Enterprise Security in Every Plan — No Paywalls

Your clients trust you with their data. Here's how we protect it.

Row-level security, dedicated databases, and full data isolation — included from $99/mo. Not an enterprise add-on. Standard.

Built for multi-tenant deployments from day one. Your data stays in your chosen region. We never contact your end users or market to them.

Start Free Trial View Data Processing Agreement Have a Security Checklist? →
For Agencies & Multi-Client Teams

The three things your clients will ask about

When you bring a BI platform into a client engagement, they want to know their data is isolated, your brand is the only one they see, and no one's mining their users. Here's the short answer to each.

"Can Client A see Client B's data?"

No. Data Tags filter every query automatically — each user sees only the rows that belong to them. Configured once, enforced on every report, every export, every scheduled email. You build one report, every client sees only their own.

How row-level security works →

"Will my clients see DashboardFox branding?"

No. White-label is included in every plan. Custom domain, your logo, your colors, your email sender. Your clients see your product — not ours. We have no interest in marketing to the people using your dashboards.

White-label details →

"Will DashboardFox contact our users?"

Never. We only communicate with account administrators for billing and product updates. Your clients' users — their data, their identities — stay entirely within your instance. We don't export, analyze, or reach out to them.

See our privacy promise →

Your data stays yours

We don't need a copy of your data to help you visualize it.

Your Database PostgreSQL · MySQL · SQL Server
● Live
Last query result
customerrevenueregion
Acme Corp$142kWest
Pinnacle$89kEast
ShopLite$214kWest
TLS encrypted · Read-only by design · Nothing stored
vs
Files & APIs Excel · CSV · REST APIs
● Stored
Last refreshed 2 hours ago
Next refresh in 4 hours
Rows stored 18,432
Schedule
Every 6h Daily 6am Weekly
Encrypted at rest · Stored in your dedicated isolated DB
Database data is never copied or cached
Imports encrypted at rest in your dedicated DB
Every customer database is fully isolated

Direct database connections

For database connections, we query your data live — nothing is copied or stored in DashboardFox. We read it when you run a report, then it's gone.

Dedicated customer databases

Every customer gets their own isolated database. No shared multi-tenant data pools — your data is never commingled with others.

Imported data stays isolated

When you use Excel uploads or API sources, that data is stored in your dedicated customer database — encrypted at rest and completely separate from every other customer.

Read-only by design

DashboardFox only reads your data — we have no functionality to write to your database. We still recommend read-only credentials as a best practice so both sides are covered.

No Security Paywalls

Row-level security is typically an enterprise upgrade. Not here.

Most BI tools lock row-level security and audit logs behind expensive tiers. We include them in every plan — because security shouldn't be a selling point for an upgrade.

DashboardFox Security included from day one
Best Value
$99 /mo · Starter plan
  • Row-level security (Data Tags)
  • Field-level security
  • Audit logs
  • Dedicated isolated database
  • White-label included
  • Multi-tenant support
Metabase Pro tier required for RLS
$575 /mo · Pro plan minimum
  • Row-level security (Pro only)
  • Audit logs (Pro only)
  • White-label (separate add-on)
  • Shared infrastructure (cloud)
  • Dedicated database per customer
  • Multi-tenant (complex setup)
Power BI / Tableau Enterprise tier for full RLS
$500+ /user/mo · Enterprise required
  • RLS (Premium / Enterprise only)
  • Per-seat pricing (idle users count)
  • White-label (enterprise contracts)
  • Dedicated database per customer
  • Multi-tenant agency model
  • MAU pricing
See Full Pricing → Feature comparisons based on publicly available pricing pages as of 2026. Always verify with each vendor.
Infrastructure

Protected at every layer

From encrypted storage to isolated containers, your data is protected by enterprise-grade infrastructure.

IP restrictions

Limit access to your instance to specific IP addresses or ranges. Combine with static egress IP to lock down traffic in both directions.

Encryption at rest

All customer databases use AES-256 transparent data encryption (TDE). Backups are encrypted with AES-256 before leaving our servers.

Encryption in transit

TLS 1.2+ on all connections — to our platform, between services, and to your databases. No exceptions.

Containerized isolation

Kubernetes-based architecture with customer isolation by design. Resources are separated at the infrastructure level.

Secure credential storage

Database credentials, API keys, OAuth tokens, and uploaded driver files are stored in encrypted secrets management — never in plaintext, never in code.

US & EU data regions

Choose your data region at signup. Your data stays in that region for the life of your account — no cross-region replication.

Security Architecture — Outermost to Innermost
NetworkIP allowlists · TLS 1.2+ everywhere · Static egress IP
InfrastructureKubernetes isolation · Containerized per customer · AES-256 TDE encryption at rest
AuthenticationSession tokens · 2FA (Duo) · IP restrictions · Concurrent session control
AuthorizationRole-based access control · Field-level security · Report & dashboard permissions
Row-Level SecurityData Tags filter every query · Every user sees only their data · Configured once, enforced everywhere

Security at the data level

Row-level security, field-level security, role-based access control, and audit logs — all available from $99/mo. No plan upgrade required.

app.yourdomain.com/reports
  • Row-level security — Users see only their data, automatically filtered across every report
  • Field-level security — Control which columns each audience sees by building tailored Apps (semantic layers). For Raw SQL and Stored Procedures, field access is managed within the query
  • Role-based access control — Granular permissions on reports, dashboards, and data sources
  • Audit logs — Track report execution, security events, and admin changes. Retention is tiered by plan. GDPR/compliance logging follows regulatory requirements regardless of plan
  • Secure sharing — Share reports without exposing underlying data or credentials
Row-level security, audit logs, and field-level security are included in every plan from $99/mo. Metabase charges $575/mo before you even get RLS.
See what's included at your tier →
For Agencies & MSPs

One instance, many clients — each in their own lane

Serving multiple clients from a single DashboardFox instance? Data Tags create airtight isolation between tenants — no per-client database required. One report template, hundreds of clients, zero cross-contamination.

  • Data Tags — Dynamically filter data so each user sees only their tenant's data, automatically applied to every report
  • Security Policies — Define rules once, enforce everywhere across all reports and dashboards
  • Dynamic data connections — Route users to different databases, schemas, or credentials based on who's logged in (Enterprise tier)
  • One report, many tenants — Build once, serve hundreds of clients — each seeing only their own data
See agency deployment options →

Authentication & access control

Control who can access your dashboards and how they authenticate.

  • Session management — Tokens expire on inactivity; concurrent sessions automatically invalidate
  • Two-factor authentication — Cisco Duo integration available (Scale tier+)
  • Public & shareable views — Share reports via direct link or enable a Guest View Library portal. Both are anonymous and view-only — no row-level security, no saved views
  • IP restrictions — Limit access to specific IP addresses or ranges
  • Admin activity logging — Full audit trail on administrative actions
IP Restrictions Allowlisted addresses only Session Management + 2FA Token expiry · Concurrent session control · Duo MFA Role-Based Access Control Permissions on reports, dashboards, and data sources Field-Level Security Control visible columns per audience Row-Level Security Every user sees only their data Audit Log — every action recorded
Compliance

SOC 2 in progress — here's what protects you right now

We're transparent: SOC 2 Type II certification is underway. What we won't do is ask you to wait on a badge before trusting us with data. Here's the architecture that will earn that certification — and what protects your clients today.

Why "SOC 2 in progress" isn't a gap — it's a milestone

SOC 2 Type II requires 6–12 months of audited operational evidence. We're in that window now. The controls, processes, and architecture — dedicated databases per customer, AES-256 encryption at rest, TLS 1.2+ in transit, annual third-party pen testing, audit logs, GDPR-ready DPA, CCPA-compliant data handling, and HIPAA-ready infrastructure — were designed for SOC 2 compliance from day one. Not retrofitted. The certification documents what's already true.

Annual third-party penetration testing
Cyber liability insurance
GDPR-ready DPA available now
Dedicated DB per customer
Full audit trails
Public status page

What we do today

  • Architecture designed for SOC 2 and GDPR compliance
  • CCPA/CPRA compliant data handling
  • HIPAA-ready infrastructure — BAA available on request
  • FERPA-ready — education data addendum available on request
  • Annual third-party penetration testing
  • Right to deletion and data export support
  • 30-day data retention after account closure
  • Full audit trails on all administrative actions
  • PCI DSS compliance — We never store payment card data; all billing processed by PCI-compliant processors
  • Cyber liability insurance coverage
  • Public status page with real-time system status and incident updates

On our roadmap

  • SOC 2 Type II certification In progress
  • ISO 27001 certification Planned

Security & Legal Documentation

Privacy Policy Data Processing Agreement Business Associate Agreement FERPA Education Data Addendum Sub-processor Registry Breach Notification Policy Data Retention Policy Acceptable Use Policy Vulnerability Disclosure Policy

We don't market to your clients. Ever.

Your end users see your brand, not ours. Their data stays in your instance. We never export, analyze, or market to the people using your dashboards — they may not even know DashboardFox exists. We only communicate with account administrators for billing and product updates, and you can opt out of those anytime.

Have a security review checklist?

Government, healthcare, finance, and compliance-sensitive teams often need more than a webpage. If you're evaluating vendors against a formal checklist — data handling, subprocessors, breach notification, audit procedures — talk to us directly. We'll go through it line by line.

We're a small team. You'll talk to engineers, not a sales rep reading from a deck.

Email Security Team Download DPA →
Need complete infrastructure control?

DashboardFox can run entirely on your own servers — Windows, Linux, or Docker. Air-gapped capable. One-time license from $4,995.

Explore Self-Hosted →
Questions

Security FAQs

No. Every customer gets their own isolated database — your data is never commingled with other customers in storage or at the application level. Backups use separate database files, stored encrypted.
You choose between US and EU data centers when you create your instance. Your data stays in that region for the life of your account. Choose carefully — region changes are not supported after setup.
We never copy, cache, or store your actual database data. What we do store in your dedicated customer database is metadata: your users, roles, groups, permissions, report and dashboard definitions, the semantic layer you build on top of your data sources, and any data you bring in via Excel uploads or API fetches. Your live database data is queried on demand and never retained.
No. DashboardFox is read-only by design — we have no functionality to write to your database. We still recommend using read-only database credentials as a best practice so both sides are covered.
No. Your dedicated DashboardFox instance database is not accessible to any outside connections. The read-only credentials provided are for use within the DashboardFox application only — they cannot be used to connect from external tools or networks.
SOC 2 Type II certification is currently in progress. Our architecture and processes have been designed for SOC 2 and GDPR compliance from day one — dedicated databases per customer, AES-256 encryption at rest, TLS 1.2+ in transit, full audit logs, annual third-party penetration testing, and cyber liability insurance are all in place now. We also support GDPR, CCPA, and HIPAA-ready deployments with a BAA available on request. The certification audits what's already built.
You assign Data Tags to users (like ClientID or Region) and DashboardFox automatically filters every report so each user sees only their data. It's configured once and applies everywhere — no per-report setup required. Included in every plan, including Starter at $99/mo.
Credentials for your external data sources — database passwords, API keys, OAuth tokens, and driver files — are encrypted and stored in the DashboardFox backend database. They are never retrieved back to the interface or displayed in plaintext. Your DashboardFox instance database also has a read-only password so you can register apps and build semantic layers on your imported Excel and API data. That password is managed through our management portal, where you can view it and self-service recycle it anytime. Every request to view these credentials is recorded in the audit log. Higher tiers also support SSH tunnels and TLS certificate management.
You can request a copy of your DashboardFox database, which includes all platform metadata (users, roles, report definitions, semantic layer) and any data imported via Excel or API. Source database data is never stored by DashboardFox and is unaffected by cancellation. Your data is retained for 30 days after cancellation, then all data — including credentials and backups — is permanently deleted.
No. Your data is yours. DashboardFox does not analyze, export, or use customer data for training models, marketing, or anything else. Only account administrators are contacted for billing and product updates — and you can opt out anytime.
Yes. Our self-hosted option runs entirely on your infrastructure — Windows, Linux, or Docker. Air-gapped capable, no phone-home required. Same core reporting engine as cloud, with differences in branding policies, caching, and data source routing. One-time license with first year of upgrades and priority support included, starting at $4,995. Learn more about self-hosted.
Early Access — 90 Days Free

Built lean. Priced fairly. Supported by humans.

Full access to all features. No credit card required.

Start Free Trial Have questions? Let's talk

Prefer no subscriptions & full control? Self-hosted from $4,995 one-time →

We'll notify you before Early Access ends

25+ years building BI tools Support from the team that builds it Available in US & EU regions
DashboardFox mascot