Text2SQL.ai logo

Security And Privacy Measures at Text2SQL.ai

Published on

Text2SQL.ai is designed with data protection and user privacy at its core. We understand that the security of your database information and queries is paramount. Below, we outline the measures we take to safeguard your data and ensure your privacy.

Data Storage and Encryption of Database Connection Information

  • Encrypted at Rest: We encrypt your database connection information at rest using strong encryption standards.
  • Separate Encryption Key Storage: The encryption key is stored on separate servers, adding an extra layer of security.
  • No Employee Visibility: Your confidential connection details are never exposed to any of our employees.

Database Schema Only

  • Schema Storage: We store only the schema (structure) of your database and do not retain actual data.
  • Chat Messages: We also store chat messages related to your SQL queries, so you can review them later.
  • Data Deletion: You can delete databases and chat messages at any time within the application.

Secure Query Execution

  • Isolated Server: All queries generated and run via Text2SQL.ai are executed on a secure, isolated server, separate from our primary application.
  • No Data Exposure: Since we only store schemas, your proprietary or sensitive data remains secure within your own systems.

Query Validation and Safe Mode

Text2SQL.ai includes Safe Mode (also referred to as readonly mode in technical contexts), an advanced query validation system that protects your database from accidental or malicious modifications through AI-generated SQL queries.

How Safe Mode Works

Safe Mode uses Abstract Syntax Tree (AST) parsing powered by industry-standard SQL parsing libraries to analyze the complete structure of every query before execution. This goes far beyond simple keyword matching:

  • Deep Query Analysis: Parses queries into their structural components to detect operations regardless of formatting or obfuscation
  • Dialect-Aware: Supports PostgreSQL, MySQL, SQL Server, Oracle, and other major SQL dialects with dialect-specific validation rules
  • Nested Query Support: Validates operations within subqueries, Common Table Expressions (CTEs), and complex nested structures
  • Instant Validation: Query parsing and validation happen in milliseconds with no noticeable performance impact

Allowed Operations (Read-Only)

When Safe Mode is enabled, the following query types are permitted:

  • SELECT Statements: All variations including joins, aggregations, window functions, and complex analytical queries
  • WITH Clauses (CTEs): Common Table Expressions for building complex read-only queries
  • EXPLAIN: Query execution plan analysis (without ANALYZE that modifies statistics)
  • SHOW Commands: Database metadata and configuration viewing (e.g., SHOW TABLES, SHOW DATABASES)
  • DESCRIBE/DESC: Table and column structure inspection

Blocked Operations (Data Modification & Schema Changes)

Safe Mode prevents any operation that could modify data or database structure:

  • Data Modification Language (DML): INSERT, UPDATE, DELETE, MERGE, REPLACE
  • Data Definition Language (DDL): CREATE, ALTER, DROP, TRUNCATE
  • Transaction Control Language (TCL): BEGIN, COMMIT, ROLLBACK, SAVEPOINT (when used to enable data modifications)
  • Data Control Language (DCL): GRANT, REVOKE
  • Administrative Commands: VACUUM, ANALYZE (operations with side effects), LOAD DATA

When a blocked operation is detected, users receive a clear error message identifying the specific SQL operation that was rejected and guidance on how to proceed if the operation is legitimately needed.

Security Benefits

Safe Mode provides multiple layers of protection:

  1. SQL Injection Prevention: AST parsing detects malicious SQL patterns that might bypass traditional keyword-based filters
  2. Data Integrity Protection: Prevents accidental data loss from misinterpreted natural language requests
  3. Compliance Support: Helps meet regulatory requirements for read-only access and audit trails (GDPR, HIPAA, SOC2)
  4. Multi-Tenant Safety: Provides an additional security barrier for platforms serving multiple users or organizations
  5. API Security: Protects databases when AI SQL generation is exposed through public or external APIs

Default Protection

Safe Mode is enabled by default for all new database connections and API requests, providing immediate protection without requiring configuration. This "secure by default" approach ensures that:

  • New team members can explore data safely without extensive database permissions training
  • External API integrations cannot accidentally modify production data
  • Business intelligence and analytics workflows remain strictly read-only
  • Experimental or AI-generated queries are automatically sandboxed

Controlling Safe Mode

While Safe Mode is enabled by default, you have full control over when it's active:

  • Connection-Level Control: Enable or disable Safe Mode for each database connection in your connection settings
  • API Parameter Control: Specify Safe Mode behavior via API request parameters when using the Text2SQL.ai API
  • Team-Level Defaults: Set organization-wide defaults for new connections (requires team administrator role)
  • Clear Status Indicators: The application clearly displays when Safe Mode is active for each connection

Best Practice: We recommend keeping Safe Mode enabled for exploratory analysis, business intelligence, reporting, and any scenario where users are generating SQL through natural language without deep SQL expertise. Disable Safe Mode only when you have a verified need to execute data modification operations.

For more information about using Safe Mode in your workflows, see our Database Connections documentation.

No AI Training with Your Data

  • OpenAI API: We use the OpenAI API to power our AI features. Because we leverage their API (and do not train our own models with your data), your data is never used for training future models.
  • Strict Privacy: Our contract with OpenAI ensures they also do not use your data for training.

Supabase for Authentication

  • Secure Authentication: We use Supabase for user authentication and storing all necessary information.
  • SOC2 and HIPAA Compliance: Supabase adheres to high security standards, including SOC2 and HIPAA. All data is encrypted by default, both at rest and in transit.

Hosting on Vercel

  • Trusted Platform: Our web application is hosted on Vercel, a reputable and secure hosting platform.
  • High Availability: Vercel ensures reliable service with built-in scalability and security measures.

Ongoing Commitment to Security

We continuously evaluate and update our security practices to keep pace with evolving threats. Your trust is essential to us, and we’re committed to maintaining rigorous security standards.

If you have any questions or concerns, please reach out to our support team via the in-app chat or by email. For more detailed documentation and updates on our privacy measures, visit our documentation.