Security policy

We understand how critical the protection of your data is, and we take the security of SurrealDB code, software, and cloud platform very seriously. If you believe you have found a security vulnerability in SurrealDB, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem.

Need to report a vulnerability?

We would like to keep SurrealDB safe and secure for everyone. Please report any issues or vulnerabilities to security@surrealdb.com, instead of posting a public issue on GitHub. If you have discovered a security vulnerability, we would greatly appreciate your help in disclosing it to us in a responsible manner. Publicly disclosing a vulnerability can put the entire SurrealDB community at risk.

When submitting a security vulnerability, please include the SurrealDB version identifier (shown by running surreal version on the command line) and details on how the vulnerability can be exploited. We will work with you to assess and understand the scope of the issue and fully address any concerns. Any emails are immediately sent to our engineering staff to ensure that issues are addressed rapidly. Any security emails are treated with the highest priority, as the safety and security of our service is our primary concern.

Physical security

SurrealDB Cloud services are hosted on Google Cloud Computing and Amazon Web Services. The data centres are staffed 24x7x365 by security guards, and access is authorised strictly on a least-privilege basis.

Both cloud hosting providers are certified with the ISO 9001:2008, ISO 27001:2013, ISO 27017:2015, and ISO 27018:2014 security standards - global standards that outline the requirements for information security management systems. These standards require the hosting provider to systematically evaluate its information security risks, taking into account the impact of company threats and vulnerabilities; to design and implement a comprehensive suite of information security controls and other forms of risk management to address company and architecture security risks; and to adopt an overarching management process to ensure that the information security controls meet the information security needs on an ongoing basis. In addition, both hosting providers are certified at PCI DSS Level 1, which means that the application is run on the PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud.

Perimeter security

Access to perimeter devices, servers and network hardware is permitted only from defined IP addresses over secure private and public key authentication mechanisms with encryption, or through virtual private network (VPN) gateways. Access to all servers is secured using automatically-rotating private and public key pairs. All data is encrypted when in transit, preventing man-in-the-middle attacks and data snatching.

All servers are tested for vulnerability and intrusion detection quarterly. Security patches and upgrades are applied weekly. The servers and services hosted on them are certified as complying with the PCI Data Security Standard established by the PCI Security Standards Council, which is an open global forum for the development, enhancement, storage, dissemination and implementation of security standards for account data protection. The certification confirms that the services adhere to the PCI DSS Level 4 requirements for security management, policies, procedures, network architecture, software design and other critical protective measures.

Network security

The system is designed with scalability and redundancy in mind. Web load balancers and database servers are distributed globally across geographically dispersed data centres, in different operating regions. Database servers are synced across three geographically dispersed data centres, with multi data centre replication.

A single anycast IP address routes all global requests to the desired data centre region, providing cross-region load balancing, and automatic multi-region failover which gently re-routes traffic if backends become unhealthy. Data enters the hosting network through 80+ distinct global load balancing locations, maximising the distance traveled on the internal network.

Each database server has its own firewall configuration based on its role within the SurrealDB Cloud platform, and only the necessary ports are opened on each server. All outbound connections pass through the stateless access control rules, whilst inbound connections from the internet must pass through a secure, highly-available load balancer layer and the stateless access control firewall rules before being routed to each server.

Software security

We take the security of the SurrealDB code very seriously. The database is built using the Rust language - a static multi-paradigm, memory-efficient, low-level programming language, focused on speed, security, and performance. The intention is to build SurrealDB with as few moving parts as possible, thereby keeping the attack surface as small as possible.

Email security

SurrealDB supports TLS encryption on all inbound and outbound email. SurrealDB uses Gmail to provide email and communication services. For an explanation of how email encryption works, take a look at this overview from Google.

Data residency

On SurrealDB Cloud, the location of data can be specified. Locations may include London, Ireland, Belgium, Germany, Switzerland, North America, South America, Australia, Canada, or Singapore. Data will not be moved or replicated outside of a specified location.

Data in transit

All data is encrypted when it is being transmitted between client devices and SurrealDB Cloud. SSL/TLS certificates shield data using 256 byte signatures, and either 2048 bit or 4096 bit keys. All connections to Content Delivery Network (CDN) servers and the database layer are secured using TLSv1.3. All TLS/SSL keys for client-to-server communication are changed on an annual basis.

Communications between servers in a database cluster are secured using TLSv1.3.

Data at rest

When at rest, all files are encrypted at multiple different levels. On the storage disk level, all data is encrypted using the 256 bit Advanced Encryption Standard (AES-256), with automatically rotating keys. In the database, each key-value is encrypted separately using the 256 bit Advanced Encryption Standard (AES-256) before being stored in persistent storage. Passwords are stored using pbkdf2, bcrypt, scrypt, or argon2 hashing algorithms.

Data backup

All data is historically stored at the database level, allowing for access and querying of data and changes made at any time. Full-snapshot backups of the SurrealDB Cloud platform (both current and historical) are performed nightly, and backup data is stored offsite, in an encrypted format using the 256 bit Advanced Encryption Standard (AES-256).

Authentication

All access to the services is authenticated using JSON Web Tokens (JWT) digitally signed using the HMAC SHA512 or RSA SHA512 algorithms. All highly-sensitive data such as passwords are stored using a one-way hashing technique. All passwords are salted and then hashed over multiple iterations using the pbkdf2, bcrypt, scrypt, or argon2 hashing algorithms before being stored in the database. All access is logged against IP addresses and geolocation regions. Authentication can be locked to particular IP addresses.

Security incidents

Security incidents and downtime incidents are reported to an online status page as soon as incident information is available.

Contact us

Have a question, concern, or comment about SurrealDB security? Please contact SurrealDB Support.