Security & Compliance

Enterprise-grade security with GDPR compliance

Last updated: March 2026

Security Measures

Authentication

  • Email and password authentication with secure hashing
  • Session-based authentication with secure cookie management

Access Controls

  • Role-based access control (RBAC) with admin and member roles
  • CASL-based fine-grained permissions
  • Organisation-scoped data isolation
  • Group-based visibility controls for dashboards and notebooks

Application Security

  • Secure session cookies with HttpOnly, Secure, and SameSite attributes
  • Security headers including HSTS and Content Security Policy (CSP)
  • Rate limiting to prevent abuse

Incident Response

  • Data breach notification to supervisory authorities within 72 hours
  • Prompt notification to affected individuals for high-risk breaches
  • Documented incident response procedures

Data Handling

We never store your data

Drizby connects directly to your databases and all queries pass through in real time. We never copy, cache, or store raw data from your database connections. The only data Drizby stores is its own application state: dashboard configurations, saved notebook queries and AI commentary, and user/group/team data. Notebooks store the queries themselves and may include summarised data in AI-generated markdown commentary, but never store raw query results. Your business data stays in your database at all times.

Bring your own AI key

AI features use your own API key for Claude, OpenAI, or Gemini. Queries go directly from your Drizby instance to your chosen AI provider. We never proxy, log, or have access to your AI interactions.

Dedicated Cloud instances

Every Drizby Cloud customer gets their own isolated instance. Your data is never shared, co-mingled, or accessible to other tenants. Each instance runs in its own container with its own storage.

Encryption at Rest

Application data (dashboard configs, notebooks, user data) is encrypted at rest. Self-hosted deployments use SQLite with optional ENCRYPTION_SECRET for secrets and filesystem-level encryption as configured by the operator. Drizby Cloud runs on UpCloud infrastructure with encrypted block storage.

Encryption in Transit

All communications are encrypted using TLS 1.2 or 1.3. HTTPS is enforced for all connections. HSTS headers ensure browsers always use secure connections.

Self-Hosted Option

With Drizby's self-hosted deployment, all data remains entirely on your infrastructure. No data is transmitted to Drizby or any third party. You maintain full control over your data, backups, and security configuration.

Compliance

Drizby Cloud leverages infrastructure providers with industry-leading compliance certifications:

UpCloud

Cloud infrastructure and server hosting for Cloud deployments (Helsinki, Finland)

ISO 27001 ISO 27017 ISO 27018 SOC 2

Stripe

Payment processing for Cloud subscriptions

PCI DSS Level 1 SOC 2

GDPR Compliance

Drizby is fully compliant with the EU General Data Protection Regulation. We implement data protection by design and by default, maintain records of processing activities, and uphold all data subject rights. See our Privacy Policy for full details.

MCP Security

Drizby's Model Context Protocol (MCP) server includes dedicated security measures for AI client integrations:

  • OAuth 2.1 Authentication: MCP clients authenticate using the OAuth 2.1 protocol with PKCE, ensuring secure authorisation flows.
  • Per-User Security Context: Every MCP request is executed within the authenticated user's security context, enforcing the same RBAC and data visibility rules as the web interface.
  • Token Management and Revocation: Access tokens are short-lived and refresh tokens can be revoked at any time through the settings interface. All tokens are securely stored and transmitted.

Vulnerability Reporting

We take security vulnerabilities seriously. If you discover a security issue in Drizby, please report it responsibly:

Security Team: security@guidemode.dev

Please include a detailed description of the vulnerability, steps to reproduce, and any potential impact. We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days.

We kindly ask that you do not publicly disclose vulnerabilities until we have had reasonable time to address them.

Open Source Transparency

Drizby is open-source software released under the MIT License. This means:

  • Full Code Visibility: The entire application codebase is publicly available for review on GitHub.
  • Self-Hosted Control: Deploy Drizby on your own infrastructure and maintain complete control over your data, security configuration, and network access.
  • Community Auditing: The open-source model allows security researchers and the community to inspect, audit, and contribute to the security of the platform.
  • No Vendor Lock-In: Your data and configuration are portable. You are never dependent on a third party to access your own analytics infrastructure.