Skip to main content

Security

This article discusses the security of the Dataedo solution.

Where (meta)data is stored?

All data gathered by Dataedo is stored in a repository - this is a database hosted in your environment and not shared outside your organization.

Server repository

The server repository can be SQL Server on-premises, SQL Server on the cloud, or Azure SQL Database. In any case, this database is provided by you and under your control. We do not have access to it at any time.

Is any data sent outside your environment?

We send a minimum amount of data to our servers.

Launch logs

We send to our database information about the fact that the program was launched and the user successfully logged into their repository. This information contains:

  • IP address
  • Trial/license key ID
  • Key type
  • Program version

This report can be blocked with a firewall without a negative impact on the programs.

Usage tracking

Usage tracking is our custom solution for Product Analytics. Find out more in the Usage tracking article.

Crash reports

Whenever our application crashes, we ask the user to send us a report. No report is sent without user confirmation.

This information includes:

  • Crash message and stack trace
  • Repository database edition and version
  • OS version
  • DBMS and version of the documented database
  • IP address
  • User email (if provided)
Crash report
Crash report details

Potentially sensitive information included in crash reports

Crash reports can potentially contain sensitive information within the message or stack trace. We recommend reviewing them before sending. Those may be (list is not complete):

  • Repository or export file path on the disk (may contain user login)
  • Database or host name

Access control

Server repository

Access to data in the server repository, whether using UI or directly connecting to the database, is secured with SQL Server authentication and authorization.

Exports

Exports have no built-in access control. Anybody with access to the files can access its content.

User administration

Administrators of the SQL Server instance that hosts the Dataedo repository, or owners of the repository database, are automatically administrators of users. More on this here.

Impact on documented data sources

Changes to schema

Dataedo does not modify the schema of documented databases.

Changes to data

Dataedo does not modify the data of documented databases.

Changes to metadata

Dataedo can modify comments/descriptions/extended properties of tables, columns, and other database objects but does it only as an explicit operation initiated by the user (see Exporting descriptions to database).

Offline work

Dataedo allows working on documentation being offline from documented databases. This allows minimizing access to actual databases to specified users that will connect and import metadata, and leaving other users with access only to the Dataedo repository.

Is actual data being extracted?

Dataedo by default does not extract and save actual data. There is a Data Profiling functionality that users may run to scan data in specific tables and columns to analyze summaries, with the option to save those summaries in the repository. This feature by default does not allow saving any data into the repository and can be disabled completely.

Learn more about Data Profiling security considerations

Potentially sensitive metadata

You need to be aware that metadata imported from your databases (which includes mostly table and column names) may contain sensitive information, such as:

  • Table, column descriptions
  • Stored procedures code (may contain sensitive information in code comments)

Security recommendations

Use database repository

From the security perspective, it is advised to use a server repository rather than a file repository.

Use Windows authentication

It is advised to use Windows authentication over other options.

Windows authentication

Read-only accounts

To increase the security and safety of your databases, use read-only user accounts with minimum access levels to read metadata from your documented databases.

Use named Dataedo users

Do not use shared Dataedo user accounts and always create named users.

Use encrypted database connection (repository)

Whenever possible, use an encrypted connection to read metadata from your databases.

Do not save passwords to connections

Even though it is very convenient to save passwords for your connections in the Dataedo repository, we don't recommend that. Passwords are stored in encrypted form, but it creates an unnecessary security vulnerability.

Password

Secure HTML (and other) exports

When using a database repository, all data stored by Dataedo is secured with a login/password. However, the exported documentation to HTML, PDF, or Excel is not secured with a login/password.

Please secure it with additional measures if you want to limit access only to specific end users.

Limit users with access to documented databases

Not everyone needs to have access to the source databases to create documentation in Dataedo. At least one person needs to connect to data sources and import metadata to the Dataedo repository and other users may work on it. Limit users that have access to documented databases to the ones that really need it.

Virus scanning

Each release executable is scanned before publishing with Virustotal. Here are details on how it works.

Tags:
Last updated on
On this page
Dataedo LogoDataedo Logo
If you have any questions or need assistance, feel free to reach out to the Dataedo support team.
Dataedo support