This looks useful, but I'm hesitant to give a third party access to my production databases. What assurances do I have in regard to the safety of this tool and whether or not it will access my client's secure data?
OtterTune does not need to access user tables or view queries (nor do we want to). OtterTune only collects runtime metrics from the database (e.g., InnoDB stats, pg_stat_database) and CloudWatch. These performance counters are enough of a signal to tell how your application uses the database and how to optimize the system accordingly.
Two of our major deployments that we can talk about were at a French bank and Booking.com, both of which are in Europe. Their infosec people looked at what we were sending to our service and said that there were no GDPR issues.
The original motivation of the OtterTune project started because when I was a grad student I had trouble getting real workloads and data sets for my experiments. So I decided to purposely work on a database optimization tool that did not need access to the things that you are worried about when I started as a new professor.