Security
FluentDB's strongest security property is architectural: your data, credentials, and queries live on your Mac, so there's no central honeypot to attack.
Local-first by design
The most effective way to protect sensitive data is to never centralize it. FluentDB runs entirely on your Mac. Your connections, credentials, query history, and results stay on your device and move only between your machine and the databases you explicitly connect to. We do not operate a cloud that mirrors your data, and there is no FluentDB account system, which means no central credential store for an attacker to target.
Credential storage
Database hostnames, usernames, passwords, and connection strings are stored in the macOS Keychain, protected by the operating system's encryption and access controls. They are never transmitted to us and are not written to plain-text configuration files.
Data in transit
- Connections to your databases use TLS wherever the database and your configuration support it.
- License activation and update checks are made over HTTPS and carry only a license key, an anonymous device identifier, and basic version information.
- Payments are processed by Stripe, a PCI-DSS Level 1 certified provider; we never see or store full card details.
- Our website is served over HTTPS through our hosting provider, Vercel.
Guardrails against destructive changes
FluentDB includes safeguards to reduce the risk of accidental or AI-driven mistakes:
- Read-only mode: flip a connection to read-only with a single click so no statement can modify your data.
- Manual approval: require explicit confirmation before any statement that touches the database is executed, with the exact SQL shown first.
- Full query history: every statement the app runs is logged locally, so you always know what touched your data and when.
These are safeguards, not guarantees, you remain in control of, and responsible for, the statements you run, and we recommend keeping your own backups.
AI and your data
AI features use an API key that you supply. By default the AI works from your schema (table and column names), not your rows, and requests go directly from your Mac to the provider you chose, or stay entirely on your machine if you run a local model with Ollama. Your data is never routed through our servers and is never used to train a model. You decide what, if anything, leaves your machine.
Application integrity
FluentDB is distributed as a code-signed, Apple-notarized macOS application, so macOS Gatekeeper can verify the integrity and origin of each release before it runs. Update checks are delivered over HTTPS.
Data minimization
We hold as little as possible: an email address and billing details for your purchase (through Stripe) and anonymous device identifiers for licensing. We have no accounts, store no databases, and keep no copies of your queries. See our Privacy Policy for the full picture.
Reporting a vulnerability
We welcome responsible disclosure. If you believe you've found a security issue in FluentDB, please email support@fluentdb.aiwith “Security” in the subject line and steps to reproduce. Please give us a reasonable opportunity to investigate and fix the issue before disclosing it publicly. We will acknowledge your report and keep you updated on our progress.
Contact
For any security question, reach us at support@fluentdb.ai or write to Westlabs LLC, 704 Wallace Street, Clovis, New Mexico 88101, United States.