An audit trail of every database action, tied to a real identity

Database audit logging is the recorded trail of database activity — who did what, when, and from where. It splits into two layers: the infrastructure layer (provisioning, configuration, backups, managed by the cloud provider) and the workflow layer (schema changes, queries, approvals, exports inside the database).

Yes. SOC 2, HIPAA, PCI DSS, ISO 27001, and GDPR all require an audit trail covering both layers. Infrastructure logs from CloudTrail, Cloud Audit Logs, or Azure Monitor cover provider-managed actions. The workflow layer needs separate auditing through engine-native tools (pgaudit, MySQL audit plugins, SQL Server Audit, Oracle Unified Auditing) or a workflow gateway like Bytebase.

SOC 2 (Trust Services Criteria CC6.1, CC6.3, CC7.2), HIPAA (§ 164.312(b)), PCI DSS (Requirement 10), ISO 27001 (Annex A 8.15), and GDPR (Article 30). Each emphasizes different fields and retention rules — PCI DSS requires one year online, HIPAA emphasizes PHI access, SOC 2 emphasizes administrator activity.

Engine-native tools log the statement but leave three gaps: identity (a database user, not the person behind a shared account), context (no approval, reason, or masking decision), and coverage (a different tool and format per engine). Bytebase records routed actions at the gateway with the real SSO identity, the surrounding workflow context, and one consistent format across every engine.

No. Bytebase logs actions routed through it — the workflow layer where people query and change schema. An application or admin connecting directly to the database isn't in Bytebase's audit log; engine-native auditing (pgaudit, SQL Server Audit, Oracle Unified Auditing) is the backstop for that path. The two together cover the workflow and direct-access paths.

Yes. Bytebase runs in your own infrastructure as a single Docker image, so your data and database credentials never leave your network, and it's open-source.