Oracle Data Safe is positioned as a free database security service included with Oracle Cloud, but the "free" positioning applies only to Autonomous Database and Exadata Cloud targets on OCI. When enterprises connect their on-premise Oracle Databases — or non-OCI cloud databases — to Data Safe for security assessment, user activity monitoring, and sensitive data discovery, they encounter a target database licensing model that can add hundreds of thousands of dollars annually to their Oracle spend.
Oracle Data Safe is Oracle's cloud-based database security control platform, delivered as an OCI service. It provides unified security capabilities across Oracle Database deployments: security and configuration assessment (evaluating database settings against security benchmarks), user risk assessment (identifying over-privileged accounts and dormant users), data discovery (locating sensitive data types including PII, financial data, and health records), data masking (replacing sensitive data with realistic non-sensitive equivalents for non-production environments), activity auditing (capturing database activity and generating compliance reports), and alerts (real-time notification of security policy violations).
Oracle built Data Safe to address the database security monitoring gap that exists in enterprise Oracle deployments. Prior to Data Safe, Oracle's security tools were fragmented across Oracle Audit Vault and Database Firewall (AVDF), Oracle Database Security Assessment Tool (DBSAT), and manual audit configuration. Data Safe consolidates these capabilities into a single OCI console with centralized policy management across all connected Oracle Database targets.
From a licensing perspective, Data Safe is priced on a "target database" model — meaning you pay per Oracle Database instance you connect to the service. This model creates clear incentives for Oracle: every additional Oracle Database in your estate is a potential additional Data Safe target, and every compliance requirement that drives you to monitor more databases drives more Data Safe revenue.
Oracle's marketing for Data Safe emphasises its inclusion with OCI at no additional charge. This is accurate, but only for a specific subset of database targets. Understanding exactly which targets are free versus which carry costs is essential before expanding your Data Safe deployment.
| Database Target Type | Data Safe Cost | Notes |
|---|---|---|
| Oracle Autonomous Database (Shared/Dedicated) on OCI | Free | Full Data Safe feature set included with Autonomous subscription |
| Oracle Exadata Cloud Service on OCI | Free | Included with ExaCS subscription at no additional charge |
| Oracle Database Cloud Service (DBCS) on OCI | Free | Included for databases running on OCI DBCS |
| Oracle Database on OCI Compute (BYOL) | Free | Databases you manage yourself on OCI VMs qualify as free targets |
| Oracle Database on-premise (any edition) | Paid | Requires a paid Data Safe target license; charged per database per month |
| Oracle Database on AWS, Azure, or GCP | Paid | Third-party cloud Oracle Databases treated as non-OCI targets and charged |
| Oracle Autonomous Database on Exadata Cloud@Customer | Free | Cloud@Customer treated as OCI for Data Safe licensing purposes |
The practical implication is that enterprises in hybrid cloud environments — running some databases on OCI and others on-premise or on AWS — pay Data Safe costs only for the non-OCI databases. This creates a financial incentive structure: every Oracle Database you migrate to OCI eliminates a paid Data Safe target. Oracle's account teams are not shy about using Data Safe target database costs as a migration incentive, particularly in OCI migration discussions where moving on-premise Oracle Databases to OCI is on the table.
A "target database" in Oracle Data Safe terminology is a single Oracle Database instance (not a CDB — each PDB within a CDB can be registered as a separate target). For on-premise databases, Oracle prices each target at a monthly subscription rate that varies based on the database edition and the feature tier of Data Safe you are using.
Oracle's target database pricing for on-premise Data Safe connections is not publicly listed — it is negotiated through Oracle's cloud subscription sales process. Benchmarks from enterprise deployments we have reviewed suggest per-target monthly costs in the range of $200–$800 per database instance per month, depending on edition, feature tier, and committed term. At these rates, an enterprise with 50 on-premise Oracle Database instances connecting all of them to Data Safe can add $120,000–$480,000 annually to their Oracle spend before a single feature has been used.
Compliance Trap: Enterprises implementing Data Safe as part of a GDPR, SOX, or PCI-DSS compliance program often connect all Oracle Database instances at once — driven by audit timelines — without pricing the target database costs first. The compliance team's urgency gives Oracle pricing leverage, and the cost is discovered when the first OCI invoice arrives. Model your target database count and costs before you connect any non-OCI databases to Data Safe.
Oracle Data Safe is structured in two functional tiers, with the higher tier required for the most compliance-critical capabilities.
The basic feature set includes Security Assessment, User Assessment, and Data Discovery. Security Assessment evaluates your database configuration against CIS Oracle Database benchmarks and Oracle's own security hardening guides, providing a risk score and remediation guidance. User Assessment identifies privileged accounts, dormant users, and accounts with excessive privileges. Data Discovery scans database schemas for sensitive data patterns and generates a sensitive data inventory — essential for GDPR Article 30 Records of Processing Activities.
Advanced features include Activity Auditing, Data Masking, and Alerts. Activity Auditing captures and stores database audit events — who accessed what data, when, and from where — in Oracle's managed audit repository. This is the feature set required for SOX database access logging, PCI-DSS audit trail requirements, and GDPR data access logging obligations. Data Masking generates masked copies of production schemas for use in development and test environments, eliminating sensitive data exposure in non-production databases. The advanced feature tier is licensed as an add-on to the base target database subscription and carries a separate per-target cost.
If you are running Oracle Data Safe on on-premise databases, our Oracle license optimization team can benchmark your target database costs against alternatives and restructure your Data Safe deployment to reduce spend while maintaining compliance coverage.
Connecting on-premise Oracle Databases to Data Safe requires deploying an on-premise connector — a Java-based agent that establishes an outbound TLS connection to OCI's Data Safe service endpoint. The connector itself is free software; the cost is entirely in the target database license you must purchase for each connected instance.
Oracle requires each database instance — not each physical server — to be licensed as a Data Safe target. A physical server running 10 Oracle Database SE2 instances represents 10 targets from a Data Safe licensing perspective. The connector supports one or more database instances per installed connector, but Oracle counts targets at the database instance level regardless of connector architecture.
Enterprises with large on-premise Oracle estates — common in manufacturing, government, and financial services — face material Data Safe costs when connecting comprehensive database inventories. A healthcare organization with 200 on-premise Oracle Database instances supporting clinical, administrative, and research systems could face Data Safe target database costs of $500,000–$1.5M annually for full estate coverage. At those economics, alternative database security monitoring tools such as Imperva, IBM Guardium, or Elastic SIEM become financially competitive even accounting for implementation costs.
Oracle Data Safe's Activity Auditing feature stores audit records in Oracle's OCI-managed repository. For OCI-native database targets, audit data storage is included in the Data Safe subscription for a defined retention period. For on-premise targets, audit data generated by on-premise databases is transmitted to OCI and stored in Oracle's managed audit repository, where storage costs apply.
Regulatory compliance typically requires 12–24 months of audit data retention (SOX requires seven years of records accessible). Long-term audit data retention in Oracle Data Safe's managed repository generates ongoing OCI Object Storage costs. High-transaction production databases can generate substantial daily audit volumes — a database processing millions of financial transactions daily can generate multi-gigabyte daily audit archives — and multi-year retention requirements accumulate quickly to material OCI storage costs. Enterprises should model audit volume and retention cost as part of their Data Safe total cost of ownership, not as an afterthought to the target database license cost.
Oracle Data Safe addresses a genuine compliance need in enterprise Oracle environments. The platform is particularly effective for organizations under the following regulatory frameworks:
For enterprises with OCI-based Oracle Database deployments, Data Safe provides these compliance capabilities at no additional cost — making it a compelling alternative to commercial third-party DAST (Database Activity Security Testing) tools that typically cost $300–$600 per database per year. The economic case weakens when on-premise databases are involved, where Data Safe target database costs approach or exceed commercial alternatives without the compliance requirement benefit of the additional spend.
Before committing to Oracle Data Safe for on-premise database security monitoring, enterprises should evaluate commercial alternatives. Oracle's Data Safe pricing for on-premise targets is rarely competitive with purpose-built database security platforms when total cost of ownership is accurately modelled.
Imperva Database Activity Monitoring (DAM) and IBM Security Guardium are the most commonly evaluated alternatives in enterprise Oracle Database environments. Both products support Oracle Database across versions and editions, provide equivalent or superior capabilities to Data Safe's advanced feature tier, and are priced at per-database rates that are typically 30–60% lower than Oracle's equivalent Data Safe target database costs. These alternatives do not include the OCI integration that makes Data Safe attractive for cloud-first Oracle environments, but for organizations with predominantly on-premise Oracle estates, the financial case for third-party alternatives is strong.
Our Oracle license optimization practice regularly conducts make-vs-buy analyses for Data Safe versus alternatives as part of Oracle cloud transition advisory work. The recommendation depends on your OCI adoption trajectory: if you are migrating Oracle Databases to OCI over the next 24–36 months, absorbing Data Safe on-premise target costs temporarily may be justified. If your on-premise Oracle estate is stable long-term, third-party alternatives produce better total cost outcomes.
Before committing to Oracle Data Safe for your on-premise estate, let our team benchmark the cost against alternatives. We have conducted this analysis for healthcare, financial services, and government organizations — the findings consistently challenge Oracle's preferred solution. Learn about our compliance review service →
For enterprises that have already committed to Oracle Data Safe or are in the process of negotiating, there are several practical cost control measures that we recommend as standard practice.
If OCI migration is on your roadmap, prioritize the databases that carry the highest compliance obligations — financial transaction databases, clinical data stores, HR systems — for early migration. Moving these to OCI first eliminates their Data Safe target database costs while maintaining compliance coverage, reducing your on-premise target database license count for the most expensive database tiers.
Oracle offers term discounts on Data Safe target database subscriptions for two and three-year commitments. The discount for a three-year commitment versus month-to-month can be 20–35%. If your on-premise database estate is stable (not actively migrating to OCI), locking in multi-year rates reduces unit costs. Do not accept Oracle's initial multi-year offer — benchmark against alternatives and use the competitive pricing as negotiating leverage.
Not every on-premise Oracle Database requires the full Data Safe advanced feature set. Development, test, and analytics databases that contain masked or synthetic data do not require Activity Auditing. License these at the basic feature tier (Security Assessment and User Assessment only) rather than the advanced tier, which significantly reduces per-target costs for the non-production database population.
If your Oracle Database environments are on version 12.1 or later, consolidating multiple databases into Container Database (CDB) architectures with Pluggable Databases (PDBs) reduces the number of independent instances — and therefore the number of Data Safe targets — in your estate. Oracle Data Safe allows PDB-level registration, which may not reduce licensing costs in all cases, but the architectural consolidation reduces management overhead and potentially the total target count depending on how Oracle prices PDB targets in your negotiation.
A major healthcare system faced $6M in Oracle compliance exposure across its clinical database estate. Our team conducted a full Oracle compliance review, covering database security option licensing, Advanced Security TDE deployment, and Data Safe target database costs — eliminating the compliance gap and reducing security monitoring spend by 40%. Read the case study →
Download our comprehensive Oracle Database licensing guide — covering all editions, options, security products, and compliance requirements — used by Oracle customers managing complex database estates.
Download Free Guide →Weekly briefings on Oracle audit activity, contract tactics, Java updates, and cloud licensing changes — read by 2,000+ Oracle stakeholders at Fortune 500 enterprises.
Oracle Licensing Experts Team — Former Oracle executives, licensing managers, and LMS auditors with 25+ years of combined experience. We operate exclusively on the buyer side. Learn about our team →