Architecture Overview

Dubhub's architecture has 3 main components:

The agent - A lightweight proxy that runs in your cloud environment and connects to your source database. It also applies your masking policy to the data in real time as it’s transmitted.
The replication server - Deployed in a hardened container, this server hosts a database replica that receives transactions from your source database. It regularly takes snapshots of the replica and pushes them to a private ECR registry in your account. It can also manage and run clones, allowing users to work with them remotely.
The Baseshift Dashboard - A web-based admin panel accessible from any supported browser. You can use it to configure Dubs, review and trigger snapshots, invite team members, and manage other settings.

Baseshift is designed to give you full control over your data and environment.

The agent and the replication server are installed in your environment. Your data never leaves your infrastructure.
The Baseshift dashboard acts only as a control plane. It’s used to configure and manage your Dubs. Baseshift or it's employees do not have access to your data or internal network.
Data masking is enforced by the agent. It applies anonymization policies before any data reaches the replication server. All data stored in the replication server is masked at all times, ensuring compliance without compromising workflow efficiency.
While user names and their roles are replicated, user passwords are not. Users can connect to local clones without a password, a random temporary password is generated for remote clones upon each launch.
If clones are built as Docker images, they are pushed to an ECR repository in your AWS account. The data inside the image is encrypted using AES-256 in XTS mode. You can optionally provide an additional encryption password at install time, which is never accessible to Baseshift services.