Skip to main content

Storing API Credentials Securely

DataGrail's Security ensures that both your and your customers' data are protected throughout the entire privacy management process. As such, DataGrail takes a multi-layered approach to securing API credentials to customers’ software systems. This article will explain what measures are taken to ensure security within the platform.

First, the production PostgreSQL database that DataGrail uses is encrypted using AES-256 encryption. DataGrail makes use of Amazon Web Service’s (AWS) Relational Database Service to perform this encryption.

In addition, the API secrets to each SaaS system are individually encrypted at the field-level. The encryption keys are generated and stored within AWS Secrets Manager.

Finally, DataGrail’s front end servers that are exposed to users are only able to write API secrets, not retrieve them. The worker servers that access customer systems are granted the ability to decrypt API secrets but are not user-facing.

This design affords a number of security properties.

If DataGrail’s database were ever to be compromised, customer API secrets remain securely encrypted and indecipherable to attackers. Similarly, if an encryption key in AWS Secrets Manger were inadvertently exposed, it is of no value without access to the encrypted secret stored in DataGrail’s PostgreSQL database.

Our worker servers with access to decrypt API secrets are separated from the areas of our architecture that are exposed to user interaction and the internet, thus keeping API secrets safe.


Need help?
If you have any questions, please reach out to your dedicated CSM or contact us at

Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.