# Data Security

Data for a run is split between the **object store** (e.g. S3, GCS) and the **database**.&#x20;

* **Metadata** (e.g. name, schema) and **aggregate data** (e.g. summary statistics, histograms) are stored in the database.
* **Raw data** is stored in the object store.

All data accesses are mediated by the API ensuring the enforcement of access controls. For more details on permissions, see [Users and Permissions](/v0.22.x/using-distributional/access-controls/users-and-permissions.md).&#x20;

## Database

Database access is always done through the API with the API enforcing access controls to ensure users only access data for which they have permission.

## Object Store

Direct object store access is required to upload or download raw run data using the SDK. [Pre-signed URLs](https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-presigned-url.html) are used to provide limited direct access. This access is limited in both time and scope, ensuring only data for a specific run is accessible and that it is only accessible for a limited time.

When uploading or downloading data for a run, the SDK first sends a request for a pre-signed upload or download URL to the API. The API enforces access controls, returning an error if the user is missing the necessary permissions. Otherwise, it returns a pre-signed URL which the SDK then uses to upload or download the data.

<figure><img src="/files/nPX2mzpGPzHDjfncVFR9" alt=""><figcaption><p>Data upload</p></figcaption></figure>

{% hint style="info" %}
Uploading data to a run in a given namespace requires write permission to runs in that namespace. Downloading data from a run in a given namespace requires read permission to runs in that namespace.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.dbnl.com/v0.22.x/platform/self-hosted/data-security.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.