
Every compliance framework that touches data recovery says some version of the same thing: you need to be able to restore data, prove that you can, and show who changed what.
SOC 2 wants documented backup processes with tested restores. HIPAA requires “retrievable exact copies” of protected health information. PCI-DSS demands 12 months of audit trail history showing who accessed cardholder data. GDPR mandates restoration of personal data “in a timely manner.”
Most MySQL teams check the first box with a nightly mysqldump or xtrabackup to S3. That’s necessary. It’s also not sufficient. What these frameworks are really describing (continuous capture, granular recovery, forensic attribution) is Continuous Data Protection. CDP has been a recognized enterprise category for over a decade. Zerto, Veeam, Rubrik, and Cohesity all sell it. But they operate at the block and VM level. They don’t understand MySQL transactions, schemas, or rows. Nobody has built CDP for MySQL at the database level. That’s what dbtrail does.
The gap between “we have backups” and “we can restore”
Here’s what actually happens when someone deletes 50 rows from a production table at 2pm and you discover it at 4pm:
Your last backup was at 2am. That’s 12 hours of RPO. To recover those 50 rows, you restore the entire backup to a staging server (30 minutes to several hours depending on database size), query it to find the data, then manually write INSERT statements to put it back. If you also need the binlog to replay changes between 2am and 2pm, you’re parsing raw binlog output with mysqlbinlog, hoping the retention window hasn’t expired, and praying you find the right position.
Total recovery time: hours. Confidence level: low. Audit trail showing what happened: nonexistent.
Now imagine your auditor asks: “Can you demonstrate recovery of a specific record to a point in time within your stated RPO?” The honest answer for most MySQL teams is no. Not for a single record. Only for the entire database, and only to the timestamp of the last backup.
What auditors actually look for
Compliance frameworks are less prescriptive about tools and more prescriptive about capabilities. They don’t say “use mysqldump.” They say things like:
SOC 2 A1.2/A1.3: You need backup processes and tested recovery procedures. Your auditor wants evidence that restores work, not just that backups run. A1.3 means you need to periodically prove you can recover, and document the result.
HIPAA §164.308(a)(7): The contingency plan requires a data backup plan, a disaster recovery plan, and testing and revision procedures. The regulation says “retrievable exact copies” of ePHI. If your MySQL database stores patient data, you need to be able to retrieve the exact state of a specific record, not just the whole database.
PCI-DSS Requirement 10: This one is different. It’s not about backup and recovery, it’s about audit trails. 10.2 wants audit logs for forensic analysis. 10.5 wants 12 months of retention with 3 months immediately available. The log entries must include user identification, event type, date/time, and identity of affected data. Application-layer logs cover API calls and logins, but they don’t capture what happened to the data itself at the database level. If a privileged user runs a direct DELETE against a table, your application logs have nothing.
GDPR Article 32(1)(c): Requires the ability to restore personal data “in a timely manner.” The phrase is intentionally vague, but it is hard to argue that a 4-hour full restore is “timely” when the incident affected 3 rows.
What fills the gap: Continuous Data Protection for MySQL
dbtrail is CDP built specifically for MySQL. It indexes binary logs in real time. Every INSERT, UPDATE, and DELETE is captured with full before/after row values, tied to the MySQL user, source host, and timestamp. When something goes wrong, you query the index, see exactly what changed, and get recovery SQL that restores only the affected rows.
Infrastructure-level CDP treats your database as an opaque block device. dbtrail understands tables, rows, transactions, foreign keys, and schema changes. That’s what makes row-level recovery, transaction forensics, and targeted rollback possible. Oracle solved this for its own ecosystem 20 years ago with Flashback. MySQL never had anything comparable.
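To make the row-level idea concrete, here is an added example (not dbtrail's code and not part of the original page) that reads decoded `mysqlbinlog` output, finds DELETEs on one table inside an incident window, and emits INSERT statements that put back only those rows. The `shop.orders` table, its column names and the sample output are constructed; it assumes `binlog_format=ROW` and `binlog_row_image=FULL`, so each deleted row's full before-image is in the log.

```python
import re
from datetime import datetime

# Constructed `mysqlbinlog --verbose --base64-output=DECODE-ROWS` output (ROW format, full row image).
SAMPLE = """\
#240115 13:58:10 server id 1  end_log_pos 4180 CRC32 0x1a2b3c4d  Delete_rows: table id 108 flags: STMT_END_F
### DELETE FROM `shop`.`orders`
### WHERE
###   @1=1001
###   @2='alice@example.com'
#240115 14:00:03 server id 1  end_log_pos 5330 CRC32 0x5e6f7a8b  Delete_rows: table id 108 flags: STMT_END_F
### DELETE FROM `shop`.`orders`
### WHERE
###   @1=1002
###   @2='bob@example.com'
### DELETE FROM `shop`.`orders`
### WHERE
###   @1=1003
###   @2=NULL
"""
HEADER = re.compile(r"^#(\d{6})\s+(\d{1,2}:\d{2}:\d{2})\s+server id")
DELETE = re.compile(r"^### DELETE FROM `([^`]+)`\.`([^`]+)`")
COLUMN = re.compile(r"^###   @(\d+)=(.*)$")

def deleted_rows(text, schema, table, start, end):
    """Return [(timestamp, {column_position: sql_literal})] for DELETEs in [start, end]."""
    rows, current, ts = [], None, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            # Every binlog event starts with a header line, so reset the row state here.
            ts, current = datetime.strptime(f"{m[1]} {m[2]}", "%y%m%d %H:%M:%S"), None
        elif m := DELETE.match(line):
            current = None
            if (m[1], m[2]) == (schema, table) and ts is not None and start <= ts <= end:
                current = {}
                rows.append((ts, current))
        elif (m := COLUMN.match(line)) and current is not None:
            current[int(m[1])] = m[2]  # value is already printed as a SQL literal
    return rows

def restore_sql(rows, schema, table, columns):
    """One INSERT per deleted row; `columns` names @1..@N and is supplied by the caller."""
    cols = ", ".join(f"`{c}`" for c in columns)
    out = []
    for ts, vals in rows:
        if sorted(vals) != list(range(1, len(columns) + 1)):
            raise ValueError(f"row deleted at {ts} does not match the column list")
        literals = ", ".join(vals[i] for i in range(1, len(columns) + 1))
        out.append(f"INSERT INTO `{schema}`.`{table}` ({cols}) VALUES ({literals});  -- deleted {ts}")
    return out
```

The column-count check is what catches a log written with a reduced row image, where the before-image holds fewer columns than the table and a restore built from it would be incomplete.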
In practice, that means three things your backups can’t give you:
Granular recovery. Restore specific rows to their pre-incident state in seconds. No staging server, no full restore, no manual SQL. This is what lets you answer “can you demonstrate point-in-time recovery of a specific record” with a yes.
Data-level audit trail. Every row change is attributed to a MySQL user, host, and timestamp, with the complete before and after values. This is the database-level audit trail that application logging misses, and it is what PCI-DSS Requirement 10 is asking for.
Testable recovery. Recovery SQL can be generated at any time, against any past timestamp. You can validate it without executing it (dry-run mode). This is the evidence your SOC 2 auditor wants for A1.3.
What dbtrail does not do
It doesn’t replace your backups. You still need xtrabackup or mysqldump for full disaster recovery. You still need cross-region replication for infrastructure-level DR. You still need application-layer logging for access events that don’t touch the database directly.
dbtrail is the layer between those systems: database-native CDP with row-level recovery, data-change audit trails, and the ability to prove it all works on demand.
The compliance mapping
We published a detailed mapping of dbtrail capabilities to specific controls across SOC 2, HIPAA, PCI-DSS, and GDPR. It lists every relevant control number, what dbtrail covers, and what you still need from other tools.
If you’re going through a compliance audit and want to include dbtrail as a documented technical control, contact us at hello@dbtrail.com. We can provide architecture documentation, encryption specifications, and recovery validation procedures for your evidence package.
dbtrail is Continuous Data Protection for MySQL. Every change captured, every row recoverable, in seconds.