runQL’s data credential model protects your data even if the worst happens.

July 23, 2025

A Story of What Could Go Wrong

Imagine your company is using a SaaS tool that stores each of your employees database credentials on the SaaS provider’s servers (this is quite common). Everything is fine until one weekend, the SaaS provider is breached.

Attackers get access to the SaaS servers and don’t even need to steal the database credentials and decrypt them - they just use the SaaS system itself to access your internal data!

The Result?

Sensitive data is leaked and the trust of your clients is impacted, ultimately hurting your sales and reputation.

Now, What if Your Company Used runQL?

Imagine the same kind of breach happened. The attackers reached the servers… but in this case they found nothing. They couldn’t access any of your internal data!

Why? Because runQL never stores individual database credentials on our servers!

The Result?

No data access. No leaked credentials. No trust lost.

How runQL Keeps You Safe (Without Slowing You Down)

We take a different approach that's more secure for you. All your individual user credentials for databases are stored locally on your employees machines and always encrypted.

Desktop App

All access keys are encrypted locally on the desktop via the MacOS Keychain or via encryption using the Windows DAPI. Which means that not even a disk scan could reveal credentials.

Why it matters?
✅ No one can access your data from our servers, even in a breach
✅ Your employees' credentials are encrypted and stored on their machine

Browser Client

Credentials are encrypted with AES-256-CBC using a per-user key on the server, but only stored at rest in the browser. This means that credentials that are taken from the client (browser) or in transit are unusable (encrypted). runQL servers have no ability to run queries requiring credentials except when the client provides credentials.

Why it matters?
✅ Even if the browser or network is compromised, credentials are useless
✅ Nothing stored at rest on runQL servers
✅ You stay in full control of access

Optional Session Storage

For even tighter control, you also have the option to only store the credentials in memory for the current session. When the app or browser is closed the credentials are discarded.

Why it matters?
✅ Perfect for consultants, shared laptops, or high-sensitivity health, insurance and government environments
✅ Zero persistence = zero footprint

All Data Access is Logged and Auditable

Whether using individual or shared credentials, every query is logged per user, showing who accessed what and when.

Why it matters?
✅ Gives security leaders and auditors full transparency
✅ Enables compliance with SOC 2, HIPAA, GDPR
✅ Supports internal accountability and governance

What This Means for Your Leadership Team

For CTOs
  • Zero trust by default
  • Local-first encryption = reduced attack surface
  • Aligns with modern SaaS security architecture
  • Auditable by design
  • Designed for compliance from the ground up
For CEOs
  • No risk of brand-damaging data breaches via credential exposure
  • Trust and transparency for you and your customers
  • Faster decisions with no security tradeoffs

🚀 Security That Moves as Fast as You Do

runQL lets your teams query, analyze, and collaborate - without compromising on your data security.

— The runQL Team