Our Commitment to Security


PopSQL is SOC 2 Type II compliant. Our full report is available upon request.


PopSQL has a Data Processing Agreement (DPA) for customers to sign upon request.


  • Hosted on Amazon Web Services (“AWS”) in the United States across multiple availability zones to support fault tolerance, high availability, and disaster recovery.
  • AWS security groups are used to restrict communication between servers, and VPC is used to isolate the production environment from other environments.
  • Only our load balancers are publicly accessible; everything else is in a private subnet.


  • Your data is encrypted at rest using AES 256-bit encryption and protected by TLS in transit.
  • Key management is in place for encryption keys for production services.
  • Your PopSQL password is hashed using bcrypt, and we manage our production secrets with AWS tools.
  • Any attempt to access PopSQL using insecure HTTP protocol is automatically redirected to use secure HTTPS protocol.

Product Security

  • Organization admins can control many aspects of PopSQL, such as:
    • How new members are added: auto join by email domain, join by invitation only, or join via invitation links (docs).
    • How database connections are saved/shared: private on your computer, partially shared in the cloud by requiring members to enter their own username/password, or fully shared with members in the cloud for an easy onboarding experience (docs).
    • Organization admins can disable features organization-wide such as cloud connections, result sharing, public queries/dashboards.
  • Our Enterprise plan offers audit logs, teams and granular permissions, and SAML Single Sign-On (SSO) with SCIM provisioning.
  • If your database is not publicly accessible, you can configure PopSQL to use an SSH tunnel to reach your database. Or if your database has an IP allowlist, we have static IPs.
  • PopSQL enforces complex passwords.


  • PopSQL conducts regular third party vulnerability audits and security penetration tests.
  • All PopSQL employees undergo background checks and are trained on security best practices during onboarding.
  • PopSQL performs daily backups and replication for its core databases across multiple zones in the event of a site disaster.
  • PopSQL tests backup and restore capabilities to ensure successful disaster recovery.
  • PopSQL has established policies and procedures for responding to potential security incidents.

Endpoint Security

  • All company-owned workstations have MDM technology installed. This ensures they're running up-to-date operating system versions, are malware-free, and allow PopSQL IT admins to remotely wipe devices.
  • PopSQL workstations have encrypted hard drives, require strong passwords, and lock when idle.

Contact Security

If you believe you've found a security vulnerability in PopSQL, please get in touch at security@timescale.com.