Security

Applies to: Dataedo 23.x versions, Article available also for: 24.x (current), 10.x

This article discusses the security of the Dataedo solution.

Where is (meta)data stored?

All data gathered by Dataedo is stored in a repository - this is a database hosted in your environment and not shared outside your organization.

Server repository

The server repository can be SQL Server on premises, SQL Server in the cloud, or Azure SQL Database. In every case this database is provided by you and is under your control. We do not have access to it at any time.

Is any data sent outside your environment?

We send a minimum amount of data to our servers.

Launch logs

We send to our database a record that the program was launched and that the user successfully logged into their repository. This record contains:

  • IP address
  • Trial/license key ID
  • Key type
  • Program version

This report can be blocked with a firewall without negative impact on the programs.

Usage tracking

Usage tracking is our custom solution for Product Analytics. Find out more in the Usage tracking article.

Crash reports

Whenever our application crashes we ask the user to send us a report. No report is sent without user confirmation.

This information includes:

  • Crash message and stack trace
  • Repository database edition and version
  • OS version
  • DBMS and version of the documented database
  • IP address
  • User email (if provided)

Potentially sensitive information included in crash reports

Crash reports can potentially contain sensitive information within the message or stack trace. We recommend reviewing them before sending. Examples (the list is not complete):

  • Repository or export file path on the disk (may contain user login)
  • Database or host name
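A pre-send review of a crash report for the details listed above can be scripted. The following is an added example, not Dataedo code: the report layout, the pattern set and the `review` function are assumptions, and the sample text is constructed.

```python
import re

# The crash report layout is not documented on this page, so these patterns
# rely on generic Windows and SQL Server conventions (assumption).
PATTERNS = [
    # C:\Users\<login>\... : the profile folder is normally the user login
    ("user_login", re.compile(r"(?i)\b[a-z]:\\Users\\([^\\\s'\"]+)")),
    # \\host\share : UNC paths expose a host name
    ("host", re.compile(r"\\\\([A-Za-z0-9._-]+)\\")),
    # Server=..., Data Source=..., Database=..., Initial Catalog=...
    ("db_or_host", re.compile(
        r"(?i)\b(?:server|data source|database|initial catalog)\s*=\s*([^;\s'\"]+)")),
]

def review(report):
    """Return (findings, redacted) for a crash report supplied as text."""
    findings = []
    for kind, rx in PATTERNS:
        for m in rx.finditer(report):
            item = (kind, m.group(1))
            # Ignore very short values such as '.' that would over-redact.
            if len(item[1]) >= 3 and item not in findings:
                findings.append(item)
    redacted = report
    # Mask every occurrence, longest value first, so a database name that
    # also appears in the exception message is masked there too.
    for kind, value in sorted(findings, key=lambda f: -len(f[1])):
        redacted = redacted.replace(value, f"<{kind}>")
    return findings, redacted

# Constructed sample; not real Dataedo output.
SAMPLE = r"""System.Data.SqlClient.SqlException: Cannot open database "dataedo_repo" requested by the login.
   at App.Export.Save(String path) in C:\Users\jkowalski\Documents\export\docs.pdf:line 42
   Connection: Server=sqlprod01.corp.example;Database=dataedo_repo;Integrated Security=True
   Output folder: \\fileserver01\exports\docs
"""

if __name__ == "__main__":
    found, safe = review(SAMPLE)
    print(found)
    print(safe)
```

The findings list is what a reviewer reads before deciding to send; the redacted text is a starting point, not proof that nothing sensitive remains.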

Access control

Server repository

Access to data in the server repository, whether through the UI or by connecting directly to the database, is secured with SQL Server authentication and authorization.

Exports

Exports have no built-in access control. Anybody with access to the files can access their content.

User administration

Administrators of the SQL Server instance that hosts the Dataedo repository, or owners of the repository database, are automatically administrators of users. More on this here.

Impact on documented data sources

Changes to schema

Dataedo does not modify the schema of documented databases.

Changes to data

Dataedo does not modify the data of documented databases.

Changes to metadata

Dataedo can modify comments/descriptions/extended properties of tables, columns and other database objects, but does so only as an explicit operation initiated by the user (see Exporting descriptions to database).

Offline work

Dataedo allows working on documentation while offline from the documented databases. This lets you restrict access to the actual databases to the specific users who connect and import metadata, leaving other users with access only to the Dataedo repository.

Is actual data being extracted?

By default, Dataedo does not extract or save actual data. There is a Data Profiling feature that a user may run to scan data in specific tables and columns and analyze summaries, with the option to save those summaries in the repository. By default, this feature does not allow saving any data to the repository, and it can be disabled completely.

Learn more about Data Profiling security considerations

Potentially sensitive metadata

You need to be aware that metadata imported from your databases (which includes mostly table and column names) may contain sensitive information, such as:

  • Table, column descriptions
  • Stored procedures code (may contain sensitive information in code comments)
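Stored procedure comments can be checked for leftover secrets before the metadata is imported. The following is an added example, not Dataedo code: the keyword list, both function names and the sample procedure are constructed, and only string literals (not bracketed or quoted identifiers) are skipped.

```python
import re

# Words that hint at a secret left in a comment (constructed list; extend it).
SENSITIVE = re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b")

def sql_comments(sql):
    """Yield (line_number, text) for every T-SQL comment outside string literals."""
    i, n, line = 0, len(sql), 1
    while i < n:
        if sql.startswith("--", i):                 # line comment runs to end of line
            end = sql.find("\n", i)
            end = n if end == -1 else end
            yield line, sql[i + 2:end].strip()
            i = end
        elif sql.startswith("/*", i):               # block comment; T-SQL allows nesting
            depth, j = 1, i + 2
            while j < n and depth:
                if sql.startswith("/*", j):
                    depth, j = depth + 1, j + 2
                elif sql.startswith("*/", j):
                    depth, j = depth - 1, j + 2
                else:
                    j += 1
            yield line, sql[i + 2:j].removesuffix("*/").strip()
            line += sql.count("\n", i, j)
            i = j
        elif sql[i] == "'":                         # string literal; '' is an escaped quote
            j = i + 1
            while j < n and (sql[j] != "'" or sql.startswith("''", j)):
                j += 2 if sql[j] == "'" else 1
            line += sql.count("\n", i, j)
            i = j + 1
        else:
            line += sql[i] == "\n"                  # bool adds 0 or 1
            i += 1

def flag_comments(sql):  # comments whose text matches SENSITIVE
    return [(ln, text) for ln, text in sql_comments(sql) if SENSITIVE.search(text)]

# Constructed sample procedure; the password value is a placeholder.
SAMPLE_PROC = """CREATE PROCEDURE dbo.sync_customers AS
    -- nightly sync, owner: data team
    /* linked server login: svc_sync
       password: <placeholder> /* rotate quarterly */ */
    SELECT 'not -- a comment, token stays in data' AS note;
    EXEC dbo.load_stage;  -- TODO remove temp pwd from job step
"""
```

Running `flag_comments` over procedure definitions pulled from the source database shows which objects need their comments cleaned before they reach the repository or an export.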

Security recommendations

Use database repository

From a security perspective, we advise using a server repository rather than a file repository.

Use Windows authentication

It is advised to use Windows authentication over other options.

Read only accounts

To increase the security and safety of your databases, use read-only user accounts with the minimum access level needed to read metadata from your documented databases.

Use named Dataedo users

Do not use shared Dataedo user accounts and always create named users.

Use encrypted database connection (repository)

Whenever possible, use an encrypted connection to read metadata from your databases.

Do not save passwords to connections

Even though it is very convenient to save passwords for your connections in the Dataedo repository, we don't recommend it. Passwords are stored in encrypted form, but saving them creates an unnecessary security vulnerability.

Secure HTML (and other) exports

When using a database repository, all data stored by Dataedo is secured with a login/password. However, documentation exported to HTML, PDF, or Excel is not secured with a login/password.

Please secure it with additional measures if you want to limit access only to specific end users.

Limit users with access to documented databases

Not everyone needs access to the source databases to create documentation in Dataedo. At least one person needs to connect to the data sources and import metadata into the Dataedo repository; other users can then work on it. Limit access to documented databases to the users who really need it.

Virus scanning

Each release executable is scanned with VirusTotal before publishing. Here are details on how it works.