The Heimdall Proxy and Manager do not store customer information beyond possibly SQL logs, and this is optional. Further, the "Paranoia" log option will strip SQL query information that may be considered sensitive from any logs.

PCI/HIPAA & Query Caching

When caching, Heimdall stores data in-memory only, and as such is considered in-flight. When connected to an external cache via Redis, an option is provided to use TLS for over the wire encryption.
The Redis configuration should be such that it does not store data to disk (this is the default for Elasticache and most other Redis deployments).

To avoid storing actual cached data to the l2 cache (Redis or Hazelcast) but to only use them for invalidation, you can set the "PCI" option in the cache settings.

SOC2 Compliance

Heimdall does not operate software as a service, so usage of the Heimdall Proxy and associated management components does not fall under SOC2 compliance.

Security Best Practices

By default, Heimdall negotiates the highest level of TLS supported by the database in question on a VDB when TLS is enabled, and will negotiate to the highest level of security common between the client and the version of Java used by Heimdall (default is Java 11). This typically results in TLS 1.2 connections except for SQL Server, as many drivers do not support negotiating with TLS 1.2, so 1.1 is used. If deprecated versions of TLS are needed for old clients, they must be enabled by using the "enable legacy TLS support", but this is not recommended unless needed and appropriate physical security over the connections is assumed.

Heimdall provides a UI interface for uploading of TLS certificates for use with the GUI and VDBs.

When in the AWS cloud environment, configurations (including all passwords) can be stored in an AWS secret.

Export Control Classification Number

Heimdall falls under ECCN 5D992.c. It does not implement itself any cryptographic functions, but instead uses the functions available from Java for the implementation of TLS.
We package by default with the open source OpenJDK, which also falls under ECCN 5D992.c per
Our object code is available for public download to further compliance with 5D992.c.