Seven Connection Modes for Data Portability: Which Is Right for Your Organization?
Not all data connections are created equal. Your choice of connection mode can make the difference between seamless compliance and security nightmares.
The Connection Mode Dilemma
When implementing data portability, you face a fundamental question: How do you securely access user data across your systems?
The answer depends on:
- Your security posture
- Your infrastructure
- Your compliance requirements
- Your team's capabilities
- Your users' expectations
There's no one-size-fits-all solution. That's why modern platforms support multiple connection modes.
The 7 Connection Modes
Mode 1: Browser-Only Mode (Zero Footprint)
How It Works:
- Credentials never leave the user's browser
- All queries run client-side via browser extensions or WebAssembly
- Data is extracted locally and uploaded encrypted
- Your servers never see credentials
Security Profile:
- ✅ Highest security: Credentials never transmitted
- ✅ Zero trust: No server-side credential storage
- ✅ Audit-friendly: Complete client-side control
- ⚠️ Limited scale: Depends on client resources
Best For:
- Highly regulated industries (finance, healthcare)
- Companies with strict zero-trust policies
- Scenarios where credential sharing is prohibited
- Small to medium data volumes
Real-World Example: A healthcare SaaS company uses browser mode because HIPAA auditors require that database credentials never leave their infrastructure. Users run exports from their own browsers, and the company never touches credentials.
Limitations:
- Requires modern browser
- Limited by client bandwidth
- Can't run in background
- User must stay connected
When to Choose:
- Security > convenience
- Regulatory requirements mandate it
- Data volumes < 10GB per export
- You have technical users
Mode 2: Vault Integration Mode
How It Works:
- Credentials stored in your existing secrets management (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault)
- Export platform requests credentials via API
- Credentials are used and immediately discarded
- Never persisted outside your vault
Security Profile:
- ✅ Enterprise-grade: Leverages existing security infrastructure
- ✅ Centralized control: All credentials in one place
- ✅ Audit trails: Vault logs all access
- ✅ Rotation-friendly: Update once, works everywhere
Best For:
- Enterprises with existing vault infrastructure
- Companies with strict credential policies
- Multi-team organizations
- Compliance-heavy industries
Real-World Example: A fintech company with 500 microservices already uses HashiCorp Vault. They configure SwitchKit to pull database credentials from Vault, maintaining their existing security model.
Setup Requirements:
- Existing vault infrastructure
- API access to vault
- Proper IAM roles and permissions
- Network connectivity
When to Choose:
- You already use a secrets manager
- You need centralized credential management
- You have DevOps/security team bandwidth
- Compliance requires secrets management
Mode 3: Direct Connection Mode (Encrypted Storage)
How It Works:
- Credentials stored encrypted in the export platform
- Encrypted at rest with AES-256
- Decrypted only during export operations
- Access controlled by IAM and RBAC
Security Profile:
- ✅ Good security: Industry-standard encryption
- ✅ Easy setup: No additional infrastructure
- ✅ Reliable: No external dependencies
- ⚠️ Trust required: Platform stores credentials
Best For:
- Companies without vault infrastructure
- Fast implementation timelines
- Standard security requirements
- Small to medium teams
Real-World Example: A SaaS startup needs compliance fast. They use direct mode with encrypted storage, accepting that the platform stores credentials in exchange for rapid deployment.
Security Measures:
- AES-256 encryption at rest
- TLS 1.3 in transit
- HSM-backed key storage
- Regular security audits
When to Choose:
- Speed > maximum security
- No existing vault infrastructure
- Standard compliance requirements
- Limited DevOps resources
Mode 4: Read-Only Replica Mode
How It Works:
- Create read-only replica of production database
- Export platform connects to replica, not production
- Zero impact on production performance
- Credentials are for replica only (limited blast radius)
Security Profile:
- ✅ Production isolation: No production access
- ✅ Performance isolation: No production impact
- ✅ Limited permissions: Read-only access
- ✅ Snapshot consistency: Point-in-time exports
Best For:
- High-traffic production systems
- Companies with existing replication
- Performance-sensitive applications
- Large data volumes
Real-World Example: An e-commerce platform with millions of transactions per day can't risk production database load. They set up a read replica specifically for data exports.
Setup Requirements:
- Database replication capability
- Replica infrastructure
- Replication lag monitoring
- Network access to replica
When to Choose:
- Production performance is critical
- You have large databases (>100GB)
- You already use replication
- You need point-in-time consistency
Mode 5: S3/File Import Mode
How It Works:
- Export data to S3 (or similar) from your systems
- Export platform reads from S3
- No direct database access required
- You control export timing and format
Security Profile:
- ✅ No database access: Platform never touches databases
- ✅ You control exports: Full control over what's exported
- ✅ Async processing: Decouple export from delivery
- ⚠️ Manual process: Requires your systems to export
Best For:
- Companies with strict database access policies
- Existing batch export processes
- Air-gapped or isolated systems
- Complex data transformation requirements
Real-World Example: A government contractor can't allow external database access. They export data nightly to S3, and the compliance platform picks it up from there.
Setup Requirements:
- S3 bucket (or equivalent)
- Export scripts/jobs
- Scheduling infrastructure
- IAM roles for bucket access
When to Choose:
- Database access is prohibited
- You have existing export processes
- You need custom transformations
- Async processing is acceptable
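A check for the policy behind the "IAM roles for bucket access" requirement above, as an added example that is not SwitchKit's own code: it flags anything in an identity policy beyond read-only access to a single export prefix. The bucket name, prefix and both sample policies are constructed, and the rules are deliberately stricter than IAM itself requires.

```python
READ_ACTIONS = {"s3:getobject", "s3:listbucket"}  # all an import reader needs

def _as_list(value):
    return value if isinstance(value, list) else [value]  # IAM accepts either

def audit_import_policy(policy, bucket, prefix):
    """List ways an identity policy exceeds read-only access to
    s3://bucket/prefix/. Deliberately stricter than IAM itself."""
    findings = []
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}/*"
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: grants by exclusion (NotAction/NotResource)")
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        for action in actions:
            if action not in READ_ACTIONS:  # also rejects wildcards such as s3:*
                findings.append(f"statement {i}: {action} is not needed to read exports")
        for res in _as_list(stmt.get("Resource", [])):
            if res == bucket_arn:
                # Bucket ARN is for ListBucket only; listing must stay in the prefix.
                allowed = [v for name, op in stmt.get("Condition", {}).items()
                           if name in ("StringEquals", "StringLike")
                           for key, vals in op.items() if key.lower() == "s3:prefix"
                           for v in _as_list(vals)]
                if actions != ["s3:listbucket"]:
                    findings.append(f"statement {i}: give ListBucket its own statement")
                elif not allowed or not all(v.startswith(prefix + "/") for v in allowed):
                    findings.append(f"statement {i}: ListBucket not limited to {prefix}/")
            elif res != object_arn:
                findings.append(f"statement {i}: {res} is outside {object_arn}")
    return findings

# Constructed sample policies (bucket and prefix names are placeholders).
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-exports/*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-exports/portability/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-exports",
     "Condition": {"StringLike": {"s3:prefix": ["portability/*"]}}}]}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("scoped", SCOPED)):
        print(name, audit_import_policy(doc, "example-exports", "portability"))
```

Running the same check in CI against the role attached to the import platform catches later edits that widen the grant.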
Mode 6: API Integration Mode
How It Works:
- Export platform calls your existing APIs
- Your APIs return user data
- No direct database access
- You control data access logic
Security Profile:
- ✅ API-first: Leverages existing APIs
- ✅ Business logic: Respects your access controls
- ✅ Flexible: Works with any backend
- ⚠️ API dependency: Requires well-designed APIs
Best For:
- API-first architectures
- Microservices environments
- Companies with mature API infrastructure
- Complex access control requirements
Real-World Example: A B2B platform has GraphQL APIs that already implement complex access control. They expose a data export API that the compliance platform calls.
Setup Requirements:
- Existing APIs (REST, GraphQL, gRPC)
- Authentication mechanism (OAuth, API keys)
- Rate limiting and throttling
- Comprehensive API documentation
When to Choose:
- You have mature API infrastructure
- Business logic is complex
- You want maximum control
- Your data model is API-first
Mode 7: Hybrid Mode (Mix and Match)
How It Works:
- Different connection modes for different data sources
- E.g., Browser mode for production DB, API mode for third-party services
- Flexibility to choose best mode per source
- Unified export pipeline
Security Profile:
- ✅ Optimized: Best security for each source
- ✅ Flexible: Adapt to different requirements
- ⚠️ Complex: More moving parts
- ⚠️ Management overhead: Multiple configurations
Best For:
- Complex, heterogeneous environments
- Companies with varied security requirements
- Large organizations with multiple teams
- Gradual migration scenarios
Real-World Example: An enterprise uses:
- Browser mode for production databases (highest security)
- Vault mode for internal services (centralized management)
- API mode for third-party integrations (existing infrastructure)
When to Choose:
- You have diverse data sources
- Different sources have different security requirements
- You want to optimize each connection
- You have the bandwidth to manage complexity
Decision Framework
Step 1: Assess Your Security Requirements
Questions to Ask:
- What compliance frameworks apply? (SOC 2, ISO 27001, HIPAA, etc.)
- What are your credential storage policies?
- What does your security team require?
- What have auditors flagged in the past?
Security Tiers:
- Maximum Security: Browser mode or Vault mode
- High Security: Read replica or API mode
- Standard Security: Direct mode with encryption
- Flexible Security: Hybrid mode
Step 2: Evaluate Your Infrastructure
Questions to Ask:
- Do you have a secrets manager?
- Do you have read replicas?
- Do you have mature APIs?
- What's your DevOps capacity?
Infrastructure Readiness:
- Vault exists → Vault mode
- Replicas exist → Replica mode
- APIs exist → API mode
- None exist → Browser or Direct mode
Step 3: Consider Performance Requirements
Questions to Ask:
- What's your data volume per user?
- How many concurrent exports?
- What's acceptable processing time?
- Can you impact production?
Performance Profiles:
- Large volumes (>10GB): Replica or S3 mode
- High concurrency (>100): Replica or API mode
- Production-sensitive: Replica or S3 mode
- Small volumes (less than 1GB): Any mode works
Step 4: Factor in Implementation Timeline
Questions to Ask:
- How quickly do you need this?
- What's your team's bandwidth?
- What infrastructure can you provision?
- What's your budget?
Implementation Speed:
- Fastest (1-2 weeks): Direct mode
- Fast (2-4 weeks): Browser or API mode
- Medium (4-6 weeks): Vault or Replica mode
- Slow (6-8 weeks): S3 or Hybrid mode
Comparison Matrix
| Mode    | Security   | Setup Time | Complexity | Best For             |
| ------- | ---------- | ---------- | ---------- | -------------------- |
| Browser | ⭐⭐⭐⭐⭐ | 2 weeks    | Low        | Regulated industries |
| Vault   | ⭐⭐⭐⭐⭐ | 4 weeks    | Medium     | Enterprises          |
| Direct  | ⭐⭐⭐⭐   | 1 week     | Low        | Startups             |
| Replica | ⭐⭐⭐⭐   | 4 weeks    | Medium     | High-scale           |
| S3      | ⭐⭐⭐⭐   | 6 weeks    | High       | Isolated systems     |
| API     | ⭐⭐⭐⭐   | 3 weeks    | Medium     | API-first orgs       |
| Hybrid  | ⭐⭐⭐⭐⭐ | 8 weeks    | High       | Complex environments |
Common Scenarios
Scenario 1: Early-Stage Startup
- Situation: 10K users, small team, need compliance fast
- Recommendation: Direct mode
- Why: Fast setup, good security, no infrastructure overhead
Scenario 2: Enterprise with Vault
- Situation: 1M users, existing HashiCorp Vault, security-first culture
- Recommendation: Vault mode
- Why: Leverages existing infrastructure, meets security requirements
Scenario 3: Healthcare SaaS
- Situation: HIPAA compliance, strict credential policies
- Recommendation: Browser mode
- Why: Credentials never leave user's control, audit-friendly
Scenario 4: High-Traffic E-commerce
- Situation: Millions of transactions/day, can't impact production
- Recommendation: Read replica mode
- Why: Zero production impact, handles large volumes
Scenario 5: Government Contractor
- Situation: Air-gapped systems, no external database access
- Recommendation: S3 mode
- Why: No direct access required, you control exports
Scenario 6: Microservices Architecture
- Situation: 50+ services, mature API infrastructure
- Recommendation: API mode
- Why: Leverages existing APIs, respects business logic
Scenario 7: Large Enterprise
- Situation: Multiple teams, varied requirements, complex environment
- Recommendation: Hybrid mode
- Why: Optimize each source independently
Migration Paths
Starting Simple, Growing Complex
Phase 1: Direct Mode (Month 1)
- Get compliant fast
- Learn your data landscape
- Build team expertise
Phase 2: Add Replica (Month 3)
- Offload production database
- Improve performance
- Reduce production risk
Phase 3: Integrate Vault (Month 6)
- Centralize credential management
- Improve security posture
- Simplify credential rotation
Phase 4: Hybrid Optimization (Month 12)
- Optimize each source
- Maximum security and performance
- Mature operational model
How SwitchKit Supports All Modes
SwitchKit is designed to support your journey:
Out of the Box
- Direct mode (encrypted storage)
- Browser mode (zero footprint)
- API mode (REST/GraphQL)
With Configuration
- Vault mode (HashiCorp, AWS, Azure)
- Replica mode (PostgreSQL, MySQL, MongoDB)
- S3 mode (AWS S3, Google Cloud Storage, Azure Blob)
Enterprise Features
- Hybrid mode (mix and match)
- Custom connectors
- Advanced security controls
Best Practices
Start Conservative
Begin with the most secure mode you can implement quickly. You can always optimize later.
Document Everything
Whatever mode you choose, document:
- Why you chose it
- How it's configured
- Who has access
- How to troubleshoot
Test Thoroughly
Test your connection mode with:
- Happy path scenarios
- Edge cases
- Failure scenarios
- Security scenarios
Monitor Continuously
Track:
- Connection success rate
- Performance metrics
- Security events
- Error patterns
Plan for Evolution
Your needs will change. Design for:
- Easy mode switching
- Gradual migration
- Hybrid configurations
- Future requirements
Conclusion
The right connection mode depends on your unique situation. There's no universal "best" choice—only the best choice for you.
Key Takeaways:
- Security requirements drive mode selection
- Infrastructure readiness enables certain modes
- Performance needs influence the decision
- Implementation timeline matters
- You can evolve over time
Start with:
- Assess your requirements
- Evaluate your infrastructure
- Choose the simplest mode that meets your needs
- Plan your evolution path
Remember: The best connection mode is the one that gets you compliant while meeting your security, performance, and operational requirements.