Beekeeper Studio is a desktop application. Your database credentials, queries, and results stay on your machine - they never touch our servers.
The most important thing to understand about our security posture: the vast majority of your sensitive data never touches our infrastructure.
Beekeeper Studio connects directly from your computer to your database. No proxy servers. No middleware. No data routing through third parties.
The desktop app has zero telemetry on your database activity. We have no visibility into what you're doing.
Beekeeper Studio works with no internet connection. All database operations run entirely on your machine.
Security practices built into the application itself - protecting every user regardless of plan.
Dual-licensed under GPLv3 and a commercial license. Our source code is public and community-auditable - you can verify exactly what runs on your machine.
View on GitHub →Automated Dependabot scanning on all repositories. Critical vulnerabilities patched within 7 days, high within 30.
Vulnerability Policy →Windows binaries use an EV certificate, macOS builds are notarized with Apple, and Linux packages are GPG-signed. Your OS can verify authenticity automatically.
Binary Distribution Policy →Database credentials never leave your machine. No cloud sync of passwords - your secrets stay local.
Security Docs →Anonymized usage statistics are opt-in. No query content or database data is ever collected.
Privacy Policy →All cloud features can be disabled for environments with strict security postures. Beekeeper Studio works with no internet connection - including offline license validation.
Configuration Docs →IT administrators can enforce machine-wide policies via a system.config.ini file - disable cloud features, enforce PIN lock, control AI Shell access, and more.
Published policies for change management, code review, and business continuity. Vulnerability scanning with defined SLAs for patching critical, high, and medium issues.
Change Management Policy →Supports Azure Entra ID authentication via the Azure CLI and AWS IAM via the AWS CLI. Connect through SSH tunnels and SSH jump hosts for layered network security.
Connection Docs →For our optional cloud services (accounts, billing, workspace sync), we maintain these security practices:
TLS everywhere. AES-256 encryption at rest. Sensitive fields (like saved passwords) are also application-encrypted before reaching the database. We never store payment card numbers.
Information Security Policy →MFA required on all production systems. Super admin actions are logged and alerted in real time. Background checks for all employees.
Access Review Policy →Published incident response plan with 72-hour breach notification commitment. Cyber liability insurance ($1MM coverage).
Incident Response Plan →Daily automated backups with 90-day retention. Quarterly restore tests verify recovery procedures work.
Disaster Recovery Plan →Security events logged with real-time alerting. Failed logins, admin access, and privilege changes monitored 24/7.
Logging & Monitoring Policy →Our cloud footprint is deliberately small. We don't operate data centers, manage VMs, or maintain network infrastructure.
For a full list of services that process data on our behalf, see our Subprocessor List.
We publish our security policies because we believe transparency builds trust. These are the same policies our team follows day-to-day.
If you have security questions, need to report a vulnerability, or want to discuss compliance requirements:
support@beekeeperstudio.io