you want to use the AI for querying and analysis without any ability to modify data. This is the safest option for exploration and reporting.
• Read-write access: Grant SELECT, INSERT, UPDATE, and DELETE if you want to edit records through the web UI or use AI to clean data.
• Limited table access: Grant permissions only on specific tables rather than the entire database. If the AI only needs to query your products and orders tables, do not grant access to the users or payments tables.

In MySQL, create a dedicated user with: CREATE USER 'aiplatform'@'%' IDENTIFIED BY 'strongpassword'; GRANT SELECT ON mydatabase.products TO 'aiplatform'@'%';

In PostgreSQL: CREATE USER aiplatform WITH PASSWORD 'strongpassword'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO aiplatform;

Use SSL Encryption

All connections between the platform and your database should use SSL/TLS encryption. This prevents anyone intercepting network traffic from seeing your queries or data. Most managed database providers (AWS RDS, Supabase, Neon, PlanetScale) enable SSL by default. The platform supports SSL connections for both MySQL and PostgreSQL.

If your database requires a specific CA certificate for SSL verification, you can upload it in the connection settings. For AWS RDS, Amazon provides the RDS CA bundle that you can download and use.

Restrict Network Access

Your database should not accept connections from any IP address on the internet. Restrict inbound access to only the IP addresses that need to connect:

• AWS RDS: Configure the security group to allow inbound traffic on your database port (3306 for MySQL, 5432 for PostgreSQL) only from the platform's IP addresses.
• Self-hosted: Configure your firewall (iptables, ufw, or cloud provider firewall) to block all inbound database traffic except from known IPs.
• Managed providers: Most managed database services have an IP allowlist feature in their dashboard. Add the platform's IP addresses to the allowlist.

What the AI Can and Cannot See

The AI SQL assistant can only see tables and columns that the connected database user has permission to access. If you restrict the user to certain tables, the AI's schema scan will only show those tables. It cannot access, query, or even know about tables outside its permissions.

Your database credentials are stored encrypted in your account and are used only to establish the database connection. They are not shared with other users, used for any other purpose, or accessible through the platform's API.

Query results and schema information are used within your session only. The platform does not store copies of your database data, cache query results beyond the current session, or use your data to train AI models.

Additional Security Measures

• Use strong passwords. The database password should be at least 20 characters with a mix of letters, numbers, and symbols. Do not reuse passwords from other services.
• Rotate credentials periodically. Change the database password every 90 days. Update the connection settings in the platform after changing the password.
• Monitor access logs. Most database servers log all connections and queries. Review these logs periodically to ensure only expected activity is occurring.
• Use read-only replicas for AI. If your database supports read replicas (AWS RDS does), connect the AI to a read replica instead of the primary database. This prevents any possibility of write operations affecting your production data and isolates AI query load from your application.