Security

How Spanna handles credentials, auth, and browser-based access.

1. Security Model

  • Desktop: the desktop app connects directly to your MongoDB deployment.
  • Web: the browser client routes database operations through Spanna's web service, since a browser cannot open a direct connection to a MongoDB deployment.
  • Auth: user authentication is handled through Supabase Auth.
  • Billing: subscription checkout and billing are handled through Paddle.

2. Credential Vault

Spanna stores connection credentials in an encrypted vault. The desktop app can stay completely local with no account. When you sign in, an encrypted cloud-backed vault keeps saved connections synced across your desktop devices. Pro extends this to browser sessions.

  • Credentials are encrypted before storage.
  • Free and Pro bootstrap the cloud-backed vault automatically during the normal sign-in flow.
  • Pro extends the synced workspace with folders, saved queries, settings, and higher limits.
  • User-facing recovery is limited to the export and reset troubleshooting paths.

3. What Spanna Stores

  • Account information needed for auth and subscription state.
  • Workspace metadata such as connection names and settings.
  • Encrypted credential material when vault-backed storage is used.
  • Operational metadata such as billing, telemetry, and audit events.

4. What This Page Does Not Claim

  • No security certification or compliance attestation is claimed here.
  • No blanket promise is made that the browser client is zero-infrastructure; it necessarily uses Spanna's service layer.
  • No claim is made that any system is risk-free or invulnerable.

5. Vulnerability Reporting

Report security issues privately to hello@spanna.app. Include reproduction steps, the affected surface (desktop, web, auth, or billing), and any proof-of-concept details. Please do not disclose vulnerabilities publicly before we have had a reasonable chance to investigate and remediate them.

6. Security Hygiene for Users

  • Prefer least-privilege MongoDB users, with roles scoped to the databases you actually need, for application access.
  • Use TLS for connections, and authenticate with X.509, OIDC, Kerberos, or AWS IAM where your deployment supports them.
  • Reset the vault and re-save credentials if a device or workspace state becomes inconsistent.
  • Keep desktop builds current so you receive the latest security fixes and auth/sync improvements.
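
As an added example, not Spanna's code, the script below is a small offline audit covering the first two hygiene points above. It flags over-broad built-in roles on a user document shaped like the output of db.getUser() / usersInfo, and it checks a MongoDB connection string for cleartext transport, disabled certificate validation, and a reusable password embedded in the URI when no password-free mechanism is in use. The user name, role list, host names, and URIs are constructed for illustration; nothing connects to a database.

```javascript
// Added example, not Spanna's code: an offline audit of two hygiene points from
// this page, least-privilege MongoDB roles and TLS / password-free auth.
// The user document is shaped like db.getUser() / usersInfo output and the
// connection strings follow the MongoDB URI format; all inputs are constructed.

// Built-in roles that grant far more than a database client tool needs.
const BROAD_ROLES = new Set([
  "root", "dbOwner", "dbAdminAnyDatabase", "readAnyDatabase",
  "readWriteAnyDatabase", "userAdminAnyDatabase", "clusterAdmin",
  "clusterManager", "hostManager", "backup", "restore", "__system",
]);

// Auth mechanisms that do not put a reusable password in the connection string.
const PASSWORDLESS_MECHANISMS = new Set([
  "MONGODB-X509", "MONGODB-OIDC", "GSSAPI", "MONGODB-AWS",
]);

// Flag roles that exceed what a client needs for one application database.
// Returns an array of findings; an empty array means the user looks scoped.
function auditUserRoles(user, { appDb, needsWrite = false }) {
  const findings = [];
  for (const { role, db } of user.roles ?? []) {
    if (BROAD_ROLES.has(role)) {
      findings.push(`${role}@${db}: built-in role grants far more than a client needs`);
    } else if (db !== appDb) {
      findings.push(`${role}@${db}: granted outside the intended database ${appDb}`);
    } else if (role === "readWrite" && !needsWrite) {
      findings.push(`${role}@${db}: read-only access would suffice`);
    }
  }
  return findings;
}

// Minimal parser for mongodb:// and mongodb+srv:// URIs. It is multi-host
// aware; the WHATWG URL class rejects the comma-separated host list.
function parseMongoUri(uri) {
  const m = /^(mongodb(?:\+srv)?):\/\/([^\/?]*)(?:\/([^?]*))?(?:\?(.*))?$/.exec(uri);
  if (!m) throw new Error("not a MongoDB connection string");
  const [, scheme, authority, database = "", query = ""] = m;
  const at = authority.lastIndexOf("@");
  const userinfo = at >= 0 ? authority.slice(0, at) : null;
  const hosts = (at >= 0 ? authority.slice(at + 1) : authority).split(",");
  const options = {};
  for (const pair of query.split("&").filter(Boolean)) {
    const [key, value = ""] = pair.split("=");
    options[key.toLowerCase()] = decodeURIComponent(value); // option names are case-insensitive
  }
  return { scheme, userinfo, hosts, database, options };
}

// Flag cleartext transport, disabled certificate checks, and passwords in the URI.
function auditConnectionString(uri) {
  const findings = [];
  const u = parseMongoUri(uri);
  // mongodb+srv:// implies TLS unless tls=false (or legacy ssl=false) is explicit.
  const tlsOpt = u.options.tls ?? u.options.ssl;
  const tlsOn = tlsOpt !== undefined ? tlsOpt === "true" : u.scheme === "mongodb+srv";
  if (!tlsOn) findings.push("TLS is off: credentials and data cross the network in cleartext");
  if (u.options.tlsinsecure === "true" || u.options.tlsallowinvalidcertificates === "true") {
    findings.push("server certificate validation is disabled");
  }
  const mechanism = (u.options.authmechanism ?? "SCRAM").toUpperCase(); // SCRAM is the default
  if (u.userinfo?.includes(":") && !PASSWORDLESS_MECHANISMS.has(mechanism)) {
    findings.push(`a reusable password is embedded in the URI (mechanism ${mechanism})`);
  }
  return findings;
}

// Constructed samples: an over-privileged user, and a weak vs. hardened URI.
const SAMPLE_USER = {
  user: "reporting", db: "admin",
  roles: [
    { role: "readWriteAnyDatabase", db: "admin" },
    { role: "read", db: "analytics" },
    { role: "readWrite", db: "analytics" },
  ],
};
const WEAK_URI = "mongodb://app:s3cret@db1.internal:27017,db2.internal:27017/analytics?authSource=analytics";
const HARDENED_URI = "mongodb+srv://cluster0.example.net/analytics?authMechanism=MONGODB-X509&authSource=%24external";

for (const [label, findings] of [
  ["roles", auditUserRoles(SAMPLE_USER, { appDb: "analytics" })],
  ["weak URI", auditConnectionString(WEAK_URI)],
  ["hardened URI", auditConnectionString(HARDENED_URI)],
]) {
  console.log(label, findings.length ? findings : "no findings");
}
```

Run it with node against the output of db.getUser() and the connection strings you are about to save; a user with any finding in the roles audit should be replaced by one scoped to a single database and the narrowest role that still works.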