Security

Read-only. Encrypted.
Your data stays yours.

Yeah, connecting a database to a Discord bot raises eyebrows. Here's how we built it so you don't have to worry.

🛡️

Read-only connections

warpcore can never modify, insert, update, or delete data. We enforce read-only mode at the PostgreSQL connection level using default_transaction_read_only. Even if a query tries to write, PostgreSQL itself rejects it.

🔒

Encrypted credentials

Connection strings are encrypted with AES-256 before we store them. Keys live in a dedicated KMS. Credentials are never logged in plaintext and warpcore employees can't access them.

👁️

No data storage

Query results go straight to Discord and we throw them away. We don't cache your data, don't index it, and don't feed it to AI training. Your rows pass through our servers but never stay.

Architecture

How data flows

When a user runs /query in Discord, here's what happens:

  1. Discord sends the command to warpcore's servers via webhook
  2. warpcore decrypts the database credentials from the encrypted vault
  3. A read-only SSL connection is established to your database
  4. The query is executed with a timeout and row limit
  5. Results are formatted and sent back to Discord as an embed
  6. The database connection is closed. No results are stored.

For natural language queries, an additional step sends the schema (table/column names — not your data) to the AI model to generate SQL.

[Diagram: Discord (user types /query) -> HTTPS -> warpcore (Vault, Engine; AES-256, SELECT only, no storage) -> SSL/TLS -> PostgreSQL (your database)]

Security in detail

🔐 Encryption

  • Database credentials encrypted with AES-256-GCM at rest
  • All connections to your database use SSL/TLS (minimum TLS 1.2)
  • All traffic between warpcore services is encrypted in transit
  • Encryption keys managed via dedicated KMS with automatic rotation
  • Web dashboard served over HTTPS with HSTS

🛡️ Access Control

  • Read-only mode enforced at the PostgreSQL connection level
  • Query execution timeout (10-60s depending on plan)
  • Result row limits prevent accidental full-table dumps
  • Table allow/blocklist to restrict queryable tables (Pro+)
  • Role-based access control via Discord roles (Team plan)
  • Channel restrictions limit where warpcore responds

🗄️ Data Handling

  • Query results are rendered as Discord messages, not stored
  • Schema metadata cached for AI queries, refreshed periodically
  • No customer data is used for AI model training
  • Audit logs track who queried what and when (Team plan)
  • Connection credentials can be deleted anytime from dashboard

🏗️ Infrastructure

  • Hosted on cloud infrastructure with DDoS protection
  • Isolated execution environments for each query
  • Automated security patches and dependency updates
  • Application-level rate limiting
  • Status page with real-time uptime monitoring

Recommendations

Best practices for connecting your database

While warpcore enforces read-only connections, we recommend these additional steps for defense in depth:

  1. Create a dedicated read-only user — Don't use your admin credentials. Create a PostgreSQL role with SELECT-only permissions.
  2. Use table allow/blocklists — On Pro and Team plans, specify exactly which tables warpcore can see.
  3. Use row-level security — PostgreSQL's RLS policies are respected by warpcore.
  4. Consider a read replica — Point warpcore at a read replica to eliminate impact on write performance.
  5. Restrict network access — Add warpcore's static IPs to your database's allowlist.

-- Create a dedicated read-only user for warpcore
CREATE ROLE warpcore_reader WITH
  LOGIN
  PASSWORD 'your-secure-password'
  NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Grant read-only access to specific tables
GRANT USAGE ON SCHEMA public TO warpcore_reader;
GRANT SELECT ON public.users, public.orders, public.daily_metrics TO warpcore_reader;

-- Set default read-only mode
ALTER ROLE warpcore_reader SET default_transaction_read_only = on;
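
A verification pass for the setup above, as an added example that is not warpcore's own code: it checks what the role can actually do rather than what was intended. It assumes the role name and the three tables from the snippet above. default_transaction_read_only is a session default rather than a privilege, so the grants checked here are the boundary that holds regardless of session settings.

```sql
-- Added example: audit the effective privileges of warpcore_reader.
-- Role and table names are taken from the snippet above; adjust to your schema.

-- 1. Role attributes: every boolean column should be false.
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolreplication, rolbypassrls
FROM pg_roles
WHERE rolname = 'warpcore_reader';

-- 2. Per-role settings: expect {default_transaction_read_only=on}.
SELECT r.rolname, s.setdatabase, s.setconfig
FROM pg_db_role_setting s
JOIN pg_roles r ON r.oid = s.setrole
WHERE r.rolname = 'warpcore_reader';

-- 3. Write-type table privileges, whether granted directly, through PUBLIC,
--    or inherited from another role. Expect zero rows.
SELECT n.nspname, c.relname, p.priv
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN (VALUES ('INSERT'), ('UPDATE'), ('DELETE'),
                   ('TRUNCATE'), ('REFERENCES'), ('TRIGGER')) AS p(priv)
WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_table_privilege('warpcore_reader', c.oid, p.priv);

-- 4. Schemas where the role could create objects. Expect zero rows.
SELECT nspname
FROM pg_namespace
WHERE nspname !~ '^pg_'
  AND nspname <> 'information_schema'
  AND has_schema_privilege('warpcore_reader', oid, 'CREATE');

-- 5. Readable relations beyond the three that were granted. Expect zero rows;
--    anything listed is visible to the bot (often via a grant to PUBLIC).
SELECT n.nspname, c.relname
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p', 'v', 'm', 'f')
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_table_privilege('warpcore_reader', c.oid, 'SELECT')
  AND (n.nspname, c.relname) NOT IN (
        VALUES ('public', 'users'), ('public', 'orders'), ('public', 'daily_metrics'));
```

Query 4 commonly flags the public schema on databases created before PostgreSQL 15, where PUBLIC holds CREATE by default; `REVOKE CREATE ON SCHEMA public FROM PUBLIC;` removes it.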

What warpcore does not do

We think it's more useful to tell you what we can't do than what we can.

We do not write to your database

warpcore cannot execute INSERT, UPDATE, DELETE, DROP, ALTER, or any DDL/DML statements. Enforced at the PostgreSQL connection level.

We do not store your query results

Results are sent directly to Discord and discarded. We don't build data warehouses from your queries.

We do not train AI on your data

Your database schema is used to generate SQL queries. Actual data rows are never sent to AI models.

We do not access your database outside queries

warpcore connects only when a user runs a command or a scheduled report executes. No background crawlers, no data syncing.

Responsible disclosure

Found a security issue? Please email security@warpcore.app with details. We'll acknowledge within 24 hours.

Please do not disclose vulnerabilities publicly until we've had a chance to address them.

Questions about security?

We'll walk through the details with you. Just ask.
