Overview

Springtail is designed with a security-first approach to safeguard customer data. Several key strategies are in place to ensure that data security remains a core focus throughout Springtail’s architecture.

Isolation

Springtail uses hardware isolation to ensure that each customer’s deployment is fully separated from others. Data access is tightly controlled and occurs exclusively through a Virtual Private Cloud (VPC) peered with the customer’s AWS VPC. Each customer deployment includes:

  • PrivateLink endpoint: Enables the Springtail replica to connect securely with the customer’s primary database for data replication.

  • Private interface endpoint: Allows customer applications to connect securely to their Springtail database instances.

  • Restricted routing: Allows access to the customer’s Springtail database only from within the customer’s VPC, providing strict isolation.

Authentication

Springtail enforces authentication on all operations to ensure only authorized users can access data. Two levels of authentication are employed:

  1. Proxy authentication: Springtail’s Proxy performs user authentication based on the users that exist in the Primary database and only allows those users that have CONNECT access to query the replicated database. The proxy uses a function installed on the primary database to determine if the user has CONNECT access to each database. The Proxy caches the set of users and the databases to which they have access, and refreshes this data every few seconds.

  2. Web UI authentication: Access to the Springtail web platform is managed by PropelAuth, a SOC-2 certified authentication provider. PropelAuth supports advanced security features, including 2-factor authentication (2FA) and passwordless login.

Currently, Springtail does not enforce table, row or column level permissions for users on read-queries (update queries are sent to the primary and are validated by the primary). If a table or portion of a table should not be accessed, then that table should not be marked for replication.

Encryption

All data at rest and in-transit across VPC boundaries is encrypted. Springtail utilizes AWS encryption whenever possible and uses SSL for network traffic. All secrets are stored within the AWS secrets manager.

Compliance

Springtail is currently in the process of obtaining SOC-2 certification. As such, Springtail is partnering with an independent security firm to complete regular audits of our service and code base, including penetration testing. In preparation for SOC-2 compliance, Springtail is developing a complete set of compliance documents that are available upon request.

Postgres CompatibilityFAQ