PgBeam sits in the critical path between your application and your database. We take that responsibility seriously.
All connections use TLS 1.2 or higher. Client-to-proxy and proxy-to-database connections are encrypted in transit. SNI-based routing ensures traffic reaches the correct project without exposing data.
PgBeam never stores your database user passwords. Application credentials are passed through transparently to your upstream PostgreSQL database, which performs authentication directly. PgBeam only stores the origin database connection details you configure in the dashboard.
All persistent data is stored on encrypted AWS infrastructure. Database credentials for origin connections are encrypted at the application level before storage.
PgBeam operates data planes in 6 AWS regions: us-east-1, us-west-2, eu-west-1, ap-south-1, ap-southeast-1, and ap-northeast-1. Cached query results stay within the region where they were generated. You control which regions your traffic routes through.
Organization-based RBAC with owner and member roles. Scoped API keys for programmatic access. Session management with automatic expiration. SSO via SAML and OIDC for enterprise accounts.
PgBeam processes queries in memory for routing and caching decisions. Query content is not logged in production. Cached results are stored in-memory (L1) and in regional shared caches (L2) with configurable TTLs.
We are actively working toward these milestones as PgBeam moves from Technical Preview to General Availability.
If you discover a security vulnerability, please email security@pgbeam.com. We take all reports seriously and will respond promptly.