Overview
How Ballast protects your data and credentials.
Ballast is designed with security as a core principle. This page provides an overview of our security model.
Data Protection
Credential Encryption
All source credentials (OAuth tokens, database passwords, API keys) are encrypted:
- AES encryption with 256-bit keys
- Encryption key stored separately from data
- Credentials never logged or exposed in API responses
Data at Rest
Indexed data is stored in:
- PostgreSQL - Primary metadata and content
- Qdrant - Vector embeddings
Both can be configured with encryption at rest in production deployments.
Data in Transit
All connections use TLS:
- HTTPS for all API endpoints
- TLS for database connections (configurable)
- Encrypted connections to Qdrant
Access Control
Authentication
Ballast supports:
- JWT tokens - For web application sessions
- API keys - For programmatic access and MCP
See Authentication for details.
Authorization
Role-based access control at multiple levels:
Organization roles:
- Owner, Admin, Member
Collection roles:
- Owner, Admin, Editor, Viewer
API Key Scoping
API keys can be restricted to:
- Single collection
- All collections in organization
- Include personal sources (user-scoped)
See API Key Scoping for details.
Personal Data Privacy
Personal sources (Gmail, personal Drive) receive additional protection:
- Encrypted with user-specific keys
- Invisible to other users and admins
- Only accessible via user-scoped API keys
See Personal Sources for details.
Infrastructure Security
Self-Hosted Deployments
Enterprise customers control:
- Network isolation
- Encryption keys
- Database security
- Access logs
Cloud Deployments
The managed service includes:
- SOC 2 Type II compliance (planned)
- Regular security audits
- Incident response procedures
Best Practices
- Use collection-scoped API keys when possible
- Rotate credentials regularly
- Enable TLS for all database connections
- Review access logs periodically
- Use personal sources for sensitive personal data