All the data stored using the insertItem, updateItem, deleteItem, or putTransaction APIs is end-to-end encrypted. Both the stored item and the item ID are end-to-end encrypted. Other user data and metadata, such as usernames, timestamps, and user activity logs, are encrypted on the wire and at rest, but are not end-to-end encrypted.
The user's encryption key gets randomly generated when the user creates an account, and this key gets encrypted itself with another key derived from the user's password. The encrypted key gets stored on the Userbase server, and the user retrieves it back after every successful login. The Userbase server never sees the user's password, and it only receives an scrypt hash of the password that gets computed client-side.
Resetting a user's password is possible, but only when the user has provided an email address during signUp or updateUser, and when the user has previously signed in with the rememberMe option set to 'local'. In this case, the user will have the encryption key saved in the browser's local storage, and the user will be able to regain access to the account by getting a temporary password via email. The user must still have access to a previously used device in order to be able to reset the password. Therefore, if you want to allow your users to reset their password, make sure to set rememberMe to 'local' during signUp and signIn, and make sure you require an email address during signUp and updateUser. We still recommend that you inform your users that since their data is end-to-end encrypted, they should take care to store their password in a safe place, such as a password manager. Recovery will not be possible if the user loses access to all previously used devices.
You can see the list of usernames, the time the user accounts were created, and any other information you collect during user sign up, such as users' email, name, address, etc.
From the Admin panel you can see all your users, suspend user accounts, and permanently close user accounts.
You can close your Userbase Admin account from the Admin panel. Once you close your Userbase Admin account, all your apps will stop working. If you closed your account in error, please get in touch to check if we can still recover it.
At the moment, Userbase is not metering data storage, and nothing will happen if you exceed it. In the future, Userbase will have other pricing plans that allow higher storage volumes. If you happen to be exceeding the limit when these new pricing plans become available, we will ask you to upgrade to the new plans.
At the moment, you will have to handle payments yourself and hide the web app from non-paying users. In the future, we will support payments directly from the Userbase SDK as part of a new pricing plan.
This feature will be available soon. At the moment, users only have access to their own data.
Userbase helps you implement the necessary GDPR controls, avoid personal data misuse, and give your users control over their data. If you need assistance with GDPR compliance, please get in touch.
Userbase only acknowledges data modification requests once the data has been successfully persisted to Amazon DynamoDB. This is a highly-durable service that synchronously replicates data to at least three isolated geographical zones before acknowledging a write operation. Userbase has continuous backups enabled on all its DynamoDB tables with a 35 day recovery window.