Merge pull request #261 from databasus/develop

FIX (webhook): Update webhook tests to not expect URL to be encrypted
2026-04-06 00:32:03 +02:00 · 2026-01-14 09:43:26 +03:00 · 2026-01-14 09:42:25 +03:00 · 2026-01-14 09:10:28 +03:00 · 2026-01-14 09:09:00 +03:00 · 2026-01-14 08:39:27 +03:00
206 changed files with 14460 additions and 3199 deletions
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -17,7 +17,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.24.4"
+          go-version: "1.24.9"

      - name: Cache Go modules
        uses: actions/cache@v4
@@ -134,7 +134,7 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: "1.24.4"
+          go-version: "1.24.9"

      - name: Cache Go modules
        uses: actions/cache@v4
@@ -221,6 +221,12 @@ jobs:
          TEST_MONGODB_60_PORT=27060
          TEST_MONGODB_70_PORT=27070
          TEST_MONGODB_82_PORT=27082
+          # Valkey (cache)
+          VALKEY_HOST=localhost
+          VALKEY_PORT=6379
+          VALKEY_USERNAME=
+          VALKEY_PASSWORD=
+          VALKEY_IS_SSL=false
          EOF

      - name: Start test containers
@@ -233,6 +239,11 @@ jobs:
          # Wait for main dev database
          timeout 60 bash -c 'until docker exec dev-db pg_isready -h localhost -p 5437 -U postgres; do sleep 2; done'

+          # Wait for Valkey (cache)
+          echo "Waiting for Valkey..."
+          timeout 60 bash -c 'until docker exec dev-valkey valkey-cli ping 2>/dev/null | grep -q PONG; do sleep 2; done'
+          echo "Valkey is ready!"
+
          # Wait for test databases
          timeout 60 bash -c 'until nc -z localhost 5000; do sleep 2; done'
          timeout 60 bash -c 'until nc -z localhost 5001; do sleep 2; done'
@@ -672,17 +683,6 @@ jobs:
            echo EOF
          } >> $GITHUB_OUTPUT

-      - name: Update CITATION.cff version
-        run: |
-          VERSION="${{ needs.determine-version.outputs.new_version }}"
-          sed -i "s/^version: .*/version: ${VERSION}/" CITATION.cff
-          sed -i "s/^date-released: .*/date-released: \"$(date +%Y-%m-%d)\"/" CITATION.cff
-          git config user.name "github-actions[bot]"
-          git config user.email "github-actions[bot]@users.noreply.github.com"
-          git add CITATION.cff
-          git commit -m "Update CITATION.cff to v${VERSION}" || true
-          git push || true
-
      - name: Create GitHub Release
        uses: actions/create-release@v1
        env:
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -6,14 +6,14 @@ repos:
    hooks:
      - id: frontend-format
        name: Frontend Format (Prettier)
-        entry: powershell -Command "cd frontend; npm run format"
+        entry: bash -c "cd frontend && npm run format"
        language: system
        files: ^frontend/.*\.(ts|tsx|js|jsx|json|css|md)$
        pass_filenames: false

      - id: frontend-lint
        name: Frontend Lint (ESLint)
-        entry: powershell -Command "cd frontend; npm run lint"
+        entry: bash -c "cd frontend && npm run lint"
        language: system
        files: ^frontend/.*\.(ts|tsx|js|jsx)$
        pass_filenames: false
@@ -23,7 +23,7 @@ repos:
    hooks:
      - id: backend-format-and-lint
        name: Backend Format & Lint (golangci-lint)
-        entry: powershell -Command "cd backend; golangci-lint fmt; golangci-lint run"
+        entry: bash -c "cd backend && golangci-lint fmt ./internal/... ./cmd/... && golangci-lint run ./internal/... ./cmd/..."
        language: system
        files: ^backend/.*\.go$
-        pass_filenames: false
+        pass_filenames: false
--- a/CITATION.cff
+++ b/CITATION.cff
@@ -32,5 +32,5 @@ keywords:
  - mongodb
  - mariadb
 license: Apache-2.0
-version: 2.16.3
-date-released: "2025-12-25"
+version: 2.21.0
+date-released: "2026-01-05"
--- a/130
+++ b/130
@@ -22,7 +22,7 @@ RUN npm run build

 # ========= BUILD BACKEND =========
 # Backend build stage
-FROM --platform=$BUILDPLATFORM golang:1.24.4 AS backend-build
+FROM --platform=$BUILDPLATFORM golang:1.24.9 AS backend-build

 # Make TARGET args available early so tools built here match the final image arch
 ARG TARGETOS
@@ -123,6 +123,15 @@ RUN wget -qO- https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
  apt-get install -y --no-install-recommends postgresql-17 && \
  rm -rf /var/lib/apt/lists/*

+# Install Valkey server from debian repository
+# Valkey is only accessible internally (localhost) - not exposed outside container
+RUN wget -O /usr/share/keyrings/greensec.github.io-valkey-debian.key https://greensec.github.io/valkey-debian/public.key && \
+  echo "deb [signed-by=/usr/share/keyrings/greensec.github.io-valkey-debian.key] https://greensec.github.io/valkey-debian/repo $(lsb_release -cs) main" \
+  > /etc/apt/sources.list.d/valkey-debian.list && \
+  apt-get update && \
+  apt-get install -y --no-install-recommends valkey && \
+  rm -rf /var/lib/apt/lists/*
+
 # ========= Install rclone =========
 RUN apt-get update && \
  apt-get install -y --no-install-recommends rclone && \
@@ -172,19 +181,23 @@ RUN if [ "$TARGETARCH" = "amd64" ]; then \

 # ========= Install MongoDB Database Tools =========
 # Note: MongoDB Database Tools are backward compatible - single version supports all server versions (4.0-8.0)
-# Use dpkg with apt-get -f install to handle dependencies
+# Note: For ARM64, we use Ubuntu 22.04 package as MongoDB doesn't provide Debian 12 ARM64 packages
 RUN apt-get update && \
  if [ "$TARGETARCH" = "amd64" ]; then \
  wget -q https://fastdl.mongodb.org/tools/db/mongodb-database-tools-debian12-x86_64-100.10.0.deb -O /tmp/mongodb-database-tools.deb; \
  elif [ "$TARGETARCH" = "arm64" ]; then \
-  wget -q https://fastdl.mongodb.org/tools/db/mongodb-database-tools-debian12-aarch64-100.10.0.deb -O /tmp/mongodb-database-tools.deb; \
+  wget -q https://fastdl.mongodb.org/tools/db/mongodb-database-tools-ubuntu2204-arm64-100.10.0.deb -O /tmp/mongodb-database-tools.deb; \
  fi && \
-  dpkg -i /tmp/mongodb-database-tools.deb || true && \
-  apt-get install -f -y --no-install-recommends && \
-  rm /tmp/mongodb-database-tools.deb && \
+  dpkg -i /tmp/mongodb-database-tools.deb || apt-get install -f -y --no-install-recommends && \
+  rm -f /tmp/mongodb-database-tools.deb && \
  rm -rf /var/lib/apt/lists/* && \
-  ln -sf /usr/bin/mongodump /usr/local/mongodb-database-tools/bin/mongodump && \
-  ln -sf /usr/bin/mongorestore /usr/local/mongodb-database-tools/bin/mongorestore
+  mkdir -p /usr/local/mongodb-database-tools/bin && \
+  if [ -f /usr/bin/mongodump ]; then \
+  ln -sf /usr/bin/mongodump /usr/local/mongodb-database-tools/bin/mongodump; \
+  fi && \
+  if [ -f /usr/bin/mongorestore ]; then \
+  ln -sf /usr/bin/mongorestore /usr/local/mongodb-database-tools/bin/mongorestore; \
+  fi

 # Create postgres user and set up directories
 RUN useradd -m -s /bin/bash postgres || true && \
@@ -241,7 +254,34 @@ PG_BIN="/usr/lib/postgresql/17/bin"
 # Ensure proper ownership of data directory
 echo "Setting up data directory permissions..."
 mkdir -p /databasus-data/pgdata
+mkdir -p /databasus-data/temp
+mkdir -p /databasus-data/backups
 chown -R postgres:postgres /databasus-data
+chmod 700 /databasus-data/temp
+
+# ========= Start Valkey (internal cache) =========
+echo "Configuring Valkey cache..."
+cat > /tmp/valkey.conf << 'VALKEY_CONFIG'
+port 6379
+bind 127.0.0.1
+protected-mode yes
+save ""
+maxmemory 256mb
+maxmemory-policy allkeys-lru
+VALKEY_CONFIG
+
+echo "Starting Valkey..."
+valkey-server /tmp/valkey.conf &
+VALKEY_PID=\$!
+
+echo "Waiting for Valkey to be ready..."
+for i in {1..30}; do
+    if valkey-cli ping >/dev/null 2>&1; then
+        echo "Valkey is ready!"
+        break
+    fi
+    sleep 1
+done

 # Initialize PostgreSQL if not already initialized
 if [ ! -s "/databasus-data/pgdata/PG_VERSION" ]; then
@@ -257,24 +297,68 @@ if [ ! -s "/databasus-data/pgdata/PG_VERSION" ]; then
    echo "max_connections = 100" >> /databasus-data/pgdata/postgresql.conf
 fi

-# Start PostgreSQL in background
-echo "Starting PostgreSQL..."
-gosu postgres \$PG_BIN/postgres -D /databasus-data/pgdata -p 5437 &
-POSTGRES_PID=\$!
+# Function to start PostgreSQL and wait for it to be ready
+start_postgres() {
+    echo "Starting PostgreSQL..."
+    gosu postgres \$PG_BIN/postgres -D /databasus-data/pgdata -p 5437 &
+    POSTGRES_PID=\$!
+    
+    echo "Waiting for PostgreSQL to be ready..."
+    for i in {1..30}; do
+        if gosu postgres \$PG_BIN/pg_isready -p 5437 -h localhost >/dev/null 2>&1; then
+            echo "PostgreSQL is ready!"
+            return 0
+        fi
+        sleep 1
+    done
+    return 1
+}

-# Wait for PostgreSQL to be ready
-echo "Waiting for PostgreSQL to be ready..."
-for i in {1..30}; do
-    if gosu postgres \$PG_BIN/pg_isready -p 5437 -h localhost >/dev/null 2>&1; then
-        echo "PostgreSQL is ready!"
-        break
-    fi
-    if [ \$i -eq 30 ]; then
-        echo "PostgreSQL failed to start"
+# Try to start PostgreSQL
+if ! start_postgres; then
+    echo ""
+    echo "=========================================="
+    echo "PostgreSQL failed to start. Attempting WAL reset recovery..."
+    echo "=========================================="
+    echo ""
+    
+    # Kill any remaining postgres processes
+    pkill -9 postgres 2>/dev/null || true
+    sleep 2
+    
+    # Attempt pg_resetwal to recover from WAL corruption
+    echo "Running pg_resetwal to reset WAL..."
+    if gosu postgres \$PG_BIN/pg_resetwal -f /databasus-data/pgdata; then
+        echo "WAL reset successful. Restarting PostgreSQL..."
+        
+        # Try starting PostgreSQL again after WAL reset
+        if start_postgres; then
+            echo "PostgreSQL recovered successfully after WAL reset!"
+        else
+            echo ""
+            echo "=========================================="
+            echo "ERROR: PostgreSQL failed to start even after WAL reset."
+            echo "The database may be severely corrupted."
+            echo ""
+            echo "Options:"
+            echo "  1. Delete the volume and start fresh (data loss)"
+            echo "  2. Manually inspect /databasus-data/pgdata for issues"
+            echo "=========================================="
+            exit 1
+        fi
+    else
+        echo ""
+        echo "=========================================="
+        echo "ERROR: pg_resetwal failed."
+        echo "The database may be severely corrupted."
+        echo ""
+        echo "Options:"
+        echo "  1. Delete the volume and start fresh (data loss)"
+        echo "  2. Manually inspect /databasus-data/pgdata for issues"
+        echo "=========================================="
        exit 1
    fi
-    sleep 1
-done
+fi

 # Create database and set password for postgres user
 echo "Setting up database and user..."
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@
  <img src="assets/logo.svg" alt="Databasus Logo" width="250"/>

  <h3>Backup tool for PostgreSQL, MySQL and MongoDB</h3>
-  <p>Databasus is a free, open source and self-hosted tool to backup databases. Make backups with different storages (S3, Google Drive, FTP, etc.) and notifications about progress (Slack, Discord, Telegram, etc.). Previously known as Postgresus (see migration guide).</p>
+  <p>Databasus is a free, open source and self-hosted tool to backup databases (with focus on PostgreSQL). Make backups with different storages (S3, Google Drive, FTP, etc.) and notifications about progress (Slack, Discord, Telegram, etc.). Previously known as Postgresus (see migration guide).</p>
  
  <!-- Badges -->
   [![PostgreSQL](https://img.shields.io/badge/PostgreSQL-336791?logo=postgresql&logoColor=white)](https://www.postgresql.org/)
@@ -114,7 +114,7 @@ You have four ways to install Databasus:

 ## 📦 Installation

-You have three ways to install Databasus: automated script (recommended), simple Docker run, or Docker Compose setup.
+You have four ways to install Databasus: automated script (recommended), simple Docker run, or Docker Compose setup.

 ### Option 1: Automated installation script (recommended, Linux only)

@@ -245,6 +245,8 @@ This project is licensed under the Apache 2.0 License - see the [LICENSE](LICENS

 Contributions are welcome! Read the <a href="https://databasus.com/contribute">contributing guide</a> for more details, priorities and rules. If you want to contribute but don't know where to start, message me on Telegram [@rostislav_dugin](https://t.me/rostislav_dugin)

+Also you can join our large community of developers, DBAs and DevOps engineers on Telegram [@databasus_community](https://t.me/databasus_community).
+
 --

 ## 📖 Migration guide
@@ -271,6 +273,8 @@ Then manually move databases from Postgresus to Databasus.

 ### Why was Postgresus renamed to Databasus?

+Databasus has been developed since 2023. It was internal tool to backup production and home projects databases. In start of 2025 it was released as open source project on GitHub. By the end of 2025 it became popular and the time for renaming has come in December 2025.
+
 It was an important step for the project to grow. Actually, there are a couple of reasons:

 1. Postgresus is no longer a little tool that just adds UI for pg_dump for little projects. It became a tool both for individual users, DevOps, DBAs, teams, companies and even large enterprises. Tens of thousands of users use Postgresus every day. Postgresus grew into a reliable backup management tool. Initial positioning is no longer suitable: the project is not just a UI wrapper, it's a solid backup management system now (despite it's still easy to use).
@@ -278,3 +282,35 @@ It was an important step for the project to grow. Actually, there are a couple o
 2. New databases are supported: although the primary focus is PostgreSQL (with 100% support in the most efficient way) and always will be, Databasus added support for MySQL, MariaDB and MongoDB. Later more databases will be supported.

 3. Trademark issue: "postgres" is a trademark of PostgreSQL Inc. and cannot be used in the project name. So for safety and legal reasons, we had to rename the project.
+
+## AI disclaimer
+
+There have been questions about AI usage in project development in issues and discussions. As the project focuses on security, reliability and production usage, it's important to explain how AI is used in the development process.
+
+AI is used as a helper for:
+
+- verification of code quality and searching for vulnerabilities
+- cleaning up and improving documentation, comments and code
+- assistance during development
+- double-checking PRs and commits after human review
+
+AI is not used for:
+
+- writing entire code
+- "vibe code" approach
+- code without line-by-line verification by a human
+- code without tests
+
+The project has:
+
+- solid test coverage (both unit and integration tests)
+- CI/CD pipeline automation with tests and linting to ensure code quality
+- verification by experienced developers with experience in large and secure projects
+
+So AI is just an assistant and a tool for developers to increase productivity and ensure code quality. The work is done by developers.
+
+Moreover, it's important to note that we do not differentiate between bad human code and AI vibe code. There are strict requirements for any code to be merged to keep the codebase maintainable.
+
+Even if code is written manually by a human, it's not guaranteed to be merged. Vibe code is not allowed at all and all such PRs are rejected by default (see [contributing guide](https://databasus.com/contribute)).
+
+We also draw attention to fast issue resolution and security [vulnerability reporting](https://github.com/databasus/databasus?tab=security-ov-file#readme).
--- a/assets/dashboard-dark.svg
+++ b/assets/dashboard-dark.svg
--- a/assets/logo-square.png
+++ b/assets/logo-square.png
--- a/assets/logo-square.svg
+++ b/assets/logo-square.svg
@@ -0,0 +1,12 @@
+<svg width="128" height="128" viewBox="0 0 128 128" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_287_1020)">
+<path d="M50.1522 115.189C50.1522 121.189 57.1564 121.193 59 118C60.1547 116 61 114 61 108C61 102 58.1044 96.9536 55.3194 91.5175C54.6026 90.1184 53.8323 88.6149 53.0128 86.9234C51.6073 84.0225 49.8868 81.3469 47.3885 79.2139C47.0053 78.8867 46.8935 78.0093 46.9624 77.422C47.2351 75.1036 47.5317 72.7876 47.8283 70.4718C48.3186 66.6436 48.8088 62.8156 49.1909 58.9766C49.459 56.2872 49.4542 53.5119 49.1156 50.8329C48.3833 45.0344 45.1292 40.7783 40.1351 37.9114C38.6818 37.0771 38.2533 36.1455 38.4347 34.5853C38.9402 30.2473 40.6551 26.3306 42.8342 22.6642C44.8356 19.297 47.1037 16.0858 49.3676 12.8804C49.6576 12.4699 49.9475 12.0594 50.2367 11.6488C50.6069 11.1231 51.5231 10.7245 52.1971 10.7075C60.4129 10.5017 68.6303 10.3648 76.8477 10.2636C77.4123 10.2563 78.1584 10.5196 78.5221 10.9246C83.6483 16.634 88.2284 22.712 90.9778 29.9784C91.1658 30.4758 91.3221 30.9869 91.4655 31.4997C92.4976 35.1683 92.4804 35.1803 89.5401 37.2499L89.4071 37.3436C83.8702 41.2433 81.8458 46.8198 82.0921 53.349C82.374 60.8552 84.0622 68.1313 85.9869 75.3539C86.3782 76.8218 86.6318 77.9073 85.2206 79.2609C82.3951 81.9698 81.2196 85.6872 80.6575 89.4687C80.0724 93.4081 79.599 97.3637 79.1254 101.32C78.8627 103.515 78.8497 105.368 78.318 107.904C76.2819 117.611 71 128 63 128H50.1522C45 128 41 123.189 41 115.189H50.1522Z" fill="#155DFC"/>
+<path d="M46.2429 6.56033C43.3387 11.1 40.3642 15.4031 37.7614 19.9209C35.413 23.9964 33.8487 28.4226 33.0913 33.1211C32.0998 39.2728 33.694 44.7189 38.0765 48.9775C41.6846 52.4835 42.6153 56.4472 42.152 61.1675C41.1426 71.4587 39.1174 81.5401 36.2052 91.4522C36.1769 91.5477 36.0886 91.6255 35.8974 91.8977C34.1517 91.3525 32.3161 90.8446 30.5266 90.2095C5.53011 81.3376 -12.7225 64.953 -24.1842 41.0298C-25.175 38.9625 -26.079 36.8498 -26.9263 34.7202C-27.0875 34.3151 -26.9749 33.5294 -26.6785 33.2531C-17.1479 24.3723 -7.64007 15.4647 2.00468 6.70938C8.64568 0.681612 16.5812 -1.21558 25.2457 0.739942C31.9378 2.24992 38.5131 4.27834 45.1363 6.09048C45.5843 6.2128 45.9998 6.45502 46.2429 6.56033Z" fill="#155DFC"/>
+<path d="M96.9586 89.3257C95.5888 84.7456 94.0796 80.4011 93.0111 75.9514C91.6065 70.0978 90.4683 64.1753 89.3739 58.2529C88.755 54.9056 89.3998 51.8176 91.89 49.2108C98.2669 42.5358 98.3933 34.7971 95.3312 26.7037C92.7471 19.8739 88.593 13.9904 83.7026 8.60904C83.1298 7.9788 82.5693 7.33641 81.918 6.60491C82.2874 6.40239 82.5709 6.18773 82.8909 6.07999C90.1281 3.64085 97.4495 1.54842 105.041 0.488845C112.781 -0.591795 119.379 1.81818 125.045 6.97592C130.017 11.5018 134.805 16.2327 139.812 20.7188C143.822 24.3115 148.013 27.7066 152.19 31.1073C152.945 31.7205 153.137 32.2154 152.913 33.1041C149.059 48.4591 141.312 61.4883 129.457 71.9877C120.113 80.2626 109.35 85.9785 96.9586 89.3265V89.3257Z" fill="#155DFC"/>
+</g>
+<defs>
+<clipPath id="clip0_287_1020">
+<rect width="128" height="128" rx="6" fill="white"/>
+</clipPath>
+</defs>
+</svg>
--- a/assets/tools/README.md
+++ b/assets/tools/README.md
@@ -0,0 +1,17 @@
+We keep binaries here to speed up CI \ CD tasks and building.
+
+Docker image needs:
+- PostgreSQL client tools (versions 12-18)
+- MySQL client tools (versions 5.7, 8.0, 8.4, 9)
+- MariaDB client tools (versions 10.6, 12.1)
+- MongoDB Database Tools (latest)
+
+For the most of tools, we need a couple of binaries for each version. However, if we download them on each run, it will download a couple of GBs each time.
+
+So, for speed up we keep only required executables (like pg_dump, mysqldump, mariadb-dump, mongodump, etc.).
+
+It takes:
+- ~ 100MB for ARM
+- ~ 100MB for x64
+
+Instead of GBs. See Dockefile for usage details.
--- a/backend/.env.development.example
+++ b/backend/.env.development.example
@@ -11,6 +11,12 @@ DATABASE_URL=postgres://postgres:Q1234567@dev-db:5437/databasus?sslmode=disable
 GOOSE_DRIVER=postgres
 GOOSE_DBSTRING=postgres://postgres:Q1234567@dev-db:5437/databasus?sslmode=disable
 GOOSE_MIGRATION_DIR=./migrations
+# valkey
+VALKEY_HOST=127.0.0.1
+VALKEY_PORT=6379
+VALKEY_USERNAME=
+VALKEY_PASSWORD=
+VALKEY_IS_SSL=false
 # testing
 # to get Google Drive env variables: add storage in UI and copy data from added storage here 
 TEST_GOOGLE_DRIVE_CLIENT_ID=
--- a/backend/.env.production.example
+++ b/backend/.env.production.example
@@ -10,4 +10,10 @@ DATABASE_URL=postgres://postgres:Q1234567@localhost:5437/databasus?sslmode=disab
 # migrations
 GOOSE_DRIVER=postgres
 GOOSE_DBSTRING=postgres://postgres:Q1234567@localhost:5437/databasus?sslmode=disable
-GOOSE_MIGRATION_DIR=./migrations
+GOOSE_MIGRATION_DIR=./migrations
+# valkey
+VALKEY_HOST=127.0.0.1
+VALKEY_PORT=6379
+VALKEY_USERNAME=
+VALKEY_PASSWORD=
+VALKEY_IS_SSL=false
--- a/backend/.gitignore
+++ b/backend/.gitignore
@@ -16,4 +16,6 @@ databasus-backend.exe
 ui/build/*
 pgdata-for-restore/
 temp/
-cmd.exe
+cmd.exe
+temp/
+valkey-data/
--- a/backend/Makefile
+++ b/backend/Makefile
@@ -2,10 +2,10 @@ run:
 	go run cmd/main.go

 test:
-	go test -p=1 -count=1 -failfast -timeout 10m .\internal\...
+	go test -p=1 -count=1 -failfast -timeout 15m ./internal/...

 lint:
-	golangci-lint fmt && golangci-lint run
+	golangci-lint fmt ./cmd/... ./internal/... && golangci-lint run ./cmd/... ./internal/...

 migration-create:
 	goose create $(name) sql
--- a/backend/cmd/main.go
+++ b/backend/cmd/main.go
@@ -15,6 +15,9 @@ import (
 	"databasus-backend/internal/config"
 	"databasus-backend/internal/features/audit_logs"
 	"databasus-backend/internal/features/backups/backups"
+	"databasus-backend/internal/features/backups/backups/backuping"
+	backups_cancellation "databasus-backend/internal/features/backups/backups/cancellation"
+	backups_download "databasus-backend/internal/features/backups/backups/download"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/disk"
@@ -29,6 +32,7 @@ import (
 	users_middleware "databasus-backend/internal/features/users/middleware"
 	users_services "databasus-backend/internal/features/users/services"
 	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
+	cache_utils "databasus-backend/internal/util/cache"
 	env_utils "databasus-backend/internal/util/env"
 	files_utils "databasus-backend/internal/util/files"
 	"databasus-backend/internal/util/logger"
@@ -52,7 +56,21 @@ import (
 func main() {
 	log := logger.GetLogger()

-	runMigrations(log)
+	cache_utils.TestCacheConnection()
+
+	if config.GetEnv().IsPrimaryNode {
+		err := cache_utils.ClearAllCache()
+		if err != nil {
+			log.Error("Failed to clear cache", "error", err)
+			os.Exit(1)
+		}
+	}
+
+	if config.GetEnv().IsPrimaryNode {
+		runMigrations(log)
+	} else {
+		log.Info("Skipping migrations (IS_PRIMARY_NODE is false)")
+	}

 	// create directories that used for backups and restore
 	err := files_utils.EnsureDirectories([]string{
@@ -96,7 +114,9 @@ func main() {
 	enableCors(ginApp)
 	setUpRoutes(ginApp)
 	setUpDependencies()
+
 	runBackgroundTasks(log)
+
 	mountFrontend(ginApp)

 	startServerWithGracefulShutdown(log, ginApp)
@@ -183,6 +203,7 @@ func setUpRoutes(r *gin.Engine) {
 	userController := users_controllers.GetUserController()
 	userController.RegisterRoutes(v1)
 	system_healthcheck.GetHealthcheckController().RegisterRoutes(v1)
+	backups.GetBackupController().RegisterPublicRoutes(v1)

 	// Setup auth middleware
 	userService := users_services.GetUserService()
@@ -217,27 +238,65 @@ func setUpDependencies() {
 	audit_logs.SetupDependencies()
 	notifiers.SetupDependencies()
 	storages.SetupDependencies()
+	backups_config.SetupDependencies()
+	backups_cancellation.SetupDependencies()
 }

 func runBackgroundTasks(log *slog.Logger) {
 	log.Info("Preparing to run background tasks...")

-	err := files_utils.CleanFolder(config.GetEnv().TempFolder)
-	if err != nil {
-		log.Error("Failed to clean temp folder", "error", err)
+	// Create context that will be cancelled on shutdown
+	ctx, cancel := context.WithCancel(context.Background())
+
+	// Set up signal handling for graceful shutdown
+	quit := make(chan os.Signal, 1)
+	signal.Notify(quit, os.Interrupt, syscall.SIGTERM)
+	go func() {
+		<-quit
+		log.Info("Shutdown signal received, cancelling all background tasks")
+		cancel()
+	}()
+
+	if config.GetEnv().IsPrimaryNode {
+		log.Info("Starting primary node background tasks...")
+
+		err := files_utils.CleanFolder(config.GetEnv().TempFolder)
+		if err != nil {
+			log.Error("Failed to clean temp folder", "error", err)
+		}
+
+		go runWithPanicLogging(log, "backup background service", func() {
+			backuping.GetBackupsScheduler().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "restore background service", func() {
+			restores.GetRestoreBackgroundService().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "healthcheck attempt background service", func() {
+			healthcheck_attempt.GetHealthcheckAttemptBackgroundService().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "audit log cleanup background service", func() {
+			audit_logs.GetAuditLogBackgroundService().Run(ctx)
+		})
+
+		go runWithPanicLogging(log, "download token cleanup background service", func() {
+			backups_download.GetDownloadTokenBackgroundService().Run(ctx)
+		})
+	} else {
+		log.Info("Skipping primary node tasks as not primary node")
 	}

-	go runWithPanicLogging(log, "backup background service", func() {
-		backups.GetBackupBackgroundService().Run()
-	})
+	if config.GetEnv().IsBackupNode {
+		log.Info("Starting backup node background tasks...")

-	go runWithPanicLogging(log, "restore background service", func() {
-		restores.GetRestoreBackgroundService().Run()
-	})
-
-	go runWithPanicLogging(log, "healthcheck attempt background service", func() {
-		healthcheck_attempt.GetHealthcheckAttemptBackgroundService().Run()
-	})
+		go runWithPanicLogging(log, "backup node", func() {
+			backuping.GetBackuperNode().Run(ctx)
+		})
+	} else {
+		log.Info("Skipping backup node tasks as not backup node")
+	}
 }

 func runWithPanicLogging(log *slog.Logger, serviceName string, fn func()) {
@@ -280,16 +339,13 @@ func generateSwaggerDocs(log *slog.Logger) {
 func runMigrations(log *slog.Logger) {
 	log.Info("Running database migrations...")

-	cmd := exec.Command("goose", "up")
+	cmd := exec.Command("goose", "-dir", "./migrations", "up")
 	cmd.Env = append(
 		os.Environ(),
 		"GOOSE_DRIVER=postgres",
 		"GOOSE_DBSTRING="+config.GetEnv().DatabaseDsn,
 	)

-	// Set the working directory to where migrations are located
-	cmd.Dir = "./migrations"
-
 	output, err := cmd.CombinedOutput()
 	if err != nil {
 		log.Error("Failed to run migrations", "error", err, "output", string(output))
--- a/backend/docker-compose.yml.example
+++ b/backend/docker-compose.yml.example
@@ -19,6 +19,21 @@ services:
    command: -p 5437
    shm_size: 10gb

+  # Valkey for caching
+  dev-valkey:
+    image: valkey/valkey:9.0.1-alpine
+    ports:
+      - "${VALKEY_PORT:-6379}:6379"
+    volumes:
+      - ./valkey-data:/data
+    container_name: dev-valkey
+    healthcheck:
+      test: ["CMD", "valkey-cli", "ping"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+      start_period: 20s
+
  # Test MinIO container
  test-minio:
    image: minio/minio:latest
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,6 +1,6 @@
 module databasus-backend

-go 1.24.4
+go 1.24.9

 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.20.0
@@ -25,6 +25,7 @@ require (
 	github.com/swaggo/files v1.0.1
 	github.com/swaggo/gin-swagger v1.6.0
 	github.com/swaggo/swag v1.16.4
+	github.com/valkey-io/valkey-go v1.0.70
 	go.mongodb.org/mongo-driver v1.17.6
 	golang.org/x/crypto v0.46.0
 	golang.org/x/time v0.14.0
@@ -269,7 +270,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.38.0 // indirect
 	go.opentelemetry.io/otel/trace v1.38.0 // indirect
 	golang.org/x/arch v0.17.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/oauth2 v0.33.0
 	golang.org/x/sync v0.19.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -539,8 +539,8 @@ github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE=
 github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU=
 github.com/onsi/ginkgo/v2 v2.17.3 h1:oJcvKpIb7/8uLpDDtnQuf18xVnwKp8DTD7DQ6gTd/MU=
 github.com/onsi/ginkgo/v2 v2.17.3/go.mod h1:nP2DPOQoNsQmsVyv5rDA8JkXQoCs6goXIvr/PRJ1eCc=
-github.com/onsi/gomega v1.37.0 h1:CdEG8g0S133B4OswTDC/5XPSzE1OeP29QOioj2PID2Y=
-github.com/onsi/gomega v1.37.0/go.mod h1:8D9+Txp43QWKhM24yyOBEdpkzN8FvJyAwecBgsU4KU0=
+github.com/onsi/gomega v1.38.3 h1:eTX+W6dobAYfFeGC2PV6RwXRu/MyT+cQguijutvkpSM=
+github.com/onsi/gomega v1.38.3/go.mod h1:ZCU1pkQcXDO5Sl9/VVEGlDyp+zm0m1cmeG5TOzLgdh4=
 github.com/oracle/oci-go-sdk/v65 v65.104.0 h1:l9awEvzWvxmYhy/97A0hZ87pa7BncYXmcO/S8+rvgK0=
 github.com/oracle/oci-go-sdk/v65 v65.104.0/go.mod h1:oB8jFGVc/7/zJ+DbleE8MzGHjhs2ioCz5stRTdZdIcY=
 github.com/panjf2000/ants/v2 v2.11.3 h1:AfI0ngBoXJmYOpDh9m516vjqoUu2sLrIVgppI9TZVpg=
@@ -660,6 +660,8 @@ github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
 github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/unknwon/goconfig v1.0.0 h1:rS7O+CmUdli1T+oDm7fYj1MwqNWtEJfNj+FqcUHML8U=
 github.com/unknwon/goconfig v1.0.0/go.mod h1:qu2ZQ/wcC/if2u32263HTVC39PeOQRSmidQk3DuDFQ8=
+github.com/valkey-io/valkey-go v1.0.70 h1:mjYNT8qiazxDAJ0QNQ8twWT/YFOkOoRd40ERV2mB49Y=
+github.com/valkey-io/valkey-go v1.0.70/go.mod h1:VGhZ6fs68Qrn2+OhH+6waZH27bjpgQOiLyUQyXuYK5k=
 github.com/wk8/go-ordered-map/v2 v2.1.8 h1:5h/BUHu93oj4gIdvHHHGsScSTMijfx5PeYkE/fJgbpc=
 github.com/wk8/go-ordered-map/v2 v2.1.8/go.mod h1:5nJHM5DyteebpVlHnWMV0rPz6Zp7+xBAnxjb1X5vnTw=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
@@ -720,6 +722,8 @@ go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
 go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
 go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
 go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/arch v0.17.0 h1:4O3dfLzd+lQewptAHqjewQZQDyEdejz3VwgeYwkZneU=
 golang.org/x/arch v0.17.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -818,8 +822,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -9,6 +9,7 @@ import (
 	"strings"
 	"sync"

+	"github.com/google/uuid"
 	"github.com/ilyakaznacheev/cleanenv"
 	"github.com/joho/godotenv"
 )
@@ -29,6 +30,12 @@ type EnvVariables struct {
 	MariadbInstallDir    string            `env:"MARIADB_INSTALL_DIR"`
 	MongodbInstallDir    string            `env:"MONGODB_INSTALL_DIR"`

+	NodeID                   string
+	IsManyNodesMode          bool `env:"IS_MANY_NODES_MODE"`
+	IsPrimaryNode            bool `env:"IS_PRIMARY_NODE"`
+	IsBackupNode             bool `env:"IS_BACKUP_NODE"`
+	NodeNetworkThroughputMBs int  `env:"NODE_NETWORK_THROUGHPUT_MBPS"`
+
 	DataFolder    string
 	TempFolder    string
 	SecretKeyPath string
@@ -79,6 +86,13 @@ type EnvVariables struct {
 	TestMongodb70Port string `env:"TEST_MONGODB_70_PORT"`
 	TestMongodb82Port string `env:"TEST_MONGODB_82_PORT"`

+	// Valkey
+	ValkeyHost     string `env:"VALKEY_HOST"     required:"true"`
+	ValkeyPort     string `env:"VALKEY_PORT"     required:"true"`
+	ValkeyUsername string `env:"VALKEY_USERNAME"`
+	ValkeyPassword string `env:"VALKEY_PASSWORD"`
+	ValkeyIsSsl    bool   `env:"VALKEY_IS_SSL"   required:"true"`
+
 	// oauth
 	GitHubClientID     string `env:"GITHUB_CLIENT_ID"`
 	GitHubClientSecret string `env:"GITHUB_CLIENT_SECRET"`
@@ -189,6 +203,26 @@ func loadEnvVariables() {
 	env.MongodbInstallDir = filepath.Join(backendRoot, "tools", "mongodb")
 	tools.VerifyMongodbInstallation(log, env.EnvMode, env.MongodbInstallDir)

+	env.NodeID = uuid.New().String()
+	if env.NodeNetworkThroughputMBs == 0 {
+		env.NodeNetworkThroughputMBs = 125 // 1 Gbit/s
+	}
+
+	if !env.IsManyNodesMode {
+		env.IsPrimaryNode = true
+		env.IsBackupNode = true
+	}
+
+	// Valkey
+	if env.ValkeyHost == "" {
+		log.Error("VALKEY_HOST is empty")
+		os.Exit(1)
+	}
+	if env.ValkeyPort == "" {
+		log.Error("VALKEY_PORT is empty")
+		os.Exit(1)
+	}
+
 	// Store the data and temp folders one level below the root
 	// (projectRoot/databasus-data -> /databasus-data)
 	env.DataFolder = filepath.Join(filepath.Dir(backendRoot), "databasus-data", "backups")
--- a/backend/internal/features/audit_logs/background_service.go
+++ b/backend/internal/features/audit_logs/background_service.go
@@ -0,0 +1,38 @@
+package audit_logs
+
+import (
+	"context"
+	"log/slog"
+	"time"
+)
+
+type AuditLogBackgroundService struct {
+	auditLogService *AuditLogService
+	logger          *slog.Logger
+}
+
+func (s *AuditLogBackgroundService) Run(ctx context.Context) {
+	s.logger.Info("Starting audit log cleanup background service")
+
+	if ctx.Err() != nil {
+		return
+	}
+
+	ticker := time.NewTicker(1 * time.Hour)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			if err := s.cleanOldAuditLogs(); err != nil {
+				s.logger.Error("Failed to clean old audit logs", "error", err)
+			}
+		}
+	}
+}
+
+func (s *AuditLogBackgroundService) cleanOldAuditLogs() error {
+	return s.auditLogService.CleanOldAuditLogs()
+}
--- a/backend/internal/features/audit_logs/background_service_test.go
+++ b/backend/internal/features/audit_logs/background_service_test.go
@@ -0,0 +1,141 @@
+package audit_logs
+
+import (
+	"databasus-backend/internal/storage"
+	"fmt"
+	"testing"
+	"time"
+
+	user_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"gorm.io/gorm"
+)
+
+func Test_CleanOldAuditLogs_DeletesLogsOlderThanOneYear(t *testing.T) {
+	service := GetAuditLogService()
+	user := users_testing.CreateTestUser(user_enums.UserRoleMember)
+	db := storage.GetDb()
+	baseTime := time.Now().UTC()
+
+	// Create old logs (more than 1 year old)
+	createTimedAuditLog(db, &user.UserID, "Old log 1", baseTime.Add(-400*24*time.Hour))
+	createTimedAuditLog(db, &user.UserID, "Old log 2", baseTime.Add(-370*24*time.Hour))
+
+	// Create recent logs (less than 1 year old)
+	createAuditLog(service, "Recent log 1", &user.UserID, nil)
+	createAuditLog(service, "Recent log 2", &user.UserID, nil)
+
+	// Run cleanup
+	err := service.CleanOldAuditLogs()
+	assert.NoError(t, err)
+
+	// Verify old logs were deleted
+	oneYearAgo := baseTime.Add(-365 * 24 * time.Hour)
+	var oldLogs []*AuditLog
+	db.Where("created_at < ?", oneYearAgo).Find(&oldLogs)
+	assert.Equal(t, 0, len(oldLogs), "All logs older than 1 year should be deleted")
+
+	// Verify recent logs still exist
+	var recentLogs []*AuditLog
+	db.Where("created_at >= ?", oneYearAgo).Find(&recentLogs)
+	assert.GreaterOrEqual(t, len(recentLogs), 2, "Recent logs should not be deleted")
+}
+
+func Test_CleanOldAuditLogs_PreservesLogsNewerThanOneYear(t *testing.T) {
+	service := GetAuditLogService()
+	user := users_testing.CreateTestUser(user_enums.UserRoleMember)
+	db := storage.GetDb()
+	baseTime := time.Now().UTC()
+
+	// Create logs exactly at boundary (1 year old)
+	boundaryTime := baseTime.Add(-365 * 24 * time.Hour)
+	createTimedAuditLog(db, &user.UserID, "Boundary log", boundaryTime)
+
+	// Create recent logs
+	createTimedAuditLog(db, &user.UserID, "Recent log 1", baseTime.Add(-364*24*time.Hour))
+	createTimedAuditLog(db, &user.UserID, "Recent log 2", baseTime.Add(-100*24*time.Hour))
+	createAuditLog(service, "Current log", &user.UserID, nil)
+
+	// Get count before cleanup
+	var countBefore int64
+	db.Model(&AuditLog{}).Count(&countBefore)
+
+	// Run cleanup
+	err := service.CleanOldAuditLogs()
+	assert.NoError(t, err)
+
+	// Get count after cleanup
+	var countAfter int64
+	db.Model(&AuditLog{}).Count(&countAfter)
+
+	// Verify logs newer than 1 year are preserved
+	oneYearAgo := baseTime.Add(-365 * 24 * time.Hour)
+	var recentLogs []*AuditLog
+	db.Where("created_at >= ?", oneYearAgo).Find(&recentLogs)
+
+	messages := make([]string, len(recentLogs))
+	for i, log := range recentLogs {
+		messages[i] = log.Message
+	}
+
+	assert.Contains(t, messages, "Recent log 1")
+	assert.Contains(t, messages, "Recent log 2")
+	assert.Contains(t, messages, "Current log")
+}
+
+func Test_CleanOldAuditLogs_HandlesEmptyDatabase(t *testing.T) {
+	service := GetAuditLogService()
+
+	// Run cleanup on database that may have no old logs
+	err := service.CleanOldAuditLogs()
+	assert.NoError(t, err)
+}
+
+func Test_CleanOldAuditLogs_DeletesMultipleOldLogs(t *testing.T) {
+	service := GetAuditLogService()
+	user := users_testing.CreateTestUser(user_enums.UserRoleMember)
+	db := storage.GetDb()
+	baseTime := time.Now().UTC()
+
+	// Create many old logs with specific UUIDs to track them
+	testLogIDs := make([]uuid.UUID, 5)
+	for i := 0; i < 5; i++ {
+		testLogIDs[i] = uuid.New()
+		daysAgo := 400 + (i * 10)
+		log := &AuditLog{
+			ID:        testLogIDs[i],
+			UserID:    &user.UserID,
+			Message:   fmt.Sprintf("Test old log %d", i),
+			CreatedAt: baseTime.Add(-time.Duration(daysAgo) * 24 * time.Hour),
+		}
+		result := db.Create(log)
+		assert.NoError(t, result.Error)
+	}
+
+	// Verify logs exist before cleanup
+	var logsBeforeCleanup []*AuditLog
+	db.Where("id IN ?", testLogIDs).Find(&logsBeforeCleanup)
+	assert.Equal(t, 5, len(logsBeforeCleanup), "All test logs should exist before cleanup")
+
+	// Run cleanup
+	err := service.CleanOldAuditLogs()
+	assert.NoError(t, err)
+
+	// Verify test logs were deleted
+	var logsAfterCleanup []*AuditLog
+	db.Where("id IN ?", testLogIDs).Find(&logsAfterCleanup)
+	assert.Equal(t, 0, len(logsAfterCleanup), "All old test logs should be deleted")
+}
+
+func createTimedAuditLog(db *gorm.DB, userID *uuid.UUID, message string, createdAt time.Time) {
+	log := &AuditLog{
+		ID:        uuid.New(),
+		UserID:    userID,
+		Message:   message,
+		CreatedAt: createdAt,
+	}
+	db.Create(log)
+}
--- a/backend/internal/features/audit_logs/controller.go
+++ b/backend/internal/features/audit_logs/controller.go
@@ -1,6 +1,7 @@
 package audit_logs

 import (
+	"errors"
 	"net/http"

 	user_models "databasus-backend/internal/features/users/models"
@@ -50,7 +51,7 @@ func (c *AuditLogController) GetGlobalAuditLogs(ctx *gin.Context) {

 	response, err := c.auditLogService.GetGlobalAuditLogs(user, request)
 	if err != nil {
-		if err.Error() == "only administrators can view global audit logs" {
+		if errors.Is(err, ErrOnlyAdminsCanViewGlobalLogs) {
 			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
 			return
 		}
@@ -99,7 +100,7 @@ func (c *AuditLogController) GetUserAuditLogs(ctx *gin.Context) {

 	response, err := c.auditLogService.GetUserAuditLogs(targetUserID, user, request)
 	if err != nil {
-		if err.Error() == "insufficient permissions to view user audit logs" {
+		if errors.Is(err, ErrInsufficientPermissionsToViewLogs) {
 			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
 			return
 		}
--- a/backend/internal/features/audit_logs/di.go
+++ b/backend/internal/features/audit_logs/di.go
@@ -7,11 +7,15 @@ import (

 var auditLogRepository = &AuditLogRepository{}
 var auditLogService = &AuditLogService{
-	auditLogRepository: auditLogRepository,
-	logger:             logger.GetLogger(),
+	auditLogRepository,
+	logger.GetLogger(),
 }
 var auditLogController = &AuditLogController{
-	auditLogService: auditLogService,
+	auditLogService,
+}
+var auditLogBackgroundService = &AuditLogBackgroundService{
+	auditLogService,
+	logger.GetLogger(),
 }

 func GetAuditLogService() *AuditLogService {
@@ -22,6 +26,10 @@ func GetAuditLogController() *AuditLogController {
 	return auditLogController
 }

+func GetAuditLogBackgroundService() *AuditLogBackgroundService {
+	return auditLogBackgroundService
+}
+
 func SetupDependencies() {
 	users_services.GetUserService().SetAuditLogWriter(auditLogService)
 	users_services.GetSettingsService().SetAuditLogWriter(auditLogService)
--- a/backend/internal/features/audit_logs/errors.go
+++ b/backend/internal/features/audit_logs/errors.go
@@ -0,0 +1,12 @@
+package audit_logs
+
+import "errors"
+
+var (
+	ErrOnlyAdminsCanViewGlobalLogs = errors.New(
+		"only administrators can view global audit logs",
+	)
+	ErrInsufficientPermissionsToViewLogs = errors.New(
+		"insufficient permissions to view user audit logs",
+	)
+)
--- a/backend/internal/features/audit_logs/repository.go
+++ b/backend/internal/features/audit_logs/repository.go
@@ -137,3 +137,15 @@ func (r *AuditLogRepository) CountGlobal(beforeDate *time.Time) (int64, error) {
 	err := query.Count(&count).Error
 	return count, err
 }
+
+func (r *AuditLogRepository) DeleteOlderThan(beforeDate time.Time) (int64, error) {
+	result := storage.GetDb().
+		Where("created_at < ?", beforeDate).
+		Delete(&AuditLog{})
+
+	if result.Error != nil {
+		return 0, result.Error
+	}
+
+	return result.RowsAffected, nil
+}
--- a/backend/internal/features/audit_logs/service.go
+++ b/backend/internal/features/audit_logs/service.go
@@ -1,7 +1,6 @@
 package audit_logs

 import (
-	"errors"
 	"log/slog"
 	"time"

@@ -44,7 +43,7 @@ func (s *AuditLogService) GetGlobalAuditLogs(
 	request *GetAuditLogsRequest,
 ) (*GetAuditLogsResponse, error) {
 	if user.Role != user_enums.UserRoleAdmin {
-		return nil, errors.New("only administrators can view global audit logs")
+		return nil, ErrOnlyAdminsCanViewGlobalLogs
 	}

 	limit := request.Limit
@@ -79,7 +78,7 @@ func (s *AuditLogService) GetUserAuditLogs(
 ) (*GetAuditLogsResponse, error) {
 	// Users can view their own logs, ADMIN can view any user's logs
 	if user.Role != user_enums.UserRoleAdmin && user.ID != targetUserID {
-		return nil, errors.New("insufficient permissions to view user audit logs")
+		return nil, ErrInsufficientPermissionsToViewLogs
 	}

 	limit := request.Limit
@@ -135,3 +134,19 @@ func (s *AuditLogService) GetWorkspaceAuditLogs(
 		Offset:    offset,
 	}, nil
 }
+
+func (s *AuditLogService) CleanOldAuditLogs() error {
+	oneYearAgo := time.Now().UTC().Add(-365 * 24 * time.Hour)
+
+	deletedCount, err := s.auditLogRepository.DeleteOlderThan(oneYearAgo)
+	if err != nil {
+		s.logger.Error("Failed to delete old audit logs", "error", err)
+		return err
+	}
+
+	if deletedCount > 0 {
+		s.logger.Info("Deleted old audit logs", "count", deletedCount, "olderThan", oneYearAgo)
+	}
+
+	return nil
+}
--- a/backend/internal/features/backups/backups/background_service.go
+++ b/backend/internal/features/backups/backups/background_service.go
@@ -1,254 +0,0 @@
-package backups
-
-import (
-	"databasus-backend/internal/config"
-	backups_config "databasus-backend/internal/features/backups/config"
-	"databasus-backend/internal/features/storages"
-	"databasus-backend/internal/util/encryption"
-	"databasus-backend/internal/util/period"
-	"log/slog"
-	"time"
-)
-
-type BackupBackgroundService struct {
-	backupService       *BackupService
-	backupRepository    *BackupRepository
-	backupConfigService *backups_config.BackupConfigService
-	storageService      *storages.StorageService
-
-	lastBackupTime time.Time
-	logger         *slog.Logger
-}
-
-func (s *BackupBackgroundService) Run() {
-	s.lastBackupTime = time.Now().UTC()
-
-	if err := s.failBackupsInProgress(); err != nil {
-		s.logger.Error("Failed to fail backups in progress", "error", err)
-		panic(err)
-	}
-
-	if config.IsShouldShutdown() {
-		return
-	}
-
-	for {
-		if config.IsShouldShutdown() {
-			return
-		}
-
-		if err := s.cleanOldBackups(); err != nil {
-			s.logger.Error("Failed to clean old backups", "error", err)
-		}
-
-		if err := s.runPendingBackups(); err != nil {
-			s.logger.Error("Failed to run pending backups", "error", err)
-		}
-
-		s.lastBackupTime = time.Now().UTC()
-		time.Sleep(1 * time.Minute)
-	}
-}
-
-func (s *BackupBackgroundService) IsBackupsWorkerRunning() bool {
-	// if last backup time is more than 5 minutes ago, return false
-	return s.lastBackupTime.After(time.Now().UTC().Add(-5 * time.Minute))
-}
-
-func (s *BackupBackgroundService) failBackupsInProgress() error {
-	backupsInProgress, err := s.backupRepository.FindByStatus(BackupStatusInProgress)
-	if err != nil {
-		return err
-	}
-
-	for _, backup := range backupsInProgress {
-		backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(backup.DatabaseID)
-		if err != nil {
-			s.logger.Error("Failed to get backup config by database ID", "error", err)
-			continue
-		}
-
-		failMessage := "Backup failed due to application restart"
-		backup.FailMessage = &failMessage
-		backup.Status = BackupStatusFailed
-		backup.BackupSizeMb = 0
-
-		s.backupService.SendBackupNotification(
-			backupConfig,
-			backup,
-			backups_config.NotificationBackupFailed,
-			&failMessage,
-		)
-
-		if err := s.backupRepository.Save(backup); err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func (s *BackupBackgroundService) cleanOldBackups() error {
-	enabledBackupConfigs, err := s.backupConfigService.GetBackupConfigsWithEnabledBackups()
-	if err != nil {
-		return err
-	}
-
-	for _, backupConfig := range enabledBackupConfigs {
-		backupStorePeriod := backupConfig.StorePeriod
-
-		if backupStorePeriod == period.PeriodForever {
-			continue
-		}
-
-		storeDuration := backupStorePeriod.ToDuration()
-		dateBeforeBackupsShouldBeDeleted := time.Now().UTC().Add(-storeDuration)
-
-		oldBackups, err := s.backupRepository.FindBackupsBeforeDate(
-			backupConfig.DatabaseID,
-			dateBeforeBackupsShouldBeDeleted,
-		)
-		if err != nil {
-			s.logger.Error(
-				"Failed to find old backups for database",
-				"databaseId",
-				backupConfig.DatabaseID,
-				"error",
-				err,
-			)
-			continue
-		}
-
-		for _, backup := range oldBackups {
-			storage, err := s.storageService.GetStorageByID(backup.StorageID)
-			if err != nil {
-				s.logger.Error(
-					"Failed to get storage by ID",
-					"storageId",
-					backup.StorageID,
-					"error",
-					err,
-				)
-				continue
-			}
-
-			encryptor := encryption.GetFieldEncryptor()
-			err = storage.DeleteFile(encryptor, backup.ID)
-			if err != nil {
-				s.logger.Error("Failed to delete backup file", "backupId", backup.ID, "error", err)
-			}
-
-			if err := s.backupRepository.DeleteByID(backup.ID); err != nil {
-				s.logger.Error("Failed to delete old backup", "backupId", backup.ID, "error", err)
-				continue
-			}
-
-			s.logger.Info(
-				"Deleted old backup",
-				"backupId",
-				backup.ID,
-				"databaseId",
-				backupConfig.DatabaseID,
-			)
-		}
-	}
-
-	return nil
-}
-
-func (s *BackupBackgroundService) runPendingBackups() error {
-	enabledBackupConfigs, err := s.backupConfigService.GetBackupConfigsWithEnabledBackups()
-	if err != nil {
-		return err
-	}
-
-	for _, backupConfig := range enabledBackupConfigs {
-		if backupConfig.BackupInterval == nil {
-			continue
-		}
-
-		lastBackup, err := s.backupRepository.FindLastByDatabaseID(backupConfig.DatabaseID)
-		if err != nil {
-			s.logger.Error(
-				"Failed to get last backup for database",
-				"databaseId",
-				backupConfig.DatabaseID,
-				"error",
-				err,
-			)
-			continue
-		}
-
-		var lastBackupTime *time.Time
-		if lastBackup != nil {
-			lastBackupTime = &lastBackup.CreatedAt
-		}
-
-		remainedBackupTryCount := s.GetRemainedBackupTryCount(lastBackup)
-
-		if backupConfig.BackupInterval.ShouldTriggerBackup(time.Now().UTC(), lastBackupTime) ||
-			remainedBackupTryCount > 0 {
-			s.logger.Info(
-				"Triggering scheduled backup",
-				"databaseId",
-				backupConfig.DatabaseID,
-				"intervalType",
-				backupConfig.BackupInterval.Interval,
-			)
-
-			go s.backupService.MakeBackup(backupConfig.DatabaseID, remainedBackupTryCount == 1)
-			s.logger.Info(
-				"Successfully triggered scheduled backup",
-				"databaseId",
-				backupConfig.DatabaseID,
-			)
-		}
-	}
-
-	return nil
-}
-
-// GetRemainedBackupTryCount returns the number of remaining backup tries for a given backup.
-// If the backup is not failed or the backup config does not allow retries, it returns 0.
-// If the backup is failed and the backup config allows retries, it returns the number of remaining tries.
-// If the backup is failed and the backup config does not allow retries, it returns 0.
-func (s *BackupBackgroundService) GetRemainedBackupTryCount(lastBackup *Backup) int {
-	if lastBackup == nil {
-		return 0
-	}
-
-	if lastBackup.Status != BackupStatusFailed {
-		return 0
-	}
-
-	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(lastBackup.DatabaseID)
-	if err != nil {
-		s.logger.Error("Failed to get backup config by database ID", "error", err)
-		return 0
-	}
-
-	if !backupConfig.IsRetryIfFailed {
-		return 0
-	}
-
-	maxFailedTriesCount := backupConfig.MaxFailedTriesCount
-
-	lastBackups, err := s.backupRepository.FindByDatabaseIDWithLimit(
-		lastBackup.DatabaseID,
-		maxFailedTriesCount,
-	)
-	if err != nil {
-		s.logger.Error("Failed to find last backups by database ID", "error", err)
-		return 0
-	}
-
-	lastFailedBackups := make([]*Backup, 0)
-
-	for _, backup := range lastBackups {
-		if backup.Status == BackupStatusFailed {
-			lastFailedBackups = append(lastFailedBackups, backup)
-		}
-	}
-
-	return maxFailedTriesCount - len(lastFailedBackups)
-}
--- a/backend/internal/features/backups/backups/background_service_test.go
+++ b/backend/internal/features/backups/backups/background_service_test.go
@@ -1,321 +0,0 @@
-package backups
-
-import (
-	backups_config "databasus-backend/internal/features/backups/config"
-	"databasus-backend/internal/features/databases"
-	"databasus-backend/internal/features/intervals"
-	"databasus-backend/internal/features/notifiers"
-	"databasus-backend/internal/features/storages"
-	users_enums "databasus-backend/internal/features/users/enums"
-	users_testing "databasus-backend/internal/features/users/testing"
-	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
-	"databasus-backend/internal/util/period"
-	"testing"
-	"time"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func Test_MakeBackupForDbHavingBackupDayAgo_BackupCreated(t *testing.T) {
-	// setup data
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	// Enable backups for the database
-	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
-	assert.NoError(t, err)
-
-	timeOfDay := "04:00"
-	backupConfig.BackupInterval = &intervals.Interval{
-		Interval:  intervals.IntervalDaily,
-		TimeOfDay: &timeOfDay,
-	}
-	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
-	backupConfig.Storage = storage
-	backupConfig.StorageID = &storage.ID
-
-	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	// add old backup
-	backupRepository.Save(&Backup{
-		DatabaseID: database.ID,
-		StorageID:  storage.ID,
-
-		Status: BackupStatusCompleted,
-
-		CreatedAt: time.Now().UTC().Add(-24 * time.Hour),
-	})
-
-	GetBackupBackgroundService().runPendingBackups()
-
-	time.Sleep(100 * time.Millisecond)
-
-	// assertions
-	backups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Len(t, backups, 2)
-
-	// cleanup
-	for _, backup := range backups {
-		err := backupRepository.DeleteByID(backup.ID)
-		assert.NoError(t, err)
-	}
-
-	databases.RemoveTestDatabase(database)
-	time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
-	notifiers.RemoveTestNotifier(notifier)
-	storages.RemoveTestStorage(storage.ID)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
-
-func Test_MakeBackupForDbHavingHourAgoBackup_BackupSkipped(t *testing.T) {
-	// setup data
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	// Enable backups for the database
-	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
-	assert.NoError(t, err)
-
-	timeOfDay := "04:00"
-	backupConfig.BackupInterval = &intervals.Interval{
-		Interval:  intervals.IntervalDaily,
-		TimeOfDay: &timeOfDay,
-	}
-	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
-	backupConfig.Storage = storage
-	backupConfig.StorageID = &storage.ID
-
-	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	// add recent backup (1 hour ago)
-	backupRepository.Save(&Backup{
-		DatabaseID: database.ID,
-		StorageID:  storage.ID,
-
-		Status: BackupStatusCompleted,
-
-		CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
-	})
-
-	GetBackupBackgroundService().runPendingBackups()
-
-	time.Sleep(100 * time.Millisecond)
-
-	// assertions
-	backups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Len(t, backups, 1) // Should still be 1 backup, no new backup created
-
-	// cleanup
-	for _, backup := range backups {
-		err := backupRepository.DeleteByID(backup.ID)
-		assert.NoError(t, err)
-	}
-
-	databases.RemoveTestDatabase(database)
-	time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
-	notifiers.RemoveTestNotifier(notifier)
-	storages.RemoveTestStorage(storage.ID)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
-
-func Test_MakeBackupHavingFailedBackupWithoutRetries_BackupSkipped(t *testing.T) {
-	// setup data
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	// Enable backups for the database with retries disabled
-	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
-	assert.NoError(t, err)
-
-	timeOfDay := "04:00"
-	backupConfig.BackupInterval = &intervals.Interval{
-		Interval:  intervals.IntervalDaily,
-		TimeOfDay: &timeOfDay,
-	}
-	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
-	backupConfig.Storage = storage
-	backupConfig.StorageID = &storage.ID
-	backupConfig.IsRetryIfFailed = false
-	backupConfig.MaxFailedTriesCount = 0
-
-	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	// add failed backup
-	failMessage := "backup failed"
-	backupRepository.Save(&Backup{
-		DatabaseID: database.ID,
-		StorageID:  storage.ID,
-
-		Status:      BackupStatusFailed,
-		FailMessage: &failMessage,
-
-		CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
-	})
-
-	GetBackupBackgroundService().runPendingBackups()
-
-	time.Sleep(100 * time.Millisecond)
-
-	// assertions
-	backups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Len(t, backups, 1) // Should still be 1 backup, no retry attempted
-
-	// cleanup
-	for _, backup := range backups {
-		err := backupRepository.DeleteByID(backup.ID)
-		assert.NoError(t, err)
-	}
-
-	databases.RemoveTestDatabase(database)
-	time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
-	notifiers.RemoveTestNotifier(notifier)
-	storages.RemoveTestStorage(storage.ID)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
-
-func Test_MakeBackupHavingFailedBackupWithRetries_BackupCreated(t *testing.T) {
-	// setup data
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	// Enable backups for the database with retries enabled
-	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
-	assert.NoError(t, err)
-
-	timeOfDay := "04:00"
-	backupConfig.BackupInterval = &intervals.Interval{
-		Interval:  intervals.IntervalDaily,
-		TimeOfDay: &timeOfDay,
-	}
-	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
-	backupConfig.Storage = storage
-	backupConfig.StorageID = &storage.ID
-	backupConfig.IsRetryIfFailed = true
-	backupConfig.MaxFailedTriesCount = 3
-
-	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	// add failed backup
-	failMessage := "backup failed"
-	backupRepository.Save(&Backup{
-		DatabaseID: database.ID,
-		StorageID:  storage.ID,
-
-		Status:      BackupStatusFailed,
-		FailMessage: &failMessage,
-
-		CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
-	})
-
-	GetBackupBackgroundService().runPendingBackups()
-
-	time.Sleep(100 * time.Millisecond)
-
-	// assertions
-	backups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Len(t, backups, 2) // Should have 2 backups, retry was attempted
-
-	// cleanup
-	for _, backup := range backups {
-		err := backupRepository.DeleteByID(backup.ID)
-		assert.NoError(t, err)
-	}
-
-	databases.RemoveTestDatabase(database)
-	time.Sleep(100 * time.Millisecond) // Wait for cascading deletes
-	notifiers.RemoveTestNotifier(notifier)
-	storages.RemoveTestStorage(storage.ID)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
-
-func Test_MakeBackupHavingFailedBackupWithRetries_RetriesCountNotExceeded(t *testing.T) {
-	// setup data
-	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
-	router := CreateTestRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
-	storage := storages.CreateTestStorage(workspace.ID)
-	notifier := notifiers.CreateTestNotifier(workspace.ID)
-	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
-
-	// Enable backups for the database with retries enabled
-	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
-	assert.NoError(t, err)
-
-	timeOfDay := "04:00"
-	backupConfig.BackupInterval = &intervals.Interval{
-		Interval:  intervals.IntervalDaily,
-		TimeOfDay: &timeOfDay,
-	}
-	backupConfig.IsBackupsEnabled = true
-	backupConfig.StorePeriod = period.PeriodWeek
-	backupConfig.Storage = storage
-	backupConfig.StorageID = &storage.ID
-	backupConfig.IsRetryIfFailed = true
-	backupConfig.MaxFailedTriesCount = 3
-
-	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
-	assert.NoError(t, err)
-
-	failMessage := "backup failed"
-
-	for i := 0; i < 3; i++ {
-		backupRepository.Save(&Backup{
-			DatabaseID: database.ID,
-			StorageID:  storage.ID,
-
-			Status:      BackupStatusFailed,
-			FailMessage: &failMessage,
-
-			CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
-		})
-	}
-
-	GetBackupBackgroundService().runPendingBackups()
-
-	time.Sleep(100 * time.Millisecond)
-
-	// assertions
-	backups, err := backupRepository.FindByDatabaseID(database.ID)
-	assert.NoError(t, err)
-	assert.Len(t, backups, 3) // Should have 3 backups, not more than max
-
-	// cleanup
-	for _, backup := range backups {
-		err := backupRepository.DeleteByID(backup.ID)
-		assert.NoError(t, err)
-	}
-
-	databases.RemoveTestDatabase(database)
-	time.Sleep(50 * time.Millisecond) // Wait for cascading deletes
-	notifiers.RemoveTestNotifier(notifier)
-	storages.RemoveTestStorage(storage.ID)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
--- a/backend/internal/features/backups/backups/backup_context_manager.go
+++ b/backend/internal/features/backups/backups/backup_context_manager.go
@@ -1,60 +0,0 @@
-package backups
-
-import (
-	"context"
-	"sync"
-
-	"github.com/google/uuid"
-)
-
-type BackupContextManager struct {
-	mu               sync.RWMutex
-	cancelFuncs      map[uuid.UUID]context.CancelFunc
-	cancelledBackups map[uuid.UUID]bool
-}
-
-func NewBackupContextManager() *BackupContextManager {
-	return &BackupContextManager{
-		cancelFuncs:      make(map[uuid.UUID]context.CancelFunc),
-		cancelledBackups: make(map[uuid.UUID]bool),
-	}
-}
-
-func (m *BackupContextManager) RegisterBackup(backupID uuid.UUID, cancelFunc context.CancelFunc) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	m.cancelFuncs[backupID] = cancelFunc
-	delete(m.cancelledBackups, backupID)
-}
-
-func (m *BackupContextManager) CancelBackup(backupID uuid.UUID) error {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-
-	if m.cancelledBackups[backupID] {
-		return nil
-	}
-
-	cancelFunc, exists := m.cancelFuncs[backupID]
-	if exists {
-		cancelFunc()
-		delete(m.cancelFuncs, backupID)
-	}
-
-	m.cancelledBackups[backupID] = true
-
-	return nil
-}
-
-func (m *BackupContextManager) IsCancelled(backupID uuid.UUID) bool {
-	m.mu.RLock()
-	defer m.mu.RUnlock()
-	return m.cancelledBackups[backupID]
-}
-
-func (m *BackupContextManager) UnregisterBackup(backupID uuid.UUID) {
-	m.mu.Lock()
-	defer m.mu.Unlock()
-	delete(m.cancelFuncs, backupID)
-	delete(m.cancelledBackups, backupID)
-}
--- a/backend/internal/features/backups/backups/backuping/backuper.go
+++ b/backend/internal/features/backups/backups/backuping/backuper.go
@@ -0,0 +1,344 @@
+package backuping
+
+import (
+	"context"
+	"databasus-backend/internal/config"
+	backups_cancellation "databasus-backend/internal/features/backups/backups/cancellation"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/storages"
+	workspaces_services "databasus-backend/internal/features/workspaces/services"
+	util_encryption "databasus-backend/internal/util/encryption"
+	"errors"
+	"fmt"
+	"log/slog"
+	"slices"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type BackuperNode struct {
+	databaseService     *databases.DatabaseService
+	fieldEncryptor      util_encryption.FieldEncryptor
+	workspaceService    *workspaces_services.WorkspaceService
+	backupRepository    *backups_core.BackupRepository
+	backupConfigService *backups_config.BackupConfigService
+	storageService      *storages.StorageService
+	notificationSender  backups_core.NotificationSender
+	backupCancelManager *backups_cancellation.BackupCancelManager
+	nodesRegistry       *BackupNodesRegistry
+	logger              *slog.Logger
+	createBackupUseCase backups_core.CreateBackupUsecase
+	nodeID              uuid.UUID
+
+	lastHeartbeat time.Time
+}
+
+func (n *BackuperNode) Run(ctx context.Context) {
+	n.lastHeartbeat = time.Now().UTC()
+
+	throughputMBs := config.GetEnv().NodeNetworkThroughputMBs
+
+	backupNode := BackupNode{
+		ID:            n.nodeID,
+		ThroughputMBs: throughputMBs,
+		LastHeartbeat: time.Now().UTC(),
+	}
+
+	if err := n.nodesRegistry.HearthbeatNodeInRegistry(time.Now().UTC(), backupNode); err != nil {
+		n.logger.Error("Failed to register node in registry", "error", err)
+		panic(err)
+	}
+
+	backupHandler := func(backupID uuid.UUID, isCallNotifier bool) {
+		n.MakeBackup(backupID, isCallNotifier)
+		if err := n.nodesRegistry.PublishBackupCompletion(n.nodeID.String(), backupID); err != nil {
+			n.logger.Error(
+				"Failed to publish backup completion",
+				"error",
+				err,
+				"backupID",
+				backupID,
+			)
+		}
+	}
+
+	if err := n.nodesRegistry.SubscribeNodeForBackupsAssignment(n.nodeID.String(), backupHandler); err != nil {
+		n.logger.Error("Failed to subscribe to backup assignments", "error", err)
+		panic(err)
+	}
+	defer func() {
+		if err := n.nodesRegistry.UnsubscribeNodeForBackupsAssignments(); err != nil {
+			n.logger.Error("Failed to unsubscribe from backup assignments", "error", err)
+		}
+	}()
+
+	ticker := time.NewTicker(15 * time.Second)
+	defer ticker.Stop()
+
+	n.logger.Info("Backup node started", "nodeID", n.nodeID, "throughput", throughputMBs)
+
+	for {
+		select {
+		case <-ctx.Done():
+			n.logger.Info("Shutdown signal received, unregistering node", "nodeID", n.nodeID)
+
+			if err := n.nodesRegistry.UnregisterNodeFromRegistry(backupNode); err != nil {
+				n.logger.Error("Failed to unregister node from registry", "error", err)
+			}
+
+			return
+		case <-ticker.C:
+			n.sendHeartbeat(&backupNode)
+		}
+	}
+}
+
+func (n *BackuperNode) IsBackuperRunning() bool {
+	return n.lastHeartbeat.After(time.Now().UTC().Add(-5 * time.Minute))
+}
+
+func (n *BackuperNode) MakeBackup(backupID uuid.UUID, isCallNotifier bool) {
+	backup, err := n.backupRepository.FindByID(backupID)
+	if err != nil {
+		n.logger.Error("Failed to get backup by ID", "backupId", backupID, "error", err)
+		return
+	}
+
+	databaseID := backup.DatabaseID
+
+	database, err := n.databaseService.GetDatabaseByID(databaseID)
+	if err != nil {
+		n.logger.Error("Failed to get database by ID", "databaseId", databaseID, "error", err)
+		return
+	}
+
+	backupConfig, err := n.backupConfigService.GetBackupConfigByDbId(databaseID)
+	if err != nil {
+		n.logger.Error("Failed to get backup config by database ID", "error", err)
+		return
+	}
+
+	if backupConfig.StorageID == nil {
+		n.logger.Error("Backup config storage ID is not defined")
+		return
+	}
+
+	storage, err := n.storageService.GetStorageByID(*backupConfig.StorageID)
+	if err != nil {
+		n.logger.Error("Failed to get storage by ID", "error", err)
+		return
+	}
+
+	start := time.Now().UTC()
+
+	backupProgressListener := func(
+		completedMBs float64,
+	) {
+		backup.BackupSizeMb = completedMBs
+		backup.BackupDurationMs = time.Since(start).Milliseconds()
+
+		if err := n.backupRepository.Save(backup); err != nil {
+			n.logger.Error("Failed to update backup progress", "error", err)
+		}
+	}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	n.backupCancelManager.RegisterBackup(backup.ID, cancel)
+	defer n.backupCancelManager.UnregisterBackup(backup.ID)
+
+	backupMetadata, err := n.createBackupUseCase.Execute(
+		ctx,
+		backup.ID,
+		backupConfig,
+		database,
+		storage,
+		backupProgressListener,
+	)
+	if err != nil {
+		errMsg := err.Error()
+
+		// Check if backup was cancelled (not due to shutdown)
+		isCancelled := strings.Contains(errMsg, "backup cancelled") ||
+			strings.Contains(errMsg, "context canceled") ||
+			errors.Is(err, context.Canceled)
+		isShutdown := strings.Contains(errMsg, "shutdown")
+
+		if isCancelled && !isShutdown {
+			backup.Status = backups_core.BackupStatusCanceled
+			backup.BackupDurationMs = time.Since(start).Milliseconds()
+			backup.BackupSizeMb = 0
+
+			if err := n.backupRepository.Save(backup); err != nil {
+				n.logger.Error("Failed to save cancelled backup", "error", err)
+			}
+
+			// Delete partial backup from storage
+			storage, storageErr := n.storageService.GetStorageByID(backup.StorageID)
+			if storageErr == nil {
+				if deleteErr := storage.DeleteFile(n.fieldEncryptor, backup.ID); deleteErr != nil {
+					n.logger.Error(
+						"Failed to delete partial backup file",
+						"backupId",
+						backup.ID,
+						"error",
+						deleteErr,
+					)
+				}
+			}
+
+			return
+		}
+
+		backup.FailMessage = &errMsg
+		backup.Status = backups_core.BackupStatusFailed
+		backup.BackupDurationMs = time.Since(start).Milliseconds()
+		backup.BackupSizeMb = 0
+
+		if updateErr := n.databaseService.SetBackupError(databaseID, errMsg); updateErr != nil {
+			n.logger.Error(
+				"Failed to update database last backup time",
+				"databaseId",
+				databaseID,
+				"error",
+				updateErr,
+			)
+		}
+
+		if err := n.backupRepository.Save(backup); err != nil {
+			n.logger.Error("Failed to save backup", "error", err)
+		}
+
+		n.SendBackupNotification(
+			backupConfig,
+			backup,
+			backups_config.NotificationBackupFailed,
+			&errMsg,
+		)
+
+		return
+	}
+
+	backup.Status = backups_core.BackupStatusCompleted
+	backup.BackupDurationMs = time.Since(start).Milliseconds()
+
+	// Update backup with encryption metadata if provided
+	if backupMetadata != nil {
+		backup.EncryptionSalt = backupMetadata.EncryptionSalt
+		backup.EncryptionIV = backupMetadata.EncryptionIV
+		backup.Encryption = backupMetadata.Encryption
+	}
+
+	if err := n.backupRepository.Save(backup); err != nil {
+		n.logger.Error("Failed to save backup", "error", err)
+		return
+	}
+
+	// Update database last backup time
+	now := time.Now().UTC()
+	if updateErr := n.databaseService.SetLastBackupTime(databaseID, now); updateErr != nil {
+		n.logger.Error(
+			"Failed to update database last backup time",
+			"databaseId",
+			databaseID,
+			"error",
+			updateErr,
+		)
+	}
+
+	if backup.Status != backups_core.BackupStatusCompleted && !isCallNotifier {
+		return
+	}
+
+	n.SendBackupNotification(
+		backupConfig,
+		backup,
+		backups_config.NotificationBackupSuccess,
+		nil,
+	)
+}
+
+func (n *BackuperNode) SendBackupNotification(
+	backupConfig *backups_config.BackupConfig,
+	backup *backups_core.Backup,
+	notificationType backups_config.BackupNotificationType,
+	errorMessage *string,
+) {
+	database, err := n.databaseService.GetDatabaseByID(backupConfig.DatabaseID)
+	if err != nil {
+		return
+	}
+
+	workspace, err := n.workspaceService.GetWorkspaceByID(*database.WorkspaceID)
+	if err != nil {
+		return
+	}
+
+	for _, notifier := range database.Notifiers {
+		if !slices.Contains(
+			backupConfig.SendNotificationsOn,
+			notificationType,
+		) {
+			continue
+		}
+
+		title := ""
+		switch notificationType {
+		case backups_config.NotificationBackupFailed:
+			title = fmt.Sprintf(
+				"❌ Backup failed for database \"%s\" (workspace \"%s\")",
+				database.Name,
+				workspace.Name,
+			)
+		case backups_config.NotificationBackupSuccess:
+			title = fmt.Sprintf(
+				"✅ Backup completed for database \"%s\" (workspace \"%s\")",
+				database.Name,
+				workspace.Name,
+			)
+		}
+
+		message := ""
+		if errorMessage != nil {
+			message = *errorMessage
+		} else {
+			// Format size conditionally
+			var sizeStr string
+			if backup.BackupSizeMb < 1024 {
+				sizeStr = fmt.Sprintf("%.2f MB", backup.BackupSizeMb)
+			} else {
+				sizeGB := backup.BackupSizeMb / 1024
+				sizeStr = fmt.Sprintf("%.2f GB", sizeGB)
+			}
+
+			// Format duration as "0m 0s 0ms"
+			totalMs := backup.BackupDurationMs
+			minutes := totalMs / (1000 * 60)
+			seconds := (totalMs % (1000 * 60)) / 1000
+			durationStr := fmt.Sprintf("%dm %ds", minutes, seconds)
+
+			message = fmt.Sprintf(
+				"Backup completed successfully in %s.\nCompressed backup size: %s",
+				durationStr,
+				sizeStr,
+			)
+		}
+
+		n.notificationSender.SendNotification(
+			&notifier,
+			title,
+			message,
+		)
+	}
+}
+
+func (n *BackuperNode) sendHeartbeat(backupNode *BackupNode) {
+	n.lastHeartbeat = time.Now().UTC()
+	backupNode.LastHeartbeat = time.Now().UTC()
+	if err := n.nodesRegistry.HearthbeatNodeInRegistry(time.Now().UTC(), *backupNode); err != nil {
+		n.logger.Error("Failed to send heartbeat", "error", err)
+	}
+}
--- a/backend/internal/features/backups/backups/backuping/backuper_test.go
+++ b/backend/internal/features/backups/backups/backuping/backuper_test.go
@@ -1,4 +1,4 @@
-package backups
+package backuping

 import (
 	"context"
@@ -7,18 +7,16 @@ import (
 	"testing"
 	"time"

-	"databasus-backend/internal/features/backups/backups/usecases/common"
+	common "databasus-backend/internal/features/backups/backups/common"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
-	encryption_secrets "databasus-backend/internal/features/encryption/secrets"
 	"databasus-backend/internal/features/notifiers"
 	"databasus-backend/internal/features/storages"
 	users_enums "databasus-backend/internal/features/users/enums"
 	users_testing "databasus-backend/internal/features/users/testing"
-	workspaces_services "databasus-backend/internal/features/workspaces/services"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
-	"databasus-backend/internal/util/encryption"
-	"databasus-backend/internal/util/logger"
+	cache_utils "databasus-backend/internal/util/cache"

 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"
@@ -26,6 +24,7 @@ import (
 )

 func Test_BackupExecuted_NotificationSent(t *testing.T) {
+	cache_utils.ClearAllCache()
 	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
 	router := CreateTestRouter()
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
@@ -50,22 +49,19 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {

 	t.Run("BackupFailed_FailNotificationSent", func(t *testing.T) {
 		mockNotificationSender := &MockNotificationSender{}
-		backupService := &BackupService{
-			databases.GetDatabaseService(),
-			storages.GetStorageService(),
-			backupRepository,
-			notifiers.GetNotifierService(),
-			mockNotificationSender,
-			backups_config.GetBackupConfigService(),
-			encryption_secrets.GetSecretKeyService(),
-			encryption.GetFieldEncryptor(),
-			&CreateFailedBackupUsecase{},
-			logger.GetLogger(),
-			[]BackupRemoveListener{},
-			workspaces_services.GetWorkspaceService(),
-			nil,
-			NewBackupContextManager(),
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.notificationSender = mockNotificationSender
+		backuperNode.createBackupUseCase = &CreateFailedBackupUsecase{}
+
+		// Create a backup record directly that will be looked up by MakeBackup
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
 		}
+		err := backupRepository.Save(backup)
+		assert.NoError(t, err)

 		// Set up expectations
 		mockNotificationSender.On("SendNotification",
@@ -78,7 +74,7 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			}),
 		).Once()

-		backupService.MakeBackup(database.ID, true)
+		backuperNode.MakeBackup(backup.ID, true)

 		// Verify all expectations were met
 		mockNotificationSender.AssertExpectations(t)
@@ -86,6 +82,19 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {

 	t.Run("BackupSuccess_SuccessNotificationSent", func(t *testing.T) {
 		mockNotificationSender := &MockNotificationSender{}
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.notificationSender = mockNotificationSender
+		backuperNode.createBackupUseCase = &CreateSuccessBackupUsecase{}
+
+		// Create a backup record directly that will be looked up by MakeBackup
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
+		}
+		err := backupRepository.Save(backup)
+		assert.NoError(t, err)

 		// Set up expectations
 		mockNotificationSender.On("SendNotification",
@@ -98,24 +107,7 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			}),
 		).Once()

-		backupService := &BackupService{
-			databases.GetDatabaseService(),
-			storages.GetStorageService(),
-			backupRepository,
-			notifiers.GetNotifierService(),
-			mockNotificationSender,
-			backups_config.GetBackupConfigService(),
-			encryption_secrets.GetSecretKeyService(),
-			encryption.GetFieldEncryptor(),
-			&CreateSuccessBackupUsecase{},
-			logger.GetLogger(),
-			[]BackupRemoveListener{},
-			workspaces_services.GetWorkspaceService(),
-			nil,
-			NewBackupContextManager(),
-		}
-
-		backupService.MakeBackup(database.ID, true)
+		backuperNode.MakeBackup(backup.ID, true)

 		// Verify all expectations were met
 		mockNotificationSender.AssertExpectations(t)
@@ -123,22 +115,19 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {

 	t.Run("BackupSuccess_VerifyNotificationContent", func(t *testing.T) {
 		mockNotificationSender := &MockNotificationSender{}
-		backupService := &BackupService{
-			databases.GetDatabaseService(),
-			storages.GetStorageService(),
-			backupRepository,
-			notifiers.GetNotifierService(),
-			mockNotificationSender,
-			backups_config.GetBackupConfigService(),
-			encryption_secrets.GetSecretKeyService(),
-			encryption.GetFieldEncryptor(),
-			&CreateSuccessBackupUsecase{},
-			logger.GetLogger(),
-			[]BackupRemoveListener{},
-			workspaces_services.GetWorkspaceService(),
-			nil,
-			NewBackupContextManager(),
+		backuperNode := CreateTestBackuperNode()
+		backuperNode.notificationSender = mockNotificationSender
+		backuperNode.createBackupUseCase = &CreateSuccessBackupUsecase{}
+
+		// Create a backup record directly that will be looked up by MakeBackup
+		backup := &backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+			Status:     backups_core.BackupStatusInProgress,
+			CreatedAt:  time.Now().UTC(),
 		}
+		err := backupRepository.Save(backup)
+		assert.NoError(t, err)

 		// capture arguments
 		var capturedNotifier *notifiers.Notifier
@@ -155,7 +144,7 @@ func Test_BackupExecuted_NotificationSent(t *testing.T) {
 			capturedMessage = args.Get(2).(string)
 		}).Once()

-		backupService.MakeBackup(database.ID, true)
+		backuperNode.MakeBackup(backup.ID, true)

 		// Verify expectations were met
 		mockNotificationSender.AssertExpectations(t)
--- a/backend/internal/features/backups/backups/backuping/di.go
+++ b/backend/internal/features/backups/backups/backuping/di.go
@@ -0,0 +1,77 @@
+package backuping
+
+import (
+	"databasus-backend/internal/config"
+	backups_cancellation "databasus-backend/internal/features/backups/backups/cancellation"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	"databasus-backend/internal/features/backups/backups/usecases"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	workspaces_services "databasus-backend/internal/features/workspaces/services"
+	cache_utils "databasus-backend/internal/util/cache"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/logger"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+var backupRepository = &backups_core.BackupRepository{}
+
+var backupCancelManager = backups_cancellation.GetBackupCancelManager()
+
+var nodesRegistry = &BackupNodesRegistry{
+	cache_utils.GetValkeyClient(),
+	logger.GetLogger(),
+	cache_utils.DefaultCacheTimeout,
+	cache_utils.NewPubSubManager(),
+	cache_utils.NewPubSubManager(),
+}
+
+func getNodeID() uuid.UUID {
+	nodeIDStr := config.GetEnv().NodeID
+	nodeID, err := uuid.Parse(nodeIDStr)
+	if err != nil {
+		logger.GetLogger().Error("Failed to parse node ID from config", "error", err)
+		panic(err)
+	}
+	return nodeID
+}
+
+var backuperNode = &BackuperNode{
+	databases.GetDatabaseService(),
+	encryption.GetFieldEncryptor(),
+	workspaces_services.GetWorkspaceService(),
+	backupRepository,
+	backups_config.GetBackupConfigService(),
+	storages.GetStorageService(),
+	notifiers.GetNotifierService(),
+	backupCancelManager,
+	nodesRegistry,
+	logger.GetLogger(),
+	usecases.GetCreateBackupUsecase(),
+	getNodeID(),
+	time.Time{},
+}
+
+var backupsScheduler = &BackupsScheduler{
+	backupRepository,
+	backups_config.GetBackupConfigService(),
+	storages.GetStorageService(),
+	backupCancelManager,
+	nodesRegistry,
+	time.Now().UTC(),
+	logger.GetLogger(),
+	make(map[uuid.UUID]BackupToNodeRelation),
+	backuperNode,
+}
+
+func GetBackupsScheduler() *BackupsScheduler {
+	return backupsScheduler
+}
+
+func GetBackuperNode() *BackuperNode {
+	return backuperNode
+}
--- a/backend/internal/features/backups/backups/backuping/dto.go
+++ b/backend/internal/features/backups/backups/backuping/dto.go
@@ -0,0 +1,34 @@
+package backuping
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type BackupNode struct {
+	ID            uuid.UUID `json:"id"`
+	ThroughputMBs int       `json:"throughputMBs"`
+	LastHeartbeat time.Time `json:"lastHeartbeat"`
+}
+
+type BackupNodeStats struct {
+	ID            uuid.UUID `json:"id"`
+	ActiveBackups int       `json:"activeBackups"`
+}
+
+type BackupSubmitMessage struct {
+	NodeID         string `json:"nodeId"`
+	BackupID       string `json:"backupId"`
+	IsCallNotifier bool   `json:"isCallNotifier"`
+}
+
+type BackupCompletionMessage struct {
+	NodeID   string `json:"nodeId"`
+	BackupID string `json:"backupId"`
+}
+
+type BackupToNodeRelation struct {
+	NodeID     uuid.UUID   `json:"nodeId"`
+	BackupsIDs []uuid.UUID `json:"backupsIds"`
+}
--- a/backend/internal/features/backups/backups/backuping/mocks.go
+++ b/backend/internal/features/backups/backups/backuping/mocks.go
@@ -1,4 +1,4 @@
-package backups
+package backuping

 import (
 	"databasus-backend/internal/features/notifiers"
--- a/backend/internal/features/backups/backups/backuping/registry.go
+++ b/backend/internal/features/backups/backups/backuping/registry.go
@@ -0,0 +1,448 @@
+package backuping
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"strings"
+	"time"
+
+	cache_utils "databasus-backend/internal/util/cache"
+
+	"github.com/google/uuid"
+	"github.com/valkey-io/valkey-go"
+)
+
+const (
+	nodeInfoKeyPrefix       = "node:"
+	nodeInfoKeySuffix       = ":info"
+	nodeActiveBackupsPrefix = "node:"
+	nodeActiveBackupsSuffix = ":active_backups"
+	backupSubmitChannel     = "backup:submit"
+	backupCompletionChannel = "backup:completion"
+)
+
+// BackupNodesRegistry helps to sync backups scheduler and backup nodes.
+// Features:
+// - Track node availability and load level
+// - Assign from scheduler to node backups needed to be processed
+// - Notify scheduler from node about backup completion
+type BackupNodesRegistry struct {
+	client            valkey.Client
+	logger            *slog.Logger
+	timeout           time.Duration
+	pubsubBackups     *cache_utils.PubSubManager
+	pubsubCompletions *cache_utils.PubSubManager
+}
+
+func (r *BackupNodesRegistry) GetAvailableNodes() ([]BackupNode, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	var allKeys []string
+	cursor := uint64(0)
+	pattern := nodeInfoKeyPrefix + "*" + nodeInfoKeySuffix
+
+	for {
+		result := r.client.Do(
+			ctx,
+			r.client.B().Scan().Cursor(cursor).Match(pattern).Count(1_000).Build(),
+		)
+
+		if result.Error() != nil {
+			return nil, fmt.Errorf("failed to scan node keys: %w", result.Error())
+		}
+
+		scanResult, err := result.AsScanEntry()
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse scan result: %w", err)
+		}
+
+		allKeys = append(allKeys, scanResult.Elements...)
+
+		cursor = scanResult.Cursor
+		if cursor == 0 {
+			break
+		}
+	}
+
+	if len(allKeys) == 0 {
+		return []BackupNode{}, nil
+	}
+
+	keyDataMap, err := r.pipelineGetKeys(allKeys)
+	if err != nil {
+		return nil, fmt.Errorf("failed to pipeline get node keys: %w", err)
+	}
+
+	var nodes []BackupNode
+	for key, data := range keyDataMap {
+		var node BackupNode
+		if err := json.Unmarshal(data, &node); err != nil {
+			r.logger.Warn("Failed to unmarshal node data", "key", key, "error", err)
+			continue
+		}
+		nodes = append(nodes, node)
+	}
+
+	return nodes, nil
+}
+
+func (r *BackupNodesRegistry) GetBackupNodesStats() ([]BackupNodeStats, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	var allKeys []string
+	cursor := uint64(0)
+	pattern := nodeActiveBackupsPrefix + "*" + nodeActiveBackupsSuffix
+
+	for {
+		result := r.client.Do(
+			ctx,
+			r.client.B().Scan().Cursor(cursor).Match(pattern).Count(100).Build(),
+		)
+
+		if result.Error() != nil {
+			return nil, fmt.Errorf("failed to scan active backups keys: %w", result.Error())
+		}
+
+		scanResult, err := result.AsScanEntry()
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse scan result: %w", err)
+		}
+
+		allKeys = append(allKeys, scanResult.Elements...)
+
+		cursor = scanResult.Cursor
+		if cursor == 0 {
+			break
+		}
+	}
+
+	if len(allKeys) == 0 {
+		return []BackupNodeStats{}, nil
+	}
+
+	keyDataMap, err := r.pipelineGetKeys(allKeys)
+	if err != nil {
+		return nil, fmt.Errorf("failed to pipeline get active backups keys: %w", err)
+	}
+
+	var stats []BackupNodeStats
+	for key, data := range keyDataMap {
+		nodeID := r.extractNodeIDFromKey(key, nodeActiveBackupsPrefix, nodeActiveBackupsSuffix)
+
+		count, err := r.parseIntFromBytes(data)
+		if err != nil {
+			r.logger.Warn("Failed to parse active backups count", "key", key, "error", err)
+			continue
+		}
+
+		stat := BackupNodeStats{
+			ID:            nodeID,
+			ActiveBackups: int(count),
+		}
+		stats = append(stats, stat)
+	}
+
+	return stats, nil
+}
+
+func (r *BackupNodesRegistry) IncrementBackupsInProgress(nodeID string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	key := fmt.Sprintf("%s%s%s", nodeActiveBackupsPrefix, nodeID, nodeActiveBackupsSuffix)
+	result := r.client.Do(ctx, r.client.B().Incr().Key(key).Build())
+
+	if result.Error() != nil {
+		return fmt.Errorf(
+			"failed to increment backups in progress for node %s: %w",
+			nodeID,
+			result.Error(),
+		)
+	}
+
+	return nil
+}
+
+func (r *BackupNodesRegistry) DecrementBackupsInProgress(nodeID string) error {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	key := fmt.Sprintf("%s%s%s", nodeActiveBackupsPrefix, nodeID, nodeActiveBackupsSuffix)
+	result := r.client.Do(ctx, r.client.B().Decr().Key(key).Build())
+
+	if result.Error() != nil {
+		return fmt.Errorf(
+			"failed to decrement backups in progress for node %s: %w",
+			nodeID,
+			result.Error(),
+		)
+	}
+
+	newValue, err := result.AsInt64()
+	if err != nil {
+		return fmt.Errorf("failed to parse decremented value for node %s: %w", nodeID, err)
+	}
+
+	if newValue < 0 {
+		setCtx, setCancel := context.WithTimeout(context.Background(), r.timeout)
+		r.client.Do(setCtx, r.client.B().Set().Key(key).Value("0").Build())
+		setCancel()
+		r.logger.Warn("Active backups counter went below 0, reset to 0", "nodeID", nodeID)
+	}
+
+	return nil
+}
+
+func (r *BackupNodesRegistry) HearthbeatNodeInRegistry(now time.Time, backupNode BackupNode) error {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	backupNode.LastHeartbeat = now
+
+	data, err := json.Marshal(backupNode)
+	if err != nil {
+		return fmt.Errorf("failed to marshal backup node: %w", err)
+	}
+
+	key := fmt.Sprintf("%s%s%s", nodeInfoKeyPrefix, backupNode.ID.String(), nodeInfoKeySuffix)
+	result := r.client.Do(
+		ctx,
+		r.client.B().Set().Key(key).Value(string(data)).Build(),
+	)
+
+	if result.Error() != nil {
+		return fmt.Errorf("failed to register node %s: %w", backupNode.ID, result.Error())
+	}
+
+	return nil
+}
+
+func (r *BackupNodesRegistry) UnregisterNodeFromRegistry(backupNode BackupNode) error {
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	infoKey := fmt.Sprintf("%s%s%s", nodeInfoKeyPrefix, backupNode.ID.String(), nodeInfoKeySuffix)
+	counterKey := fmt.Sprintf(
+		"%s%s%s",
+		nodeActiveBackupsPrefix,
+		backupNode.ID.String(),
+		nodeActiveBackupsSuffix,
+	)
+
+	result := r.client.Do(
+		ctx,
+		r.client.B().Del().Key(infoKey, counterKey).Build(),
+	)
+
+	if result.Error() != nil {
+		return fmt.Errorf("failed to unregister node %s: %w", backupNode.ID, result.Error())
+	}
+
+	r.logger.Info("Unregistered node from registry", "nodeID", backupNode.ID)
+	return nil
+}
+
+func (r *BackupNodesRegistry) AssignBackupToNode(
+	targetNodeID string,
+	backupID uuid.UUID,
+	isCallNotifier bool,
+) error {
+	ctx := context.Background()
+
+	message := BackupSubmitMessage{
+		NodeID:         targetNodeID,
+		BackupID:       backupID.String(),
+		IsCallNotifier: isCallNotifier,
+	}
+
+	messageJSON, err := json.Marshal(message)
+	if err != nil {
+		return fmt.Errorf("failed to marshal backup submit message: %w", err)
+	}
+
+	err = r.pubsubBackups.Publish(ctx, backupSubmitChannel, string(messageJSON))
+	if err != nil {
+		return fmt.Errorf("failed to publish backup submit message: %w", err)
+	}
+
+	return nil
+}
+
+func (r *BackupNodesRegistry) SubscribeNodeForBackupsAssignment(
+	nodeID string,
+	handler func(backupID uuid.UUID, isCallNotifier bool),
+) error {
+	ctx := context.Background()
+
+	wrappedHandler := func(message string) {
+		var msg BackupSubmitMessage
+		if err := json.Unmarshal([]byte(message), &msg); err != nil {
+			r.logger.Warn("Failed to unmarshal backup submit message", "error", err)
+			return
+		}
+
+		if msg.NodeID != nodeID {
+			return
+		}
+
+		backupID, err := uuid.Parse(msg.BackupID)
+		if err != nil {
+			r.logger.Warn(
+				"Failed to parse backup ID from message",
+				"backupId",
+				msg.BackupID,
+				"error",
+				err,
+			)
+			return
+		}
+
+		handler(backupID, msg.IsCallNotifier)
+	}
+
+	err := r.pubsubBackups.Subscribe(ctx, backupSubmitChannel, wrappedHandler)
+	if err != nil {
+		return fmt.Errorf("failed to subscribe to backup submit channel: %w", err)
+	}
+
+	r.logger.Info("Subscribed to backup submit channel", "nodeID", nodeID)
+	return nil
+}
+
+func (r *BackupNodesRegistry) UnsubscribeNodeForBackupsAssignments() error {
+	err := r.pubsubBackups.Close()
+	if err != nil {
+		return fmt.Errorf("failed to unsubscribe from backup submit channel: %w", err)
+	}
+
+	r.logger.Info("Unsubscribed from backup submit channel")
+	return nil
+}
+
+func (r *BackupNodesRegistry) PublishBackupCompletion(nodeID string, backupID uuid.UUID) error {
+	ctx := context.Background()
+
+	message := BackupCompletionMessage{
+		NodeID:   nodeID,
+		BackupID: backupID.String(),
+	}
+
+	messageJSON, err := json.Marshal(message)
+	if err != nil {
+		return fmt.Errorf("failed to marshal backup completion message: %w", err)
+	}
+
+	err = r.pubsubCompletions.Publish(ctx, backupCompletionChannel, string(messageJSON))
+	if err != nil {
+		return fmt.Errorf("failed to publish backup completion message: %w", err)
+	}
+
+	return nil
+}
+
+func (r *BackupNodesRegistry) SubscribeForBackupsCompletions(
+	handler func(nodeID string, backupID uuid.UUID),
+) error {
+	ctx := context.Background()
+
+	wrappedHandler := func(message string) {
+		var msg BackupCompletionMessage
+		if err := json.Unmarshal([]byte(message), &msg); err != nil {
+			r.logger.Warn("Failed to unmarshal backup completion message", "error", err)
+			return
+		}
+
+		backupID, err := uuid.Parse(msg.BackupID)
+		if err != nil {
+			r.logger.Warn(
+				"Failed to parse backup ID from completion message",
+				"backupId",
+				msg.BackupID,
+				"error",
+				err,
+			)
+			return
+		}
+
+		handler(msg.NodeID, backupID)
+	}
+
+	err := r.pubsubCompletions.Subscribe(ctx, backupCompletionChannel, wrappedHandler)
+	if err != nil {
+		return fmt.Errorf("failed to subscribe to backup completion channel: %w", err)
+	}
+
+	r.logger.Info("Subscribed to backup completion channel")
+	return nil
+}
+
+func (r *BackupNodesRegistry) UnsubscribeForBackupsCompletions() error {
+	err := r.pubsubCompletions.Close()
+	if err != nil {
+		return fmt.Errorf("failed to unsubscribe from backup completion channel: %w", err)
+	}
+
+	r.logger.Info("Unsubscribed from backup completion channel")
+	return nil
+}
+
+func (r *BackupNodesRegistry) extractNodeIDFromKey(key, prefix, suffix string) uuid.UUID {
+	nodeIDStr := strings.TrimPrefix(key, prefix)
+	nodeIDStr = strings.TrimSuffix(nodeIDStr, suffix)
+
+	nodeID, err := uuid.Parse(nodeIDStr)
+	if err != nil {
+		r.logger.Warn("Failed to parse node ID from key", "key", key, "error", err)
+		return uuid.Nil
+	}
+
+	return nodeID
+}
+
+func (r *BackupNodesRegistry) pipelineGetKeys(keys []string) (map[string][]byte, error) {
+	if len(keys) == 0 {
+		return make(map[string][]byte), nil
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), r.timeout)
+	defer cancel()
+
+	commands := make([]valkey.Completed, 0, len(keys))
+	for _, key := range keys {
+		commands = append(commands, r.client.B().Get().Key(key).Build())
+	}
+
+	results := r.client.DoMulti(ctx, commands...)
+
+	keyDataMap := make(map[string][]byte, len(keys))
+	for i, result := range results {
+		if result.Error() != nil {
+			r.logger.Warn("Failed to get key in pipeline", "key", keys[i], "error", result.Error())
+			continue
+		}
+
+		data, err := result.AsBytes()
+		if err != nil {
+			r.logger.Warn("Failed to parse key data in pipeline", "key", keys[i], "error", err)
+			continue
+		}
+
+		keyDataMap[keys[i]] = data
+	}
+
+	return keyDataMap, nil
+}
+
+func (r *BackupNodesRegistry) parseIntFromBytes(data []byte) (int64, error) {
+	str := string(data)
+	var count int64
+	_, err := fmt.Sscanf(str, "%d", &count)
+	if err != nil {
+		return 0, fmt.Errorf("failed to parse integer from bytes: %w", err)
+	}
+	return count, nil
+}
--- a/backend/internal/features/backups/backups/backuping/registry_test.go
+++ b/backend/internal/features/backups/backups/backuping/registry_test.go
@@ -0,0 +1,904 @@
+package backuping
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	cache_utils "databasus-backend/internal/util/cache"
+	"databasus-backend/internal/util/logger"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_HearthbeatNodeInRegistry_RegistersNodeWithTTL(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	defer cleanupTestNode(registry, node)
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node)
+	assert.NoError(t, err)
+
+	nodes, err := registry.GetAvailableNodes()
+	assert.NoError(t, err)
+	assert.Len(t, nodes, 1)
+	assert.Equal(t, node.ID, nodes[0].ID)
+	assert.Equal(t, node.ThroughputMBs, nodes[0].ThroughputMBs)
+}
+
+func Test_UnregisterNodeFromRegistry_RemovesNodeAndCounter(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node)
+	assert.NoError(t, err)
+
+	err = registry.IncrementBackupsInProgress(node.ID.String())
+	assert.NoError(t, err)
+
+	err = registry.UnregisterNodeFromRegistry(node)
+	assert.NoError(t, err)
+
+	nodes, err := registry.GetAvailableNodes()
+	assert.NoError(t, err)
+	assert.Empty(t, nodes)
+
+	stats, err := registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	assert.Empty(t, stats)
+}
+
+func Test_GetAvailableNodes_ReturnsAllRegisteredNodes(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node1 := createTestBackupNode()
+	node2 := createTestBackupNode()
+	node3 := createTestBackupNode()
+	defer cleanupTestNode(registry, node1)
+	defer cleanupTestNode(registry, node2)
+	defer cleanupTestNode(registry, node3)
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node1)
+	assert.NoError(t, err)
+	err = registry.HearthbeatNodeInRegistry(time.Now().UTC(), node2)
+	assert.NoError(t, err)
+	err = registry.HearthbeatNodeInRegistry(time.Now().UTC(), node3)
+	assert.NoError(t, err)
+
+	nodes, err := registry.GetAvailableNodes()
+	assert.NoError(t, err)
+	assert.Len(t, nodes, 3)
+
+	nodeIDs := make(map[uuid.UUID]bool)
+	for _, node := range nodes {
+		nodeIDs[node.ID] = true
+	}
+	assert.True(t, nodeIDs[node1.ID])
+	assert.True(t, nodeIDs[node2.ID])
+	assert.True(t, nodeIDs[node3.ID])
+}
+
+func Test_GetAvailableNodes_WhenNoNodesExist_ReturnsEmptySlice(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+
+	nodes, err := registry.GetAvailableNodes()
+	assert.NoError(t, err)
+	assert.NotNil(t, nodes)
+	assert.Empty(t, nodes)
+}
+
+func Test_IncrementBackupsInProgress_IncrementsCounter(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	defer cleanupTestNode(registry, node)
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node)
+	assert.NoError(t, err)
+
+	err = registry.IncrementBackupsInProgress(node.ID.String())
+	assert.NoError(t, err)
+
+	stats, err := registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	assert.Len(t, stats, 1)
+	assert.Equal(t, node.ID, stats[0].ID)
+	assert.Equal(t, 1, stats[0].ActiveBackups)
+
+	err = registry.IncrementBackupsInProgress(node.ID.String())
+	assert.NoError(t, err)
+
+	stats, err = registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	assert.Len(t, stats, 1)
+	assert.Equal(t, 2, stats[0].ActiveBackups)
+}
+
+func Test_DecrementBackupsInProgress_DecrementsCounter(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	defer cleanupTestNode(registry, node)
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node)
+	assert.NoError(t, err)
+
+	err = registry.IncrementBackupsInProgress(node.ID.String())
+	assert.NoError(t, err)
+	err = registry.IncrementBackupsInProgress(node.ID.String())
+	assert.NoError(t, err)
+	err = registry.IncrementBackupsInProgress(node.ID.String())
+	assert.NoError(t, err)
+
+	stats, err := registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	assert.Equal(t, 3, stats[0].ActiveBackups)
+
+	err = registry.DecrementBackupsInProgress(node.ID.String())
+	assert.NoError(t, err)
+
+	stats, err = registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	assert.Equal(t, 2, stats[0].ActiveBackups)
+
+	err = registry.DecrementBackupsInProgress(node.ID.String())
+	assert.NoError(t, err)
+
+	stats, err = registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	assert.Equal(t, 1, stats[0].ActiveBackups)
+}
+
+func Test_DecrementBackupsInProgress_WhenNegative_ResetsToZero(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	defer cleanupTestNode(registry, node)
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node)
+	assert.NoError(t, err)
+
+	err = registry.DecrementBackupsInProgress(node.ID.String())
+	assert.NoError(t, err)
+
+	stats, err := registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	assert.Len(t, stats, 1)
+	assert.Equal(t, 0, stats[0].ActiveBackups)
+}
+
+func Test_GetBackupNodesStats_ReturnsStatsForAllNodes(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node1 := createTestBackupNode()
+	node2 := createTestBackupNode()
+	node3 := createTestBackupNode()
+	defer cleanupTestNode(registry, node1)
+	defer cleanupTestNode(registry, node2)
+	defer cleanupTestNode(registry, node3)
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node1)
+	assert.NoError(t, err)
+	err = registry.HearthbeatNodeInRegistry(time.Now().UTC(), node2)
+	assert.NoError(t, err)
+	err = registry.HearthbeatNodeInRegistry(time.Now().UTC(), node3)
+	assert.NoError(t, err)
+
+	err = registry.IncrementBackupsInProgress(node1.ID.String())
+	assert.NoError(t, err)
+
+	err = registry.IncrementBackupsInProgress(node2.ID.String())
+	assert.NoError(t, err)
+	err = registry.IncrementBackupsInProgress(node2.ID.String())
+	assert.NoError(t, err)
+
+	err = registry.IncrementBackupsInProgress(node3.ID.String())
+	assert.NoError(t, err)
+	err = registry.IncrementBackupsInProgress(node3.ID.String())
+	assert.NoError(t, err)
+	err = registry.IncrementBackupsInProgress(node3.ID.String())
+	assert.NoError(t, err)
+
+	stats, err := registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	assert.Len(t, stats, 3)
+
+	statsMap := make(map[uuid.UUID]int)
+	for _, stat := range stats {
+		statsMap[stat.ID] = stat.ActiveBackups
+	}
+
+	assert.Equal(t, 1, statsMap[node1.ID])
+	assert.Equal(t, 2, statsMap[node2.ID])
+	assert.Equal(t, 3, statsMap[node3.ID])
+}
+
+func Test_GetBackupNodesStats_WhenNoStats_ReturnsEmptySlice(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+
+	stats, err := registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	assert.NotNil(t, stats)
+	assert.Empty(t, stats)
+}
+
+func Test_MultipleNodes_RegisteredAndQueriedCorrectly(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node1 := createTestBackupNode()
+	node1.ThroughputMBs = 50
+	node2 := createTestBackupNode()
+	node2.ThroughputMBs = 100
+	node3 := createTestBackupNode()
+	node3.ThroughputMBs = 150
+	defer cleanupTestNode(registry, node1)
+	defer cleanupTestNode(registry, node2)
+	defer cleanupTestNode(registry, node3)
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node1)
+	assert.NoError(t, err)
+	err = registry.HearthbeatNodeInRegistry(time.Now().UTC(), node2)
+	assert.NoError(t, err)
+	err = registry.HearthbeatNodeInRegistry(time.Now().UTC(), node3)
+	assert.NoError(t, err)
+
+	nodes, err := registry.GetAvailableNodes()
+	assert.NoError(t, err)
+	assert.Len(t, nodes, 3)
+
+	nodeMap := make(map[uuid.UUID]BackupNode)
+	for _, node := range nodes {
+		nodeMap[node.ID] = node
+	}
+
+	assert.Equal(t, 50, nodeMap[node1.ID].ThroughputMBs)
+	assert.Equal(t, 100, nodeMap[node2.ID].ThroughputMBs)
+	assert.Equal(t, 150, nodeMap[node3.ID].ThroughputMBs)
+}
+
+func Test_BackupCounters_TrackedSeparatelyPerNode(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node1 := createTestBackupNode()
+	node2 := createTestBackupNode()
+	defer cleanupTestNode(registry, node1)
+	defer cleanupTestNode(registry, node2)
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node1)
+	assert.NoError(t, err)
+	err = registry.HearthbeatNodeInRegistry(time.Now().UTC(), node2)
+	assert.NoError(t, err)
+
+	err = registry.IncrementBackupsInProgress(node1.ID.String())
+	assert.NoError(t, err)
+	err = registry.IncrementBackupsInProgress(node1.ID.String())
+	assert.NoError(t, err)
+
+	err = registry.IncrementBackupsInProgress(node2.ID.String())
+	assert.NoError(t, err)
+
+	stats, err := registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	assert.Len(t, stats, 2)
+
+	statsMap := make(map[uuid.UUID]int)
+	for _, stat := range stats {
+		statsMap[stat.ID] = stat.ActiveBackups
+	}
+
+	assert.Equal(t, 2, statsMap[node1.ID])
+	assert.Equal(t, 1, statsMap[node2.ID])
+
+	err = registry.DecrementBackupsInProgress(node1.ID.String())
+	assert.NoError(t, err)
+
+	stats, err = registry.GetBackupNodesStats()
+	assert.NoError(t, err)
+
+	statsMap = make(map[uuid.UUID]int)
+	for _, stat := range stats {
+		statsMap[stat.ID] = stat.ActiveBackups
+	}
+
+	assert.Equal(t, 1, statsMap[node1.ID])
+	assert.Equal(t, 1, statsMap[node2.ID])
+}
+
+func Test_GetAvailableNodes_SkipsInvalidJsonData(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	defer cleanupTestNode(registry, node)
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node)
+	assert.NoError(t, err)
+
+	ctx, cancel := context.WithTimeout(context.Background(), registry.timeout)
+	defer cancel()
+
+	invalidKey := nodeInfoKeyPrefix + uuid.New().String() + nodeInfoKeySuffix
+	registry.client.Do(
+		ctx,
+		registry.client.B().Set().Key(invalidKey).Value("invalid json data").Build(),
+	)
+	defer func() {
+		cleanupCtx, cleanupCancel := context.WithTimeout(context.Background(), registry.timeout)
+		defer cleanupCancel()
+		registry.client.Do(cleanupCtx, registry.client.B().Del().Key(invalidKey).Build())
+	}()
+
+	nodes, err := registry.GetAvailableNodes()
+	assert.NoError(t, err)
+	assert.Len(t, nodes, 1)
+	assert.Equal(t, node.ID, nodes[0].ID)
+}
+
+func Test_PipelineGetKeys_HandlesEmptyKeysList(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+
+	keyDataMap, err := registry.pipelineGetKeys([]string{})
+	assert.NoError(t, err)
+	assert.NotNil(t, keyDataMap)
+	assert.Empty(t, keyDataMap)
+}
+
+func Test_HearthbeatNodeInRegistry_UpdatesLastHeartbeat(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	originalHeartbeat := node.LastHeartbeat
+	defer cleanupTestNode(registry, node)
+
+	time.Sleep(10 * time.Millisecond)
+
+	err := registry.HearthbeatNodeInRegistry(time.Now().UTC(), node)
+	assert.NoError(t, err)
+
+	nodes, err := registry.GetAvailableNodes()
+	assert.NoError(t, err)
+	assert.Len(t, nodes, 1)
+	assert.True(t, nodes[0].LastHeartbeat.After(originalHeartbeat))
+}
+
+func createTestRegistry() *BackupNodesRegistry {
+	return &BackupNodesRegistry{
+		cache_utils.GetValkeyClient(),
+		logger.GetLogger(),
+		cache_utils.DefaultCacheTimeout,
+		cache_utils.NewPubSubManager(),
+		cache_utils.NewPubSubManager(),
+	}
+}
+
+func createTestBackupNode() BackupNode {
+	return BackupNode{
+		ID:            uuid.New(),
+		ThroughputMBs: 100,
+		LastHeartbeat: time.Now().UTC(),
+	}
+}
+
+func cleanupTestNode(registry *BackupNodesRegistry, node BackupNode) {
+	registry.UnregisterNodeFromRegistry(node)
+}
+
+func Test_AssignBackupTonode_PublishesJsonMessageToChannel(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	backupID := uuid.New()
+
+	err := registry.AssignBackupToNode(node.ID.String(), backupID, true)
+	assert.NoError(t, err)
+}
+
+func Test_SubscribeNodeForBackupsAssignment_ReceivesSubmittedBackupsForMatchingNode(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	backupID := uuid.New()
+	defer registry.UnsubscribeNodeForBackupsAssignments()
+
+	receivedBackupID := make(chan uuid.UUID, 1)
+	handler := func(id uuid.UUID, isCallNotifier bool) {
+		receivedBackupID <- id
+	}
+
+	err := registry.SubscribeNodeForBackupsAssignment(node.ID.String(), handler)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	err = registry.AssignBackupToNode(node.ID.String(), backupID, true)
+	assert.NoError(t, err)
+
+	select {
+	case received := <-receivedBackupID:
+		assert.Equal(t, backupID, received)
+	case <-time.After(2 * time.Second):
+		t.Fatal("Timeout waiting for backup message")
+	}
+}
+
+func Test_SubscribeNodeForBackupsAssignment_FiltersOutBackupsForDifferentNode(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node1 := createTestBackupNode()
+	node2 := createTestBackupNode()
+	backupID := uuid.New()
+	defer registry.UnsubscribeNodeForBackupsAssignments()
+
+	receivedBackupID := make(chan uuid.UUID, 1)
+	handler := func(id uuid.UUID, isCallNotifier bool) {
+		receivedBackupID <- id
+	}
+
+	err := registry.SubscribeNodeForBackupsAssignment(node1.ID.String(), handler)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	err = registry.AssignBackupToNode(node2.ID.String(), backupID, false)
+	assert.NoError(t, err)
+
+	select {
+	case <-receivedBackupID:
+		t.Fatal("Should not receive backup for different node")
+	case <-time.After(500 * time.Millisecond):
+	}
+}
+
+func Test_SubscribeNodeForBackupsAssignment_ParsesJsonAndBackupIdCorrectly(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	backupID1 := uuid.New()
+	backupID2 := uuid.New()
+	defer registry.UnsubscribeNodeForBackupsAssignments()
+
+	receivedBackups := make(chan uuid.UUID, 2)
+	handler := func(id uuid.UUID, isCallNotifier bool) {
+		receivedBackups <- id
+	}
+
+	err := registry.SubscribeNodeForBackupsAssignment(node.ID.String(), handler)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	err = registry.AssignBackupToNode(node.ID.String(), backupID1, true)
+	assert.NoError(t, err)
+
+	err = registry.AssignBackupToNode(node.ID.String(), backupID2, false)
+	assert.NoError(t, err)
+
+	received1 := <-receivedBackups
+	received2 := <-receivedBackups
+
+	receivedIDs := []uuid.UUID{received1, received2}
+	assert.Contains(t, receivedIDs, backupID1)
+	assert.Contains(t, receivedIDs, backupID2)
+}
+
+func Test_SubscribeNodeForBackupsAssignment_HandlesInvalidJson(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	defer registry.UnsubscribeNodeForBackupsAssignments()
+
+	receivedBackupID := make(chan uuid.UUID, 1)
+	handler := func(id uuid.UUID, isCallNotifier bool) {
+		receivedBackupID <- id
+	}
+
+	err := registry.SubscribeNodeForBackupsAssignment(node.ID.String(), handler)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	ctx := context.Background()
+	err = registry.pubsubBackups.Publish(ctx, "backup:submit", "invalid json")
+	assert.NoError(t, err)
+
+	select {
+	case <-receivedBackupID:
+		t.Fatal("Should not receive backup for invalid JSON")
+	case <-time.After(500 * time.Millisecond):
+	}
+}
+
+func Test_UnsubscribeNodeForBackupsAssignments_StopsReceivingMessages(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	backupID1 := uuid.New()
+	backupID2 := uuid.New()
+
+	receivedBackupID := make(chan uuid.UUID, 2)
+	handler := func(id uuid.UUID, isCallNotifier bool) {
+		receivedBackupID <- id
+	}
+
+	err := registry.SubscribeNodeForBackupsAssignment(node.ID.String(), handler)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	err = registry.AssignBackupToNode(node.ID.String(), backupID1, true)
+	assert.NoError(t, err)
+
+	received := <-receivedBackupID
+	assert.Equal(t, backupID1, received)
+
+	err = registry.UnsubscribeNodeForBackupsAssignments()
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	err = registry.AssignBackupToNode(node.ID.String(), backupID2, false)
+	assert.NoError(t, err)
+
+	select {
+	case <-receivedBackupID:
+		t.Fatal("Should not receive backup after unsubscribe")
+	case <-time.After(500 * time.Millisecond):
+	}
+}
+
+func Test_SubscribeNodeForBackupsAssignment_WhenAlreadySubscribed_ReturnsError(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	defer registry.UnsubscribeNodeForBackupsAssignments()
+
+	handler := func(id uuid.UUID, isCallNotifier bool) {}
+
+	err := registry.SubscribeNodeForBackupsAssignment(node.ID.String(), handler)
+	assert.NoError(t, err)
+
+	err = registry.SubscribeNodeForBackupsAssignment(node.ID.String(), handler)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "already subscribed")
+}
+
+func Test_MultipleNodes_EachReceivesOnlyTheirBackups(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry1 := createTestRegistry()
+	registry2 := createTestRegistry()
+	registry3 := createTestRegistry()
+
+	node1 := createTestBackupNode()
+	node2 := createTestBackupNode()
+	node3 := createTestBackupNode()
+
+	backupID1 := uuid.New()
+	backupID2 := uuid.New()
+	backupID3 := uuid.New()
+
+	defer registry1.UnsubscribeNodeForBackupsAssignments()
+	defer registry2.UnsubscribeNodeForBackupsAssignments()
+	defer registry3.UnsubscribeNodeForBackupsAssignments()
+
+	receivedBackups1 := make(chan uuid.UUID, 3)
+	receivedBackups2 := make(chan uuid.UUID, 3)
+	receivedBackups3 := make(chan uuid.UUID, 3)
+
+	handler1 := func(id uuid.UUID, isCallNotifier bool) { receivedBackups1 <- id }
+	handler2 := func(id uuid.UUID, isCallNotifier bool) { receivedBackups2 <- id }
+	handler3 := func(id uuid.UUID, isCallNotifier bool) { receivedBackups3 <- id }
+
+	err := registry1.SubscribeNodeForBackupsAssignment(node1.ID.String(), handler1)
+	assert.NoError(t, err)
+
+	err = registry2.SubscribeNodeForBackupsAssignment(node2.ID.String(), handler2)
+	assert.NoError(t, err)
+
+	err = registry3.SubscribeNodeForBackupsAssignment(node3.ID.String(), handler3)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	submitRegistry := createTestRegistry()
+	err = submitRegistry.AssignBackupToNode(node1.ID.String(), backupID1, true)
+	assert.NoError(t, err)
+
+	err = submitRegistry.AssignBackupToNode(node2.ID.String(), backupID2, false)
+	assert.NoError(t, err)
+
+	err = submitRegistry.AssignBackupToNode(node3.ID.String(), backupID3, true)
+	assert.NoError(t, err)
+
+	select {
+	case received := <-receivedBackups1:
+		assert.Equal(t, backupID1, received)
+	case <-time.After(2 * time.Second):
+		t.Fatal("Node 1 timeout waiting for backup message")
+	}
+
+	select {
+	case received := <-receivedBackups2:
+		assert.Equal(t, backupID2, received)
+	case <-time.After(2 * time.Second):
+		t.Fatal("Node 2 timeout waiting for backup message")
+	}
+
+	select {
+	case received := <-receivedBackups3:
+		assert.Equal(t, backupID3, received)
+	case <-time.After(2 * time.Second):
+		t.Fatal("Node 3 timeout waiting for backup message")
+	}
+
+	select {
+	case <-receivedBackups1:
+		t.Fatal("Node 1 should not receive additional backups")
+	case <-time.After(300 * time.Millisecond):
+	}
+
+	select {
+	case <-receivedBackups2:
+		t.Fatal("Node 2 should not receive additional backups")
+	case <-time.After(300 * time.Millisecond):
+	}
+
+	select {
+	case <-receivedBackups3:
+		t.Fatal("Node 3 should not receive additional backups")
+	case <-time.After(300 * time.Millisecond):
+	}
+}
+
+func Test_PublishBackupCompletion_PublishesMessageToChannel(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	backupID := uuid.New()
+
+	err := registry.PublishBackupCompletion(node.ID.String(), backupID)
+	assert.NoError(t, err)
+}
+
+func Test_SubscribeForBackupsCompletions_ReceivesCompletedBackups(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	backupID := uuid.New()
+	defer registry.UnsubscribeForBackupsCompletions()
+
+	receivedBackupID := make(chan uuid.UUID, 1)
+	receivedNodeID := make(chan string, 1)
+	handler := func(nodeID string, backupID uuid.UUID) {
+		receivedNodeID <- nodeID
+		receivedBackupID <- backupID
+	}
+
+	err := registry.SubscribeForBackupsCompletions(handler)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	err = registry.PublishBackupCompletion(node.ID.String(), backupID)
+	assert.NoError(t, err)
+
+	select {
+	case receivedNode := <-receivedNodeID:
+		assert.Equal(t, node.ID.String(), receivedNode)
+	case <-time.After(2 * time.Second):
+		t.Fatal("Timeout waiting for node ID")
+	}
+
+	select {
+	case received := <-receivedBackupID:
+		assert.Equal(t, backupID, received)
+	case <-time.After(2 * time.Second):
+		t.Fatal("Timeout waiting for backup completion message")
+	}
+}
+
+func Test_SubscribeForBackupsCompletions_ParsesJsonCorrectly(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	backupID1 := uuid.New()
+	backupID2 := uuid.New()
+	defer registry.UnsubscribeForBackupsCompletions()
+
+	receivedBackups := make(chan uuid.UUID, 2)
+	handler := func(nodeID string, backupID uuid.UUID) {
+		receivedBackups <- backupID
+	}
+
+	err := registry.SubscribeForBackupsCompletions(handler)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	err = registry.PublishBackupCompletion(node.ID.String(), backupID1)
+	assert.NoError(t, err)
+
+	err = registry.PublishBackupCompletion(node.ID.String(), backupID2)
+	assert.NoError(t, err)
+
+	received1 := <-receivedBackups
+	received2 := <-receivedBackups
+
+	receivedIDs := []uuid.UUID{received1, received2}
+	assert.Contains(t, receivedIDs, backupID1)
+	assert.Contains(t, receivedIDs, backupID2)
+}
+
+func Test_SubscribeForBackupsCompletions_HandlesInvalidJson(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	defer registry.UnsubscribeForBackupsCompletions()
+
+	receivedBackupID := make(chan uuid.UUID, 1)
+	handler := func(nodeID string, backupID uuid.UUID) {
+		receivedBackupID <- backupID
+	}
+
+	err := registry.SubscribeForBackupsCompletions(handler)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	ctx := context.Background()
+	err = registry.pubsubCompletions.Publish(ctx, "backup:completion", "invalid json")
+	assert.NoError(t, err)
+
+	select {
+	case <-receivedBackupID:
+		t.Fatal("Should not receive backup for invalid JSON")
+	case <-time.After(500 * time.Millisecond):
+	}
+}
+
+func Test_UnsubscribeForBackupsCompletions_StopsReceivingMessages(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	node := createTestBackupNode()
+	backupID1 := uuid.New()
+	backupID2 := uuid.New()
+
+	receivedBackupID := make(chan uuid.UUID, 2)
+	handler := func(nodeID string, backupID uuid.UUID) {
+		receivedBackupID <- backupID
+	}
+
+	err := registry.SubscribeForBackupsCompletions(handler)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	err = registry.PublishBackupCompletion(node.ID.String(), backupID1)
+	assert.NoError(t, err)
+
+	received := <-receivedBackupID
+	assert.Equal(t, backupID1, received)
+
+	err = registry.UnsubscribeForBackupsCompletions()
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	err = registry.PublishBackupCompletion(node.ID.String(), backupID2)
+	assert.NoError(t, err)
+
+	select {
+	case <-receivedBackupID:
+		t.Fatal("Should not receive backup after unsubscribe")
+	case <-time.After(500 * time.Millisecond):
+	}
+}
+
+func Test_SubscribeForBackupsCompletions_WhenAlreadySubscribed_ReturnsError(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry := createTestRegistry()
+	defer registry.UnsubscribeForBackupsCompletions()
+
+	handler := func(nodeID string, backupID uuid.UUID) {}
+
+	err := registry.SubscribeForBackupsCompletions(handler)
+	assert.NoError(t, err)
+
+	err = registry.SubscribeForBackupsCompletions(handler)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "already subscribed")
+}
+
+func Test_MultipleSubscribers_EachReceivesCompletionMessages(t *testing.T) {
+	cache_utils.ClearAllCache()
+	registry1 := createTestRegistry()
+	registry2 := createTestRegistry()
+	registry3 := createTestRegistry()
+
+	node1 := createTestBackupNode()
+	node2 := createTestBackupNode()
+	node3 := createTestBackupNode()
+
+	backupID1 := uuid.New()
+	backupID2 := uuid.New()
+	backupID3 := uuid.New()
+
+	defer registry1.UnsubscribeForBackupsCompletions()
+	defer registry2.UnsubscribeForBackupsCompletions()
+	defer registry3.UnsubscribeForBackupsCompletions()
+
+	receivedBackups1 := make(chan uuid.UUID, 3)
+	receivedBackups2 := make(chan uuid.UUID, 3)
+	receivedBackups3 := make(chan uuid.UUID, 3)
+
+	handler1 := func(nodeID string, backupID uuid.UUID) { receivedBackups1 <- backupID }
+	handler2 := func(nodeID string, backupID uuid.UUID) { receivedBackups2 <- backupID }
+	handler3 := func(nodeID string, backupID uuid.UUID) { receivedBackups3 <- backupID }
+
+	err := registry1.SubscribeForBackupsCompletions(handler1)
+	assert.NoError(t, err)
+
+	err = registry2.SubscribeForBackupsCompletions(handler2)
+	assert.NoError(t, err)
+
+	err = registry3.SubscribeForBackupsCompletions(handler3)
+	assert.NoError(t, err)
+
+	time.Sleep(100 * time.Millisecond)
+
+	publishRegistry := createTestRegistry()
+	err = publishRegistry.PublishBackupCompletion(node1.ID.String(), backupID1)
+	assert.NoError(t, err)
+
+	err = publishRegistry.PublishBackupCompletion(node2.ID.String(), backupID2)
+	assert.NoError(t, err)
+
+	err = publishRegistry.PublishBackupCompletion(node3.ID.String(), backupID3)
+	assert.NoError(t, err)
+
+	receivedAll1 := []uuid.UUID{}
+	receivedAll2 := []uuid.UUID{}
+	receivedAll3 := []uuid.UUID{}
+
+	for i := 0; i < 3; i++ {
+		select {
+		case received := <-receivedBackups1:
+			receivedAll1 = append(receivedAll1, received)
+		case <-time.After(2 * time.Second):
+			t.Fatal("Subscriber 1 timeout waiting for completion message")
+		}
+	}
+
+	for i := 0; i < 3; i++ {
+		select {
+		case received := <-receivedBackups2:
+			receivedAll2 = append(receivedAll2, received)
+		case <-time.After(2 * time.Second):
+			t.Fatal("Subscriber 2 timeout waiting for completion message")
+		}
+	}
+
+	for i := 0; i < 3; i++ {
+		select {
+		case received := <-receivedBackups3:
+			receivedAll3 = append(receivedAll3, received)
+		case <-time.After(2 * time.Second):
+			t.Fatal("Subscriber 3 timeout waiting for completion message")
+		}
+	}
+
+	assert.Contains(t, receivedAll1, backupID1)
+	assert.Contains(t, receivedAll1, backupID2)
+	assert.Contains(t, receivedAll1, backupID3)
+
+	assert.Contains(t, receivedAll2, backupID1)
+	assert.Contains(t, receivedAll2, backupID2)
+	assert.Contains(t, receivedAll2, backupID3)
+
+	assert.Contains(t, receivedAll3, backupID1)
+	assert.Contains(t, receivedAll3, backupID2)
+	assert.Contains(t, receivedAll3, backupID3)
+}
--- a/backend/internal/features/backups/backups/backuping/scheduler.go
+++ b/backend/internal/features/backups/backups/backuping/scheduler.go
@@ -0,0 +1,600 @@
+package backuping
+
+import (
+	"context"
+	"databasus-backend/internal/config"
+	backups_cancellation "databasus-backend/internal/features/backups/backups/cancellation"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/storages"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/period"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type BackupsScheduler struct {
+	backupRepository    *backups_core.BackupRepository
+	backupConfigService *backups_config.BackupConfigService
+	storageService      *storages.StorageService
+	backupCancelManager *backups_cancellation.BackupCancelManager
+	nodesRegistry       *BackupNodesRegistry
+
+	lastBackupTime time.Time
+	logger         *slog.Logger
+
+	backupToNodeRelations map[uuid.UUID]BackupToNodeRelation
+	backuperNode          *BackuperNode
+}
+
+func (s *BackupsScheduler) Run(ctx context.Context) {
+	s.lastBackupTime = time.Now().UTC()
+
+	if config.GetEnv().IsManyNodesMode {
+		// wait other nodes to start
+		time.Sleep(1 * time.Minute)
+	}
+
+	if err := s.failBackupsInProgress(); err != nil {
+		s.logger.Error("Failed to fail backups in progress", "error", err)
+		panic(err)
+	}
+
+	if err := s.nodesRegistry.SubscribeForBackupsCompletions(s.onBackupCompleted); err != nil {
+		s.logger.Error("Failed to subscribe to backup completions", "error", err)
+		panic(err)
+	}
+	defer func() {
+		if err := s.nodesRegistry.UnsubscribeForBackupsCompletions(); err != nil {
+			s.logger.Error("Failed to unsubscribe from backup completions", "error", err)
+		}
+	}()
+
+	if ctx.Err() != nil {
+		return
+	}
+
+	ticker := time.NewTicker(1 * time.Minute)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			if err := s.cleanOldBackups(); err != nil {
+				s.logger.Error("Failed to clean old backups", "error", err)
+			}
+
+			if err := s.checkDeadNodesAndFailBackups(); err != nil {
+				s.logger.Error("Failed to check dead nodes and fail backups", "error", err)
+			}
+
+			if err := s.runPendingBackups(); err != nil {
+				s.logger.Error("Failed to run pending backups", "error", err)
+			}
+
+			s.lastBackupTime = time.Now().UTC()
+		}
+	}
+}
+
+func (s *BackupsScheduler) IsSchedulerRunning() bool {
+	// if last backup time is more than 5 minutes ago, return false
+	return s.lastBackupTime.After(time.Now().UTC().Add(-5 * time.Minute))
+}
+
+func (s *BackupsScheduler) failBackupsInProgress() error {
+	backupsInProgress, err := s.backupRepository.FindByStatus(backups_core.BackupStatusInProgress)
+	if err != nil {
+		return err
+	}
+
+	fmt.Println("Backups in progress", len(backupsInProgress))
+
+	for _, backup := range backupsInProgress {
+		if err := s.backupCancelManager.CancelBackup(backup.ID); err != nil {
+			s.logger.Error(
+				"Failed to cancel backup via context manager",
+				"backupId",
+				backup.ID,
+				"error",
+				err,
+			)
+		}
+
+		backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(backup.DatabaseID)
+		if err != nil {
+			s.logger.Error("Failed to get backup config by database ID", "error", err)
+			continue
+		}
+
+		failMessage := "Backup failed due to application restart"
+		backup.FailMessage = &failMessage
+		backup.Status = backups_core.BackupStatusFailed
+		backup.BackupSizeMb = 0
+
+		s.backuperNode.SendBackupNotification(
+			backupConfig,
+			backup,
+			backups_config.NotificationBackupFailed,
+			&failMessage,
+		)
+
+		if err := s.backupRepository.Save(backup); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *BackupsScheduler) StartBackup(databaseID uuid.UUID, isCallNotifier bool) {
+	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(databaseID)
+	if err != nil {
+		s.logger.Error("Failed to get backup config by database ID", "error", err)
+		return
+	}
+
+	if backupConfig.StorageID == nil {
+		s.logger.Error("Backup config storage ID is nil", "databaseId", databaseID)
+		return
+	}
+
+	leastBusyNodeID, err := s.calculateLeastBusyNode()
+	if err != nil {
+		s.logger.Error(
+			"Failed to calculate least busy node",
+			"databaseId",
+			backupConfig.DatabaseID,
+			"error",
+			err,
+		)
+		return
+	}
+
+	backup := &backups_core.Backup{
+		DatabaseID:   backupConfig.DatabaseID,
+		StorageID:    *backupConfig.StorageID,
+		Status:       backups_core.BackupStatusInProgress,
+		BackupSizeMb: 0,
+		CreatedAt:    time.Now().UTC(),
+	}
+
+	if err := s.backupRepository.Save(backup); err != nil {
+		s.logger.Error(
+			"Failed to save backup",
+			"databaseId",
+			backupConfig.DatabaseID,
+			"error",
+			err,
+		)
+		return
+	}
+
+	if err := s.nodesRegistry.IncrementBackupsInProgress(leastBusyNodeID.String()); err != nil {
+		s.logger.Error(
+			"Failed to increment backups in progress",
+			"nodeId",
+			leastBusyNodeID,
+			"backupId",
+			backup.ID,
+			"error",
+			err,
+		)
+		return
+	}
+
+	if err := s.nodesRegistry.AssignBackupToNode(leastBusyNodeID.String(), backup.ID, isCallNotifier); err != nil {
+		s.logger.Error(
+			"Failed to submit backup",
+			"nodeId",
+			leastBusyNodeID,
+			"backupId",
+			backup.ID,
+			"error",
+			err,
+		)
+		if decrementErr := s.nodesRegistry.DecrementBackupsInProgress(leastBusyNodeID.String()); decrementErr != nil {
+			s.logger.Error(
+				"Failed to decrement backups in progress after submit failure",
+				"nodeId",
+				leastBusyNodeID,
+				"error",
+				decrementErr,
+			)
+		}
+		return
+	}
+
+	if relation, exists := s.backupToNodeRelations[*leastBusyNodeID]; exists {
+		relation.BackupsIDs = append(relation.BackupsIDs, backup.ID)
+		s.backupToNodeRelations[*leastBusyNodeID] = relation
+	} else {
+		s.backupToNodeRelations[*leastBusyNodeID] = BackupToNodeRelation{
+			NodeID:     *leastBusyNodeID,
+			BackupsIDs: []uuid.UUID{backup.ID},
+		}
+	}
+
+	s.logger.Info(
+		"Successfully triggered scheduled backup",
+		"databaseId",
+		backupConfig.DatabaseID,
+		"backupId",
+		backup.ID,
+		"nodeId",
+		leastBusyNodeID,
+	)
+}
+
+// GetRemainedBackupTryCount returns the number of remaining backup tries for a given backup.
+// If the backup is not failed or the backup config does not allow retries, it returns 0.
+// If the backup is failed and the backup config allows retries, it returns the number of remaining tries.
+// If the backup is failed and the backup config does not allow retries, it returns 0.
+func (s *BackupsScheduler) GetRemainedBackupTryCount(lastBackup *backups_core.Backup) int {
+	if lastBackup == nil {
+		return 0
+	}
+
+	if lastBackup.Status != backups_core.BackupStatusFailed {
+		return 0
+	}
+
+	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(lastBackup.DatabaseID)
+	if err != nil {
+		s.logger.Error("Failed to get backup config by database ID", "error", err)
+		return 0
+	}
+
+	if !backupConfig.IsRetryIfFailed {
+		return 0
+	}
+
+	maxFailedTriesCount := backupConfig.MaxFailedTriesCount
+
+	lastBackups, err := s.backupRepository.FindByDatabaseIDWithLimit(
+		lastBackup.DatabaseID,
+		maxFailedTriesCount,
+	)
+	if err != nil {
+		s.logger.Error("Failed to find last backups by database ID", "error", err)
+		return 0
+	}
+
+	lastFailedBackups := make([]*backups_core.Backup, 0)
+
+	for _, backup := range lastBackups {
+		if backup.Status == backups_core.BackupStatusFailed {
+			lastFailedBackups = append(lastFailedBackups, backup)
+		}
+	}
+
+	return maxFailedTriesCount - len(lastFailedBackups)
+}
+
+func (s *BackupsScheduler) cleanOldBackups() error {
+	enabledBackupConfigs, err := s.backupConfigService.GetBackupConfigsWithEnabledBackups()
+	if err != nil {
+		return err
+	}
+
+	for _, backupConfig := range enabledBackupConfigs {
+		backupStorePeriod := backupConfig.StorePeriod
+
+		if backupStorePeriod == period.PeriodForever {
+			continue
+		}
+
+		storeDuration := backupStorePeriod.ToDuration()
+		dateBeforeBackupsShouldBeDeleted := time.Now().UTC().Add(-storeDuration)
+
+		oldBackups, err := s.backupRepository.FindBackupsBeforeDate(
+			backupConfig.DatabaseID,
+			dateBeforeBackupsShouldBeDeleted,
+		)
+		if err != nil {
+			s.logger.Error(
+				"Failed to find old backups for database",
+				"databaseId",
+				backupConfig.DatabaseID,
+				"error",
+				err,
+			)
+			continue
+		}
+
+		for _, backup := range oldBackups {
+			storage, err := s.storageService.GetStorageByID(backup.StorageID)
+			if err != nil {
+				s.logger.Error(
+					"Failed to get storage by ID",
+					"storageId",
+					backup.StorageID,
+					"error",
+					err,
+				)
+				continue
+			}
+
+			encryptor := encryption.GetFieldEncryptor()
+			err = storage.DeleteFile(encryptor, backup.ID)
+			if err != nil {
+				s.logger.Error("Failed to delete backup file", "backupId", backup.ID, "error", err)
+			}
+
+			if err := s.backupRepository.DeleteByID(backup.ID); err != nil {
+				s.logger.Error("Failed to delete old backup", "backupId", backup.ID, "error", err)
+				continue
+			}
+
+			s.logger.Info(
+				"Deleted old backup",
+				"backupId",
+				backup.ID,
+				"databaseId",
+				backupConfig.DatabaseID,
+			)
+		}
+	}
+
+	return nil
+}
+
+func (s *BackupsScheduler) runPendingBackups() error {
+	enabledBackupConfigs, err := s.backupConfigService.GetBackupConfigsWithEnabledBackups()
+	if err != nil {
+		return err
+	}
+
+	for _, backupConfig := range enabledBackupConfigs {
+		if backupConfig.BackupInterval == nil {
+			continue
+		}
+
+		lastBackup, err := s.backupRepository.FindLastByDatabaseID(backupConfig.DatabaseID)
+		if err != nil {
+			s.logger.Error(
+				"Failed to get last backup for database",
+				"databaseId",
+				backupConfig.DatabaseID,
+				"error",
+				err,
+			)
+			continue
+		}
+
+		var lastBackupTime *time.Time
+		if lastBackup != nil {
+			lastBackupTime = &lastBackup.CreatedAt
+		}
+
+		remainedBackupTryCount := s.GetRemainedBackupTryCount(lastBackup)
+
+		if backupConfig.BackupInterval.ShouldTriggerBackup(time.Now().UTC(), lastBackupTime) ||
+			remainedBackupTryCount > 0 {
+			s.logger.Info(
+				"Triggering scheduled backup",
+				"databaseId",
+				backupConfig.DatabaseID,
+				"intervalType",
+				backupConfig.BackupInterval.Interval,
+			)
+
+			s.StartBackup(backupConfig.DatabaseID, remainedBackupTryCount == 1)
+			continue
+		}
+	}
+
+	return nil
+}
+
+func (s *BackupsScheduler) calculateLeastBusyNode() (*uuid.UUID, error) {
+	nodes, err := s.nodesRegistry.GetAvailableNodes()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get available nodes: %w", err)
+	}
+
+	if len(nodes) == 0 {
+		return nil, fmt.Errorf("no nodes available")
+	}
+
+	stats, err := s.nodesRegistry.GetBackupNodesStats()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get backup nodes stats: %w", err)
+	}
+
+	statsMap := make(map[uuid.UUID]int)
+	for _, stat := range stats {
+		statsMap[stat.ID] = stat.ActiveBackups
+	}
+
+	var bestNode *BackupNode
+	var bestScore float64 = -1
+
+	now := time.Now().UTC()
+	for i := range nodes {
+		node := &nodes[i]
+
+		if now.Sub(node.LastHeartbeat) > 2*time.Minute {
+			continue
+		}
+
+		activeBackups := statsMap[node.ID]
+
+		var score float64
+		if node.ThroughputMBs > 0 {
+			score = float64(activeBackups) / float64(node.ThroughputMBs)
+		} else {
+			score = float64(activeBackups) * 1000
+		}
+
+		if bestNode == nil || score < bestScore {
+			bestNode = node
+			bestScore = score
+		}
+	}
+
+	if bestNode == nil {
+		return nil, fmt.Errorf("no suitable nodes available")
+	}
+
+	return &bestNode.ID, nil
+}
+
+func (s *BackupsScheduler) onBackupCompleted(nodeIDStr string, backupID uuid.UUID) {
+	nodeID, err := uuid.Parse(nodeIDStr)
+	if err != nil {
+		s.logger.Error(
+			"Failed to parse node ID from completion message",
+			"nodeId",
+			nodeIDStr,
+			"error",
+			err,
+		)
+		return
+	}
+
+	relation, exists := s.backupToNodeRelations[nodeID]
+	if !exists {
+		s.logger.Warn(
+			"Received completion for unknown node",
+			"nodeId",
+			nodeID,
+			"backupId",
+			backupID,
+		)
+		return
+	}
+
+	newBackupIDs := make([]uuid.UUID, 0)
+	found := false
+	for _, id := range relation.BackupsIDs {
+		if id == backupID {
+			found = true
+			continue
+		}
+		newBackupIDs = append(newBackupIDs, id)
+	}
+
+	if !found {
+		s.logger.Warn(
+			"Backup not found in node's backup list",
+			"nodeId",
+			nodeID,
+			"backupId",
+			backupID,
+		)
+		return
+	}
+
+	if len(newBackupIDs) == 0 {
+		delete(s.backupToNodeRelations, nodeID)
+	} else {
+		relation.BackupsIDs = newBackupIDs
+		s.backupToNodeRelations[nodeID] = relation
+	}
+
+	if err := s.nodesRegistry.DecrementBackupsInProgress(nodeIDStr); err != nil {
+		s.logger.Error(
+			"Failed to decrement backups in progress",
+			"nodeId",
+			nodeID,
+			"backupId",
+			backupID,
+			"error",
+			err,
+		)
+	}
+}
+
+func (s *BackupsScheduler) checkDeadNodesAndFailBackups() error {
+	nodes, err := s.nodesRegistry.GetAvailableNodes()
+	if err != nil {
+		return fmt.Errorf("failed to get available nodes: %w", err)
+	}
+
+	aliveNodeIDs := make(map[uuid.UUID]bool)
+	now := time.Now().UTC()
+
+	for _, node := range nodes {
+		if now.Sub(node.LastHeartbeat) <= 2*time.Minute {
+			aliveNodeIDs[node.ID] = true
+		}
+	}
+
+	for nodeID, relation := range s.backupToNodeRelations {
+		if aliveNodeIDs[nodeID] {
+			continue
+		}
+
+		s.logger.Warn(
+			"Node is dead, failing its backups",
+			"nodeId",
+			nodeID,
+			"backupCount",
+			len(relation.BackupsIDs),
+		)
+
+		for _, backupID := range relation.BackupsIDs {
+			backup, err := s.backupRepository.FindByID(backupID)
+			if err != nil {
+				s.logger.Error(
+					"Failed to find backup for dead node",
+					"nodeId",
+					nodeID,
+					"backupId",
+					backupID,
+					"error",
+					err,
+				)
+				continue
+			}
+
+			failMessage := "Backup failed due to node unavailability"
+			backup.FailMessage = &failMessage
+			backup.Status = backups_core.BackupStatusFailed
+			backup.BackupSizeMb = 0
+
+			if err := s.backupRepository.Save(backup); err != nil {
+				s.logger.Error(
+					"Failed to save failed backup for dead node",
+					"nodeId",
+					nodeID,
+					"backupId",
+					backupID,
+					"error",
+					err,
+				)
+				continue
+			}
+
+			if err := s.nodesRegistry.DecrementBackupsInProgress(nodeID.String()); err != nil {
+				s.logger.Error(
+					"Failed to decrement backups in progress for dead node",
+					"nodeId",
+					nodeID,
+					"backupId",
+					backupID,
+					"error",
+					err,
+				)
+			}
+
+			s.logger.Info(
+				"Failed backup due to dead node",
+				"nodeId",
+				nodeID,
+				"backupId",
+				backupID,
+			)
+		}
+
+		delete(s.backupToNodeRelations, nodeID)
+	}
+
+	return nil
+}
--- a/backend/internal/features/backups/backups/backuping/scheduler_test.go
+++ b/backend/internal/features/backups/backups/backuping/scheduler_test.go
@@ -0,0 +1,709 @@
+package backuping
+
+import (
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/intervals"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	users_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
+	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
+	cache_utils "databasus-backend/internal/util/cache"
+	"databasus-backend/internal/util/period"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_RunPendingBackups_WhenLastBackupWasYesterday_CreatesNewBackup(t *testing.T) {
+	cache_utils.ClearAllCache()
+	backuperNode := CreateTestBackuperNode()
+	cancel := StartBackuperNodeForTest(t, backuperNode)
+	defer StopBackuperNodeForTest(t, cancel, backuperNode)
+
+	// setup data
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		// cleanup backups first
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Enable backups for the database
+	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig.IsBackupsEnabled = true
+	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.Storage = storage
+	backupConfig.StorageID = &storage.ID
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// add old backup
+	backupRepository.Save(&backups_core.Backup{
+		DatabaseID: database.ID,
+		StorageID:  storage.ID,
+
+		Status: backups_core.BackupStatusCompleted,
+
+		CreatedAt: time.Now().UTC().Add(-24 * time.Hour),
+	})
+
+	GetBackupsScheduler().runPendingBackups()
+
+	// Wait for backup to complete (runs in goroutine)
+	WaitForBackupCompletion(t, database.ID, 1, 10*time.Second)
+
+	// assertions
+	backups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 2)
+
+	// Wait for any cleanup operations to complete before defer cleanup runs
+	time.Sleep(200 * time.Millisecond)
+}
+
+func Test_RunPendingBackups_WhenLastBackupWasRecentlyCompleted_SkipsBackup(t *testing.T) {
+	cache_utils.ClearAllCache()
+	backuperNode := CreateTestBackuperNode()
+	cancel := StartBackuperNodeForTest(t, backuperNode)
+	defer StopBackuperNodeForTest(t, cancel, backuperNode)
+
+	// setup data
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		// cleanup backups first
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Enable backups for the database
+	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig.IsBackupsEnabled = true
+	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.Storage = storage
+	backupConfig.StorageID = &storage.ID
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// add recent backup (1 hour ago)
+	backupRepository.Save(&backups_core.Backup{
+		DatabaseID: database.ID,
+		StorageID:  storage.ID,
+
+		Status: backups_core.BackupStatusCompleted,
+
+		CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
+	})
+
+	GetBackupsScheduler().runPendingBackups()
+
+	time.Sleep(100 * time.Millisecond)
+
+	// assertions
+	backups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 1) // Should still be 1 backup, no new backup created
+
+	// Wait for any cleanup operations to complete before defer cleanup runs
+	time.Sleep(200 * time.Millisecond)
+}
+
+func Test_RunPendingBackups_WhenLastBackupFailedAndRetriesDisabled_SkipsBackup(t *testing.T) {
+	cache_utils.ClearAllCache()
+	backuperNode := CreateTestBackuperNode()
+	cancel := StartBackuperNodeForTest(t, backuperNode)
+	defer StopBackuperNodeForTest(t, cancel, backuperNode)
+
+	// setup data
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		// cleanup backups first
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Enable backups for the database with retries disabled
+	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig.IsBackupsEnabled = true
+	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.Storage = storage
+	backupConfig.StorageID = &storage.ID
+	backupConfig.IsRetryIfFailed = false
+	backupConfig.MaxFailedTriesCount = 0
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// add failed backup
+	failMessage := "backup failed"
+	backupRepository.Save(&backups_core.Backup{
+		DatabaseID: database.ID,
+		StorageID:  storage.ID,
+
+		Status:      backups_core.BackupStatusFailed,
+		FailMessage: &failMessage,
+
+		CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
+	})
+
+	GetBackupsScheduler().runPendingBackups()
+
+	time.Sleep(100 * time.Millisecond)
+
+	// assertions
+	backups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 1) // Should still be 1 backup, no retry attempted
+
+	// Wait for any cleanup operations to complete before defer cleanup runs
+	time.Sleep(200 * time.Millisecond)
+}
+
+func Test_RunPendingBackups_WhenLastBackupFailedAndRetriesEnabled_CreatesNewBackup(t *testing.T) {
+	cache_utils.ClearAllCache()
+	backuperNode := CreateTestBackuperNode()
+	cancel := StartBackuperNodeForTest(t, backuperNode)
+	defer StopBackuperNodeForTest(t, cancel, backuperNode)
+
+	// setup data
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		// cleanup backups first
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Enable backups for the database with retries enabled
+	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig.IsBackupsEnabled = true
+	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.Storage = storage
+	backupConfig.StorageID = &storage.ID
+	backupConfig.IsRetryIfFailed = true
+	backupConfig.MaxFailedTriesCount = 3
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// add failed backup
+	failMessage := "backup failed"
+	backupRepository.Save(&backups_core.Backup{
+		DatabaseID: database.ID,
+		StorageID:  storage.ID,
+
+		Status:      backups_core.BackupStatusFailed,
+		FailMessage: &failMessage,
+
+		CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
+	})
+
+	GetBackupsScheduler().runPendingBackups()
+
+	// Wait for backup to complete (runs in goroutine)
+	WaitForBackupCompletion(t, database.ID, 1, 10*time.Second)
+
+	// assertions
+	backups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 2) // Should have 2 backups, retry was attempted
+
+	// Wait for any cleanup operations to complete before defer cleanup runs
+	time.Sleep(200 * time.Millisecond)
+}
+
+func Test_RunPendingBackups_WhenFailedBackupsExceedMaxRetries_SkipsBackup(t *testing.T) {
+	cache_utils.ClearAllCache()
+	backuperNode := CreateTestBackuperNode()
+	cancel := StartBackuperNodeForTest(t, backuperNode)
+	defer StopBackuperNodeForTest(t, cancel, backuperNode)
+
+	// setup data
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		// cleanup backups first
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	// Enable backups for the database with retries enabled
+	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig.IsBackupsEnabled = true
+	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.Storage = storage
+	backupConfig.StorageID = &storage.ID
+	backupConfig.IsRetryIfFailed = true
+	backupConfig.MaxFailedTriesCount = 3
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	failMessage := "backup failed"
+
+	for range 3 {
+		backupRepository.Save(&backups_core.Backup{
+			DatabaseID: database.ID,
+			StorageID:  storage.ID,
+
+			Status:      backups_core.BackupStatusFailed,
+			FailMessage: &failMessage,
+
+			CreatedAt: time.Now().UTC().Add(-1 * time.Hour),
+		})
+	}
+
+	GetBackupsScheduler().runPendingBackups()
+
+	time.Sleep(100 * time.Millisecond)
+
+	// assertions
+	backups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 3) // Should have 3 backups, not more than max
+
+	// Wait for any cleanup operations to complete before defer cleanup runs
+	time.Sleep(200 * time.Millisecond)
+}
+
+func Test_RunPendingBackups_WhenBackupsDisabled_SkipsBackup(t *testing.T) {
+	cache_utils.ClearAllCache()
+	backuperNode := CreateTestBackuperNode()
+	cancel := StartBackuperNodeForTest(t, backuperNode)
+	defer StopBackuperNodeForTest(t, cancel, backuperNode)
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig.IsBackupsEnabled = false
+	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.Storage = storage
+	backupConfig.StorageID = &storage.ID
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// add old backup that would trigger new backup if enabled
+	backupRepository.Save(&backups_core.Backup{
+		DatabaseID: database.ID,
+		StorageID:  storage.ID,
+
+		Status: backups_core.BackupStatusCompleted,
+
+		CreatedAt: time.Now().UTC().Add(-24 * time.Hour),
+	})
+
+	GetBackupsScheduler().runPendingBackups()
+
+	time.Sleep(100 * time.Millisecond)
+
+	backups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 1)
+
+	// Wait for any cleanup operations to complete before defer cleanup runs
+	time.Sleep(200 * time.Millisecond)
+}
+
+func Test_CheckDeadNodesAndFailBackups_WhenNodeDies_FailsBackupAndCleansUpRegistry(t *testing.T) {
+	cache_utils.ClearAllCache()
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig.IsBackupsEnabled = true
+	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.Storage = storage
+	backupConfig.StorageID = &storage.ID
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Register mock node without subscribing to backups (simulates node crash after registration)
+	mockNodeID := uuid.New()
+	err = CreateMockNodeInRegistry(mockNodeID, 100, time.Now().UTC())
+	assert.NoError(t, err)
+
+	// Scheduler assigns backup to mock node
+	GetBackupsScheduler().StartBackup(database.ID, false)
+	time.Sleep(100 * time.Millisecond)
+
+	backups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 1)
+	assert.Equal(t, backups_core.BackupStatusInProgress, backups[0].Status)
+
+	// Verify Valkey counter was incremented when backup was assigned
+	stats, err := nodesRegistry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	foundStat := false
+	for _, stat := range stats {
+		if stat.ID == mockNodeID {
+			assert.Equal(t, 1, stat.ActiveBackups)
+			foundStat = true
+			break
+		}
+	}
+	assert.True(t, foundStat, "Node stats should be present")
+
+	// Simulate node death by setting heartbeat older than 2-minute threshold
+	oldHeartbeat := time.Now().UTC().Add(-3 * time.Minute)
+	err = UpdateNodeHeartbeatDirectly(mockNodeID, 100, oldHeartbeat)
+	assert.NoError(t, err)
+
+	// Trigger dead node detection
+	err = GetBackupsScheduler().checkDeadNodesAndFailBackups()
+	assert.NoError(t, err)
+
+	// Verify backup was failed with appropriate error message
+	backups, err = backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 1)
+	assert.Equal(t, backups_core.BackupStatusFailed, backups[0].Status)
+	assert.NotNil(t, backups[0].FailMessage)
+	assert.Contains(t, *backups[0].FailMessage, "node unavailability")
+
+	// Verify Valkey counter was decremented after backup failed
+	stats, err = nodesRegistry.GetBackupNodesStats()
+	assert.NoError(t, err)
+	for _, stat := range stats {
+		if stat.ID == mockNodeID {
+			assert.Equal(t, 0, stat.ActiveBackups)
+		}
+	}
+
+	// Node info should still exist in registry (not removed by checkDeadNodesAndFailBackups)
+	node, err := GetNodeFromRegistry(mockNodeID)
+	assert.NoError(t, err)
+	assert.NotNil(t, node)
+	assert.Equal(t, mockNodeID, node.ID)
+
+	time.Sleep(200 * time.Millisecond)
+}
+
+func Test_CalculateLeastBusyNode_SelectsNodeWithBestScore(t *testing.T) {
+	t.Run("Nodes with same throughput", func(t *testing.T) {
+		cache_utils.ClearAllCache()
+
+		node1ID := uuid.New()
+		node2ID := uuid.New()
+		node3ID := uuid.New()
+		now := time.Now().UTC()
+
+		err := CreateMockNodeInRegistry(node1ID, 100, now)
+		assert.NoError(t, err)
+		err = CreateMockNodeInRegistry(node2ID, 100, now)
+		assert.NoError(t, err)
+		err = CreateMockNodeInRegistry(node3ID, 100, now)
+		assert.NoError(t, err)
+
+		for range 5 {
+			err = nodesRegistry.IncrementBackupsInProgress(node1ID.String())
+			assert.NoError(t, err)
+		}
+
+		for range 2 {
+			err = nodesRegistry.IncrementBackupsInProgress(node2ID.String())
+			assert.NoError(t, err)
+		}
+
+		for range 8 {
+			err = nodesRegistry.IncrementBackupsInProgress(node3ID.String())
+			assert.NoError(t, err)
+		}
+
+		leastBusyNodeID, err := GetBackupsScheduler().calculateLeastBusyNode()
+		assert.NoError(t, err)
+		assert.NotNil(t, leastBusyNodeID)
+		assert.Equal(t, node2ID, *leastBusyNodeID)
+	})
+
+	t.Run("Nodes with different throughput", func(t *testing.T) {
+		cache_utils.ClearAllCache()
+
+		node100MBsID := uuid.New()
+		node50MBsID := uuid.New()
+		now := time.Now().UTC()
+
+		err := CreateMockNodeInRegistry(node100MBsID, 100, now)
+		assert.NoError(t, err)
+		err = CreateMockNodeInRegistry(node50MBsID, 50, now)
+		assert.NoError(t, err)
+
+		for range 10 {
+			err = nodesRegistry.IncrementBackupsInProgress(node100MBsID.String())
+			assert.NoError(t, err)
+		}
+
+		err = nodesRegistry.IncrementBackupsInProgress(node50MBsID.String())
+		assert.NoError(t, err)
+
+		leastBusyNodeID, err := GetBackupsScheduler().calculateLeastBusyNode()
+		assert.NoError(t, err)
+		assert.NotNil(t, leastBusyNodeID)
+		assert.Equal(t, node50MBsID, *leastBusyNodeID)
+	})
+}
+
+func Test_FailBackupsInProgress_WhenSchedulerStarts_CancelsBackupsAndUpdatesStatus(t *testing.T) {
+	cache_utils.ClearAllCache()
+
+	user := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+	router := CreateTestRouter()
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", user, router)
+	storage := storages.CreateTestStorage(workspace.ID)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+	database := databases.CreateTestDatabase(workspace.ID, storage, notifier)
+
+	defer func() {
+		backups, _ := backupRepository.FindByDatabaseID(database.ID)
+		for _, backup := range backups {
+			backupRepository.DeleteByID(backup.ID)
+		}
+
+		databases.RemoveTestDatabase(database)
+		time.Sleep(50 * time.Millisecond)
+		notifiers.RemoveTestNotifier(notifier)
+		storages.RemoveTestStorage(storage.ID)
+		workspaces_testing.RemoveTestWorkspace(workspace, router)
+	}()
+
+	backupConfig, err := backups_config.GetBackupConfigService().GetBackupConfigByDbId(database.ID)
+	assert.NoError(t, err)
+
+	timeOfDay := "04:00"
+	backupConfig.BackupInterval = &intervals.Interval{
+		Interval:  intervals.IntervalDaily,
+		TimeOfDay: &timeOfDay,
+	}
+	backupConfig.IsBackupsEnabled = true
+	backupConfig.StorePeriod = period.PeriodWeek
+	backupConfig.Storage = storage
+	backupConfig.StorageID = &storage.ID
+
+	_, err = backups_config.GetBackupConfigService().SaveBackupConfig(backupConfig)
+	assert.NoError(t, err)
+
+	// Create two in-progress backups that should be failed on scheduler restart
+	backup1 := &backups_core.Backup{
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusInProgress,
+		BackupSizeMb: 10.5,
+		CreatedAt:    time.Now().UTC().Add(-30 * time.Minute),
+	}
+	err = backupRepository.Save(backup1)
+	assert.NoError(t, err)
+
+	backup2 := &backups_core.Backup{
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusInProgress,
+		BackupSizeMb: 5.2,
+		CreatedAt:    time.Now().UTC().Add(-15 * time.Minute),
+	}
+	err = backupRepository.Save(backup2)
+	assert.NoError(t, err)
+
+	// Create a completed backup to verify it's not affected by failBackupsInProgress
+	completedBackup := &backups_core.Backup{
+		DatabaseID:   database.ID,
+		StorageID:    storage.ID,
+		Status:       backups_core.BackupStatusCompleted,
+		BackupSizeMb: 20.0,
+		CreatedAt:    time.Now().UTC().Add(-1 * time.Hour),
+	}
+	err = backupRepository.Save(completedBackup)
+	assert.NoError(t, err)
+
+	// Trigger the scheduler's failBackupsInProgress logic
+	// This should cancel in-progress backups and mark them as failed
+	err = GetBackupsScheduler().failBackupsInProgress()
+	assert.NoError(t, err)
+
+	// Verify all backups exist and were processed correctly
+	backups, err := backupRepository.FindByDatabaseID(database.ID)
+	assert.NoError(t, err)
+	assert.Len(t, backups, 3)
+
+	var failedCount int
+	var completedCount int
+	for _, backup := range backups {
+		switch backup.Status {
+		case backups_core.BackupStatusFailed:
+			failedCount++
+			// Verify fail message indicates application restart
+			assert.NotNil(t, backup.FailMessage)
+			assert.Equal(t, "Backup failed due to application restart", *backup.FailMessage)
+			// Verify backup size was reset to 0
+			assert.Equal(t, float64(0), backup.BackupSizeMb)
+		case backups_core.BackupStatusCompleted:
+			completedCount++
+		}
+	}
+
+	// Verify correct number of backups in each state
+	assert.Equal(t, 2, failedCount)
+	assert.Equal(t, 1, completedCount)
+
+	time.Sleep(200 * time.Millisecond)
+}
--- a/backend/internal/features/backups/backups/backuping/testing.go
+++ b/backend/internal/features/backups/backups/backuping/testing.go
@@ -0,0 +1,206 @@
+package backuping
+
+import (
+	"context"
+	"fmt"
+	"testing"
+	"time"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	"databasus-backend/internal/features/backups/backups/usecases"
+	backups_config "databasus-backend/internal/features/backups/config"
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
+	workspaces_services "databasus-backend/internal/features/workspaces/services"
+	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
+	"databasus-backend/internal/util/encryption"
+	"databasus-backend/internal/util/logger"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+)
+
+func CreateTestRouter() *gin.Engine {
+	router := workspaces_testing.CreateTestRouter(
+		workspaces_controllers.GetWorkspaceController(),
+		workspaces_controllers.GetMembershipController(),
+		databases.GetDatabaseController(),
+		backups_config.GetBackupConfigController(),
+	)
+
+	return router
+}
+
+func CreateTestBackuperNode() *BackuperNode {
+	return &BackuperNode{
+		databases.GetDatabaseService(),
+		encryption.GetFieldEncryptor(),
+		workspaces_services.GetWorkspaceService(),
+		backupRepository,
+		backups_config.GetBackupConfigService(),
+		storages.GetStorageService(),
+		notifiers.GetNotifierService(),
+		backupCancelManager,
+		nodesRegistry,
+		logger.GetLogger(),
+		usecases.GetCreateBackupUsecase(),
+		uuid.New(),
+		time.Time{},
+	}
+}
+
+// WaitForBackupCompletion waits for a new backup to be created and completed (or failed)
+// for the given database. It checks for backups with count greater than expectedInitialCount.
+func WaitForBackupCompletion(
+	t *testing.T,
+	databaseID uuid.UUID,
+	expectedInitialCount int,
+	timeout time.Duration,
+) {
+	deadline := time.Now().UTC().Add(timeout)
+
+	for time.Now().UTC().Before(deadline) {
+		backups, err := backupRepository.FindByDatabaseID(databaseID)
+		if err != nil {
+			t.Logf("WaitForBackupCompletion: error finding backups: %v", err)
+			time.Sleep(50 * time.Millisecond)
+			continue
+		}
+
+		t.Logf(
+			"WaitForBackupCompletion: found %d backups (expected > %d)",
+			len(backups),
+			expectedInitialCount,
+		)
+
+		if len(backups) > expectedInitialCount {
+			// Check if the newest backup has completed or failed
+			newestBackup := backups[0]
+			t.Logf("WaitForBackupCompletion: newest backup status: %s", newestBackup.Status)
+
+			if newestBackup.Status == backups_core.BackupStatusCompleted ||
+				newestBackup.Status == backups_core.BackupStatusFailed ||
+				newestBackup.Status == backups_core.BackupStatusCanceled {
+				t.Logf(
+					"WaitForBackupCompletion: backup finished with status %s",
+					newestBackup.Status,
+				)
+				return
+			}
+		}
+
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	t.Logf("WaitForBackupCompletion: timeout waiting for backup to complete")
+}
+
+// StartBackuperNodeForTest starts a BackuperNode in a goroutine for testing.
+// The node registers itself in the registry and subscribes to backup assignments.
+// Returns a context cancel function that should be deferred to stop the node.
+func StartBackuperNodeForTest(t *testing.T, backuperNode *BackuperNode) context.CancelFunc {
+	ctx, cancel := context.WithCancel(context.Background())
+
+	done := make(chan struct{})
+
+	go func() {
+		backuperNode.Run(ctx)
+		close(done)
+	}()
+
+	// Poll registry for node presence instead of fixed sleep
+	deadline := time.Now().UTC().Add(5 * time.Second)
+	for time.Now().UTC().Before(deadline) {
+		nodes, err := nodesRegistry.GetAvailableNodes()
+		if err == nil {
+			for _, node := range nodes {
+				if node.ID == backuperNode.nodeID {
+					t.Logf("BackuperNode registered in registry: %s", backuperNode.nodeID)
+
+					return func() {
+						cancel()
+						select {
+						case <-done:
+							t.Log("BackuperNode stopped gracefully")
+						case <-time.After(2 * time.Second):
+							t.Log("BackuperNode stop timeout")
+						}
+					}
+				}
+			}
+		}
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	t.Fatalf("BackuperNode failed to register in registry within timeout")
+	return nil
+}
+
+// StopBackuperNodeForTest stops the BackuperNode by canceling its context.
+// It waits for the node to unregister from the registry.
+func StopBackuperNodeForTest(t *testing.T, cancel context.CancelFunc, backuperNode *BackuperNode) {
+	cancel()
+
+	// Wait for node to unregister from registry
+	deadline := time.Now().UTC().Add(2 * time.Second)
+	for time.Now().UTC().Before(deadline) {
+		nodes, err := nodesRegistry.GetAvailableNodes()
+		if err == nil {
+			found := false
+			for _, node := range nodes {
+				if node.ID == backuperNode.nodeID {
+					found = true
+					break
+				}
+			}
+			if !found {
+				t.Logf("BackuperNode unregistered from registry: %s", backuperNode.nodeID)
+				return
+			}
+		}
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	t.Logf("BackuperNode stop completed for %s", backuperNode.nodeID)
+}
+
+func CreateMockNodeInRegistry(nodeID uuid.UUID, throughputMBs int, lastHeartbeat time.Time) error {
+	backupNode := BackupNode{
+		ID:            nodeID,
+		ThroughputMBs: throughputMBs,
+		LastHeartbeat: lastHeartbeat,
+	}
+
+	return nodesRegistry.HearthbeatNodeInRegistry(lastHeartbeat, backupNode)
+}
+
+func UpdateNodeHeartbeatDirectly(
+	nodeID uuid.UUID,
+	throughputMBs int,
+	lastHeartbeat time.Time,
+) error {
+	backupNode := BackupNode{
+		ID:            nodeID,
+		ThroughputMBs: throughputMBs,
+		LastHeartbeat: lastHeartbeat,
+	}
+
+	return nodesRegistry.HearthbeatNodeInRegistry(lastHeartbeat, backupNode)
+}
+
+func GetNodeFromRegistry(nodeID uuid.UUID) (*BackupNode, error) {
+	nodes, err := nodesRegistry.GetAvailableNodes()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, node := range nodes {
+		if node.ID == nodeID {
+			return &node, nil
+		}
+	}
+
+	return nil, fmt.Errorf("node not found")
+}
--- a/backend/internal/features/backups/backups/cancellation/backup_cancel_manager.go
+++ b/backend/internal/features/backups/backups/cancellation/backup_cancel_manager.go
@@ -0,0 +1,75 @@
+package backups_cancellation
+
+import (
+	"context"
+	cache_utils "databasus-backend/internal/util/cache"
+	"log/slog"
+	"sync"
+
+	"github.com/google/uuid"
+)
+
+const backupCancelChannel = "backup:cancel"
+
+type BackupCancelManager struct {
+	mu          sync.RWMutex
+	cancelFuncs map[uuid.UUID]context.CancelFunc
+	pubsub      *cache_utils.PubSubManager
+	logger      *slog.Logger
+}
+
+func (m *BackupCancelManager) StartSubscription() {
+	ctx := context.Background()
+
+	handler := func(message string) {
+		backupID, err := uuid.Parse(message)
+		if err != nil {
+			m.logger.Error("Invalid backup ID in cancel message", "message", message, "error", err)
+			return
+		}
+
+		m.mu.Lock()
+		defer m.mu.Unlock()
+
+		cancelFunc, exists := m.cancelFuncs[backupID]
+		if exists {
+			cancelFunc()
+			delete(m.cancelFuncs, backupID)
+			m.logger.Info("Cancelled backup via Pub/Sub", "backupID", backupID)
+		}
+	}
+
+	err := m.pubsub.Subscribe(ctx, backupCancelChannel, handler)
+	if err != nil {
+		m.logger.Error("Failed to subscribe to backup cancel channel", "error", err)
+	} else {
+		m.logger.Info("Successfully subscribed to backup cancel channel")
+	}
+}
+
+func (m *BackupCancelManager) RegisterBackup(backupID uuid.UUID, cancelFunc context.CancelFunc) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	m.cancelFuncs[backupID] = cancelFunc
+	m.logger.Debug("Registered backup", "backupID", backupID)
+}
+
+func (m *BackupCancelManager) CancelBackup(backupID uuid.UUID) error {
+	ctx := context.Background()
+
+	err := m.pubsub.Publish(ctx, backupCancelChannel, backupID.String())
+	if err != nil {
+		m.logger.Error("Failed to publish cancel message", "backupID", backupID, "error", err)
+		return err
+	}
+
+	m.logger.Info("Published backup cancel message", "backupID", backupID)
+	return nil
+}
+
+func (m *BackupCancelManager) UnregisterBackup(backupID uuid.UUID) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+	delete(m.cancelFuncs, backupID)
+	m.logger.Debug("Unregistered backup", "backupID", backupID)
+}
--- a/backend/internal/features/backups/backups/cancellation/backup_cancel_manager_test.go
+++ b/backend/internal/features/backups/backups/cancellation/backup_cancel_manager_test.go
@@ -0,0 +1,200 @@
+package backups_cancellation
+
+import (
+	"context"
+	"sync"
+	"testing"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_RegisterBackup_BackupRegisteredSuccessfully(t *testing.T) {
+	manager := backupCancelManager
+
+	backupID := uuid.New()
+	_, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	manager.RegisterBackup(backupID, cancel)
+
+	manager.mu.RLock()
+	_, exists := manager.cancelFuncs[backupID]
+	manager.mu.RUnlock()
+	assert.True(t, exists, "Backup should be registered")
+}
+
+func Test_UnregisterBackup_BackupUnregisteredSuccessfully(t *testing.T) {
+	manager := backupCancelManager
+
+	backupID := uuid.New()
+	_, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	manager.RegisterBackup(backupID, cancel)
+	manager.UnregisterBackup(backupID)
+
+	manager.mu.RLock()
+	_, exists := manager.cancelFuncs[backupID]
+	manager.mu.RUnlock()
+	assert.False(t, exists, "Backup should be unregistered")
+}
+
+func Test_CancelBackup_OnSameInstance_BackupCancelledViaPubSub(t *testing.T) {
+	manager := backupCancelManager
+
+	backupID := uuid.New()
+	ctx, cancel := context.WithCancel(context.Background())
+
+	cancelled := false
+	var mu sync.Mutex
+
+	wrappedCancel := func() {
+		mu.Lock()
+		cancelled = true
+		mu.Unlock()
+		cancel()
+	}
+
+	manager.RegisterBackup(backupID, wrappedCancel)
+	manager.StartSubscription()
+	time.Sleep(100 * time.Millisecond)
+
+	err := manager.CancelBackup(backupID)
+	assert.NoError(t, err, "Cancel should not return error")
+
+	time.Sleep(500 * time.Millisecond)
+
+	mu.Lock()
+	wasCancelled := cancelled
+	mu.Unlock()
+
+	assert.True(t, wasCancelled, "Cancel function should have been called")
+	assert.Error(t, ctx.Err(), "Context should be cancelled")
+}
+
+func Test_CancelBackup_FromDifferentInstance_BackupCancelledOnRunningInstance(t *testing.T) {
+	manager1 := backupCancelManager
+	manager2 := backupCancelManager
+
+	backupID := uuid.New()
+	ctx, cancel := context.WithCancel(context.Background())
+
+	cancelled := false
+	var mu sync.Mutex
+
+	wrappedCancel := func() {
+		mu.Lock()
+		cancelled = true
+		mu.Unlock()
+		cancel()
+	}
+
+	manager1.RegisterBackup(backupID, wrappedCancel)
+
+	manager1.StartSubscription()
+	manager2.StartSubscription()
+	time.Sleep(100 * time.Millisecond)
+
+	err := manager2.CancelBackup(backupID)
+	assert.NoError(t, err, "Cancel should not return error")
+
+	time.Sleep(500 * time.Millisecond)
+
+	mu.Lock()
+	wasCancelled := cancelled
+	mu.Unlock()
+
+	assert.True(t, wasCancelled, "Cancel function should have been called on instance 1")
+	assert.Error(t, ctx.Err(), "Context should be cancelled")
+}
+
+func Test_CancelBackup_WhenBackupDoesNotExist_NoErrorReturned(t *testing.T) {
+	manager := backupCancelManager
+
+	manager.StartSubscription()
+	time.Sleep(100 * time.Millisecond)
+
+	nonExistentID := uuid.New()
+	err := manager.CancelBackup(nonExistentID)
+	assert.NoError(t, err, "Cancelling non-existent backup should not error")
+}
+
+func Test_CancelBackup_WithMultipleBackups_AllBackupsCancelled(t *testing.T) {
+	manager := backupCancelManager
+
+	numBackups := 5
+	backupIDs := make([]uuid.UUID, numBackups)
+	contexts := make([]context.Context, numBackups)
+	cancels := make([]context.CancelFunc, numBackups)
+	cancelledFlags := make([]bool, numBackups)
+	var mu sync.Mutex
+
+	for i := 0; i < numBackups; i++ {
+		backupIDs[i] = uuid.New()
+		contexts[i], cancels[i] = context.WithCancel(context.Background())
+
+		idx := i
+		wrappedCancel := func() {
+			mu.Lock()
+			cancelledFlags[idx] = true
+			mu.Unlock()
+			cancels[idx]()
+		}
+
+		manager.RegisterBackup(backupIDs[i], wrappedCancel)
+	}
+
+	manager.StartSubscription()
+	time.Sleep(100 * time.Millisecond)
+
+	for i := 0; i < numBackups; i++ {
+		err := manager.CancelBackup(backupIDs[i])
+		assert.NoError(t, err, "Cancel should not return error")
+	}
+
+	time.Sleep(1 * time.Second)
+
+	mu.Lock()
+	for i := 0; i < numBackups; i++ {
+		assert.True(t, cancelledFlags[i], "Backup %d should be cancelled", i)
+		assert.Error(t, contexts[i].Err(), "Context %d should be cancelled", i)
+	}
+	mu.Unlock()
+}
+
+func Test_CancelBackup_AfterUnregister_BackupNotCancelled(t *testing.T) {
+	manager := backupCancelManager
+
+	backupID := uuid.New()
+	_, cancel := context.WithCancel(context.Background())
+	defer cancel()
+
+	cancelled := false
+	var mu sync.Mutex
+
+	wrappedCancel := func() {
+		mu.Lock()
+		cancelled = true
+		mu.Unlock()
+		cancel()
+	}
+
+	manager.RegisterBackup(backupID, wrappedCancel)
+	manager.StartSubscription()
+	time.Sleep(100 * time.Millisecond)
+
+	manager.UnregisterBackup(backupID)
+
+	err := manager.CancelBackup(backupID)
+	assert.NoError(t, err, "Cancel should not return error")
+
+	time.Sleep(500 * time.Millisecond)
+
+	mu.Lock()
+	wasCancelled := cancelled
+	mu.Unlock()
+
+	assert.False(t, wasCancelled, "Cancel function should not be called after unregister")
+}
--- a/backend/internal/features/backups/backups/cancellation/di.go
+++ b/backend/internal/features/backups/backups/cancellation/di.go
@@ -0,0 +1,25 @@
+package backups_cancellation
+
+import (
+	"context"
+	cache_utils "databasus-backend/internal/util/cache"
+	"databasus-backend/internal/util/logger"
+	"sync"
+
+	"github.com/google/uuid"
+)
+
+var backupCancelManager = &BackupCancelManager{
+	sync.RWMutex{},
+	make(map[uuid.UUID]context.CancelFunc),
+	cache_utils.NewPubSubManager(),
+	logger.GetLogger(),
+}
+
+func GetBackupCancelManager() *BackupCancelManager {
+	return backupCancelManager
+}
+
+func SetupDependencies() {
+	backupCancelManager.StartSubscription()
+}
--- a/backend/internal/features/backups/backups/common/dto.go
+++ b/backend/internal/features/backups/backups/common/dto.go
@@ -0,0 +1,17 @@
+package common
+
+import backups_config "databasus-backend/internal/features/backups/config"
+
+type BackupType string
+
+const (
+	BackupTypeDefault   BackupType = "DEFAULT"   // For MySQL, MongoDB, PostgreSQL legacy (-Fc)
+	BackupTypeDirectory BackupType = "DIRECTORY" // PostgreSQL directory type (-Fd)
+)
+
+type BackupMetadata struct {
+	EncryptionSalt *string
+	EncryptionIV   *string
+	Encryption     backups_config.BackupEncryption
+	Type           BackupType
+}
--- a/backend/internal/features/backups/backups/usecases/common/interfaces.go
+++ b/backend/internal/features/backups/backups/usecases/common/interfaces.go
--- a/backend/internal/features/backups/backups/controller.go
+++ b/backend/internal/features/backups/backups/controller.go
@@ -1,6 +1,7 @@
 package backups

 import (
+	backups_core "databasus-backend/internal/features/backups/backups/core"
 	"databasus-backend/internal/features/databases"
 	users_middleware "databasus-backend/internal/features/users/middleware"
 	"fmt"
@@ -18,11 +19,17 @@ type BackupController struct {
 func (c *BackupController) RegisterRoutes(router *gin.RouterGroup) {
 	router.GET("/backups", c.GetBackups)
 	router.POST("/backups", c.MakeBackup)
-	router.GET("/backups/:id/file", c.GetFile)
+	router.POST("/backups/:id/download-token", c.GenerateDownloadToken)
 	router.DELETE("/backups/:id", c.DeleteBackup)
 	router.POST("/backups/:id/cancel", c.CancelBackup)
 }

+// RegisterPublicRoutes registers routes that don't require Bearer authentication
+// (they have their own authentication mechanisms like download tokens)
+func (c *BackupController) RegisterPublicRoutes(router *gin.RouterGroup) {
+	router.GET("/backups/:id/file", c.GetFile)
+}
+
 // GetBackups
 // @Summary Get backups for a database
 // @Description Get paginated backups for the specified database
@@ -159,17 +166,16 @@ func (c *BackupController) CancelBackup(ctx *gin.Context) {
 	ctx.Status(http.StatusNoContent)
 }

-// GetFile
-// @Summary Download a backup file
-// @Description Download the backup file for the specified backup
+// GenerateDownloadToken
+// @Summary Generate short-lived download token
+// @Description Generate a token for downloading a backup file (valid for 5 minutes)
 // @Tags backups
 // @Param id path string true "Backup ID"
-// @Success 200 {file} file
+// @Success 200 {object} backups_download.GenerateDownloadTokenResponse
 // @Failure 400
 // @Failure 401
-// @Failure 500
-// @Router /backups/{id}/file [get]
-func (c *BackupController) GetFile(ctx *gin.Context) {
+// @Router /backups/{id}/download-token [post]
+func (c *BackupController) GenerateDownloadToken(ctx *gin.Context) {
 	user, ok := users_middleware.GetUserFromContext(ctx)
 	if !ok {
 		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "User not authenticated"})
@@ -182,7 +188,56 @@ func (c *BackupController) GetFile(ctx *gin.Context) {
 		return
 	}

-	fileReader, dbType, err := c.backupService.GetBackupFile(user, id)
+	response, err := c.backupService.GenerateDownloadToken(user, id)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, response)
+}
+
+// GetFile
+// @Summary Download a backup file
+// @Description Download the backup file for the specified backup using a download token
+// @Tags backups
+// @Param id path string true "Backup ID"
+// @Param token query string true "Download token"
+// @Success 200 {file} file
+// @Failure 400
+// @Failure 401
+// @Failure 500
+// @Router /backups/{id}/file [get]
+func (c *BackupController) GetFile(ctx *gin.Context) {
+	token := ctx.Query("token")
+	if token == "" {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "download token is required"})
+		return
+	}
+
+	// Get backup ID from URL
+	backupIDParam := ctx.Param("id")
+	backupID, err := uuid.Parse(backupIDParam)
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid backup ID"})
+		return
+	}
+
+	downloadToken, err := c.backupService.ValidateDownloadToken(token)
+	if err != nil {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid or expired download token"})
+		return
+	}
+
+	// Verify token is for the requested backup
+	if downloadToken.BackupID != backupID {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "invalid or expired download token"})
+		return
+	}
+
+	fileReader, backup, database, err := c.backupService.GetBackupFileWithoutAuth(
+		downloadToken.BackupID,
+	)
 	if err != nil {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -193,24 +248,89 @@ func (c *BackupController) GetFile(ctx *gin.Context) {
 		}
 	}()

-	extension := ".dump.zst"
-	if dbType == databases.DatabaseTypeMysql {
-		extension = ".sql.zst"
+	filename := c.generateBackupFilename(backup, database)
+
+	// Set Content-Length for progress tracking
+	if backup.BackupSizeMb > 0 {
+		sizeBytes := int64(backup.BackupSizeMb * 1024 * 1024)
+		ctx.Header("Content-Length", fmt.Sprintf("%d", sizeBytes))
 	}

 	ctx.Header("Content-Type", "application/octet-stream")
 	ctx.Header(
 		"Content-Disposition",
-		fmt.Sprintf("attachment; filename=\"backup_%s%s\"", id.String(), extension),
+		fmt.Sprintf("attachment; filename=\"%s\"", filename),
 	)

 	_, err = io.Copy(ctx.Writer, fileReader)
 	if err != nil {
-		ctx.JSON(http.StatusInternalServerError, gin.H{"error": "failed to stream file"})
+		fmt.Printf("Error streaming file: %v\n", err)
 		return
 	}
+
+	// Write audit log after successful download
+	c.backupService.WriteAuditLogForDownload(downloadToken.UserID, backup, database)
 }

 type MakeBackupRequest struct {
 	DatabaseID uuid.UUID `json:"database_id" binding:"required"`
 }
+
+func (c *BackupController) generateBackupFilename(
+	backup *backups_core.Backup,
+	database *databases.Database,
+) string {
+	// Format timestamp as YYYY-MM-DD_HH-mm-ss
+	timestamp := backup.CreatedAt.Format("2006-01-02_15-04-05")
+
+	// Sanitize database name for filename (replace spaces and special chars)
+	safeName := sanitizeFilename(database.Name)
+
+	// Determine extension based on database type
+	extension := c.getBackupExtension(database.Type)
+
+	return fmt.Sprintf("%s_backup_%s%s", safeName, timestamp, extension)
+}
+
+func (c *BackupController) getBackupExtension(
+	dbType databases.DatabaseType,
+) string {
+	switch dbType {
+	case databases.DatabaseTypeMysql, databases.DatabaseTypeMariadb:
+		return ".sql.zst"
+	case databases.DatabaseTypePostgres:
+		// PostgreSQL custom format
+		return ".dump"
+	case databases.DatabaseTypeMongodb:
+		return ".archive"
+	default:
+		return ".backup"
+	}
+}
+
+func sanitizeFilename(name string) string {
+	// Replace characters that are invalid in filenames
+	replacer := map[rune]rune{
+		' ':  '_',
+		'/':  '-',
+		'\\': '-',
+		':':  '-',
+		'*':  '-',
+		'?':  '-',
+		'"':  '-',
+		'<':  '-',
+		'>':  '-',
+		'|':  '-',
+	}
+
+	result := make([]rune, 0, len(name))
+	for _, char := range name {
+		if replacement, exists := replacer[char]; exists {
+			result = append(result, replacement)
+		} else {
+			result = append(result, char)
+		}
+	}
+
+	return string(result)
+}
--- a/backend/internal/features/backups/backups/controller_test.go
+++ b/backend/internal/features/backups/backups/controller_test.go
@@ -7,6 +7,7 @@ import (
 	"io"
 	"log/slog"
 	"net/http"
+	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -15,7 +16,10 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"

+	"databasus-backend/internal/config"
 	audit_logs "databasus-backend/internal/features/audit_logs"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_download "databasus-backend/internal/features/backups/backups/download"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/databases/databases/postgresql"
@@ -87,7 +91,13 @@ func Test_GetBackups_PermissionsEnforced(t *testing.T) {
 					testUserToken = owner.Token
 				} else {
 					member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-					workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+					workspaces_testing.AddMemberToWorkspace(
+						workspace,
+						member,
+						*tt.workspaceRole,
+						owner.Token,
+						router,
+					)
 					testUserToken = member.Token
 				}
 			} else {
@@ -179,7 +189,13 @@ func Test_CreateBackup_PermissionsEnforced(t *testing.T) {
 					testUserToken = owner.Token
 				} else {
 					member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-					workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+					workspaces_testing.AddMemberToWorkspace(
+						workspace,
+						member,
+						*tt.workspaceRole,
+						owner.Token,
+						router,
+					)
 					testUserToken = member.Token
 				}
 			} else {
@@ -309,7 +325,13 @@ func Test_DeleteBackup_PermissionsEnforced(t *testing.T) {
 					testUserToken = owner.Token
 				} else {
 					member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-					workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+					workspaces_testing.AddMemberToWorkspace(
+						workspace,
+						member,
+						*tt.workspaceRole,
+						owner.Token,
+						router,
+					)
 					testUserToken = member.Token
 				}
 			} else {
@@ -378,7 +400,7 @@ func Test_DeleteBackup_AuditLogWritten(t *testing.T) {
 	assert.True(t, found, "Audit log for backup deletion not found")
 }

-func Test_DownloadBackup_PermissionsEnforced(t *testing.T) {
+func Test_GenerateDownloadToken_PermissionsEnforced(t *testing.T) {
 	tests := []struct {
 		name               string
 		workspaceRole      *users_enums.WorkspaceRole
@@ -387,28 +409,28 @@ func Test_DownloadBackup_PermissionsEnforced(t *testing.T) {
 		expectedStatusCode int
 	}{
 		{
-			name:               "workspace viewer can download backup",
+			name:               "workspace viewer can generate token",
 			workspaceRole:      func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleViewer; return &r }(),
 			isGlobalAdmin:      false,
 			expectSuccess:      true,
 			expectedStatusCode: http.StatusOK,
 		},
 		{
-			name:               "workspace member can download backup",
+			name:               "workspace member can generate token",
 			workspaceRole:      func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleMember; return &r }(),
 			isGlobalAdmin:      false,
 			expectSuccess:      true,
 			expectedStatusCode: http.StatusOK,
 		},
 		{
-			name:               "non-member cannot download backup",
+			name:               "non-member cannot generate token",
 			workspaceRole:      nil,
 			isGlobalAdmin:      false,
 			expectSuccess:      false,
 			expectedStatusCode: http.StatusBadRequest,
 		},
 		{
-			name:               "global admin can download backup",
+			name:               "global admin can generate token",
 			workspaceRole:      nil,
 			isGlobalAdmin:      true,
 			expectSuccess:      true,
@@ -433,7 +455,13 @@ func Test_DownloadBackup_PermissionsEnforced(t *testing.T) {
 					testUserToken = owner.Token
 				} else {
 					member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-					workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+					workspaces_testing.AddMemberToWorkspace(
+						workspace,
+						member,
+						*tt.workspaceRole,
+						owner.Token,
+						router,
+					)
 					testUserToken = member.Token
 				}
 			} else {
@@ -441,21 +469,244 @@ func Test_DownloadBackup_PermissionsEnforced(t *testing.T) {
 				testUserToken = nonMember.Token
 			}

-			testResp := test_utils.MakeGetRequest(
+			testResp := test_utils.MakePostRequest(
 				t,
 				router,
-				fmt.Sprintf("/api/v1/backups/%s/file", backup.ID.String()),
+				fmt.Sprintf("/api/v1/backups/%s/download-token", backup.ID.String()),
 				"Bearer "+testUserToken,
+				nil,
 				tt.expectedStatusCode,
 			)

-			if !tt.expectSuccess {
+			if tt.expectSuccess {
+				var response backups_download.GenerateDownloadTokenResponse
+				err := json.Unmarshal(testResp.Body, &response)
+				assert.NoError(t, err)
+				assert.NotEmpty(t, response.Token)
+				assert.NotEmpty(t, response.Filename)
+				assert.Equal(t, backup.ID, response.BackupID)
+			} else {
 				assert.Contains(t, string(testResp.Body), "insufficient permissions")
 			}
 		})
 	}
 }

+func Test_DownloadBackup_WithValidToken_Success(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	_, backup := createTestDatabaseWithBackups(workspace, owner, router)
+
+	// Generate download token
+	var tokenResponse backups_download.GenerateDownloadTokenResponse
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/download-token", backup.ID.String()),
+		"Bearer "+owner.Token,
+		nil,
+		http.StatusOK,
+		&tokenResponse,
+	)
+
+	// Download with token
+	testResp := test_utils.MakeGetRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/file?token=%s", backup.ID.String(), tokenResponse.Token),
+		"",
+		http.StatusOK,
+	)
+
+	// Verify response
+	contentDisposition := testResp.Headers.Get("Content-Disposition")
+	assert.Contains(t, contentDisposition, "attachment")
+	assert.Contains(t, contentDisposition, tokenResponse.Filename)
+}
+
+func Test_DownloadBackup_WithoutToken_Unauthorized(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	_, backup := createTestDatabaseWithBackups(workspace, owner, router)
+
+	// Try to download without token
+	testResp := test_utils.MakeGetRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/file", backup.ID.String()),
+		"",
+		http.StatusUnauthorized,
+	)
+
+	assert.Contains(t, string(testResp.Body), "download token is required")
+}
+
+func Test_DownloadBackup_WithInvalidToken_Unauthorized(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	_, backup := createTestDatabaseWithBackups(workspace, owner, router)
+
+	// Try to download with invalid token
+	testResp := test_utils.MakeGetRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/file?token=%s", backup.ID.String(), "invalid-token-xyz"),
+		"",
+		http.StatusUnauthorized,
+	)
+
+	assert.Contains(t, string(testResp.Body), "invalid or expired download token")
+}
+
+func Test_DownloadBackup_WithExpiredToken_Unauthorized(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database, backup := createTestDatabaseWithBackups(workspace, owner, router)
+
+	// Get user for token generation
+	userService := users_services.GetUserService()
+	user, err := userService.GetUserFromToken(owner.Token)
+	assert.NoError(t, err)
+
+	// Create an expired token directly in the database
+	expiredToken := createExpiredDownloadToken(backup.ID, user.ID)
+
+	// Try to download with expired token
+	testResp := test_utils.MakeGetRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/file?token=%s", backup.ID.String(), expiredToken),
+		"",
+		http.StatusUnauthorized,
+	)
+
+	assert.Contains(t, string(testResp.Body), "invalid or expired download token")
+
+	// Verify audit log was NOT created for failed download
+	time.Sleep(100 * time.Millisecond)
+	auditLogService := audit_logs.GetAuditLogService()
+	auditLogs, err := auditLogService.GetWorkspaceAuditLogs(
+		workspace.ID,
+		&audit_logs.GetAuditLogsRequest{
+			Limit:  100,
+			Offset: 0,
+		},
+	)
+	assert.NoError(t, err)
+
+	found := false
+	for _, log := range auditLogs.AuditLogs {
+		if strings.Contains(log.Message, "Backup file downloaded") &&
+			strings.Contains(log.Message, database.Name) {
+			found = true
+			break
+		}
+	}
+	assert.False(t, found, "Audit log should NOT be created for failed download with expired token")
+}
+
+func Test_DownloadBackup_TokenUsedOnce_CannotReuseToken(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	_, backup := createTestDatabaseWithBackups(workspace, owner, router)
+
+	// Generate download token
+	var tokenResponse backups_download.GenerateDownloadTokenResponse
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/download-token", backup.ID.String()),
+		"Bearer "+owner.Token,
+		nil,
+		http.StatusOK,
+		&tokenResponse,
+	)
+
+	// Download with token (first time - should succeed)
+	test_utils.MakeGetRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/file?token=%s", backup.ID.String(), tokenResponse.Token),
+		"",
+		http.StatusOK,
+	)
+
+	// Try to download again with same token (should fail)
+	testResp := test_utils.MakeGetRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/file?token=%s", backup.ID.String(), tokenResponse.Token),
+		"",
+		http.StatusUnauthorized,
+	)
+
+	assert.Contains(t, string(testResp.Body), "invalid or expired download token")
+}
+
+func Test_DownloadBackup_WithDifferentBackupToken_Unauthorized(t *testing.T) {
+	router := createTestRouter()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database1 := createTestDatabase("Database 1", workspace.ID, owner.Token, router)
+	storage := createTestStorage(workspace.ID)
+
+	configService := backups_config.GetBackupConfigService()
+	config1, err := configService.GetBackupConfigByDbId(database1.ID)
+	assert.NoError(t, err)
+	config1.IsBackupsEnabled = true
+	config1.StorageID = &storage.ID
+	config1.Storage = storage
+	_, err = configService.SaveBackupConfig(config1)
+	assert.NoError(t, err)
+
+	backup1 := createTestBackup(database1, owner)
+
+	database2 := createTestDatabase("Database 2", workspace.ID, owner.Token, router)
+	config2, err := configService.GetBackupConfigByDbId(database2.ID)
+	assert.NoError(t, err)
+	config2.IsBackupsEnabled = true
+	config2.StorageID = &storage.ID
+	config2.Storage = storage
+	_, err = configService.SaveBackupConfig(config2)
+	assert.NoError(t, err)
+
+	backup2 := createTestBackup(database2, owner)
+
+	// Generate token for backup1
+	var tokenResponse backups_download.GenerateDownloadTokenResponse
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/download-token", backup1.ID.String()),
+		"Bearer "+owner.Token,
+		nil,
+		http.StatusOK,
+		&tokenResponse,
+	)
+
+	// Try to use backup1's token to download backup2 (should fail)
+	testResp := test_utils.MakeGetRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/file?token=%s", backup2.ID.String(), tokenResponse.Token),
+		"",
+		http.StatusUnauthorized,
+	)
+
+	assert.Contains(t, string(testResp.Body), "invalid or expired download token")
+}
+
 func Test_DownloadBackup_AuditLogWritten(t *testing.T) {
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
@@ -463,11 +714,24 @@ func Test_DownloadBackup_AuditLogWritten(t *testing.T) {

 	database, backup := createTestDatabaseWithBackups(workspace, owner, router)

+	// Generate download token
+	var tokenResponse backups_download.GenerateDownloadTokenResponse
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/backups/%s/download-token", backup.ID.String()),
+		"Bearer "+owner.Token,
+		nil,
+		http.StatusOK,
+		&tokenResponse,
+	)
+
+	// Download with token
 	test_utils.MakeGetRequest(
 		t,
 		router,
-		fmt.Sprintf("/api/v1/backups/%s/file", backup.ID.String()),
-		"Bearer "+owner.Token,
+		fmt.Sprintf("/api/v1/backups/%s/file?token=%s", backup.ID.String(), tokenResponse.Token),
+		"",
 		http.StatusOK,
 	)

@@ -494,6 +758,129 @@ func Test_DownloadBackup_AuditLogWritten(t *testing.T) {
 	assert.True(t, found, "Audit log for backup download not found")
 }

+func Test_DownloadBackup_ProperFilenameForPostgreSQL(t *testing.T) {
+	tests := []struct {
+		name           string
+		databaseName   string
+		expectedExt    string
+		expectedInName string
+	}{
+		{
+			name:           "PostgreSQL database",
+			databaseName:   "my_postgres_db",
+			expectedExt:    ".dump",
+			expectedInName: "my_postgres_db_backup_",
+		},
+		{
+			name:           "Database name with spaces",
+			databaseName:   "my test db",
+			expectedExt:    ".dump",
+			expectedInName: "my_test_db_backup_",
+		},
+		{
+			name:           "Database name with special characters",
+			databaseName:   "my:db/test",
+			expectedExt:    ".dump",
+			expectedInName: "my-db-test_backup_",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			router := createTestRouter()
+			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+			database := createTestDatabase(tt.databaseName, workspace.ID, owner.Token, router)
+			storage := createTestStorage(workspace.ID)
+
+			configService := backups_config.GetBackupConfigService()
+			config, err := configService.GetBackupConfigByDbId(database.ID)
+			assert.NoError(t, err)
+
+			config.IsBackupsEnabled = true
+			config.StorageID = &storage.ID
+			config.Storage = storage
+			_, err = configService.SaveBackupConfig(config)
+			assert.NoError(t, err)
+
+			backup := createTestBackup(database, owner)
+
+			// Generate download token
+			var tokenResponse backups_download.GenerateDownloadTokenResponse
+			test_utils.MakePostRequestAndUnmarshal(
+				t,
+				router,
+				fmt.Sprintf("/api/v1/backups/%s/download-token", backup.ID.String()),
+				"Bearer "+owner.Token,
+				nil,
+				http.StatusOK,
+				&tokenResponse,
+			)
+
+			// Download with token
+			resp := test_utils.MakeGetRequest(
+				t,
+				router,
+				fmt.Sprintf(
+					"/api/v1/backups/%s/file?token=%s",
+					backup.ID.String(),
+					tokenResponse.Token,
+				),
+				"",
+				http.StatusOK,
+			)
+
+			contentDisposition := resp.Headers.Get("Content-Disposition")
+			assert.NotEmpty(t, contentDisposition, "Content-Disposition header should be present")
+
+			// Verify the filename contains expected parts
+			assert.Contains(
+				t,
+				contentDisposition,
+				tt.expectedInName,
+				"Filename should contain sanitized database name",
+			)
+			assert.Contains(
+				t,
+				contentDisposition,
+				tt.expectedExt,
+				"Filename should have correct extension",
+			)
+			assert.Contains(t, contentDisposition, "attachment", "Should be an attachment")
+
+			// Verify timestamp format (YYYY-MM-DD_HH-mm-ss)
+			assert.Regexp(
+				t,
+				`\d{4}-\d{2}-\d{2}_\d{2}-\d{2}-\d{2}`,
+				contentDisposition,
+				"Filename should contain timestamp",
+			)
+		})
+	}
+}
+
+func Test_SanitizeFilename(t *testing.T) {
+	tests := []struct {
+		input    string
+		expected string
+	}{
+		{input: "simple_name", expected: "simple_name"},
+		{input: "name with spaces", expected: "name_with_spaces"},
+		{input: "name/with\\slashes", expected: "name-with-slashes"},
+		{input: "name:with*special?chars", expected: "name-with-special-chars"},
+		{input: "name<with>pipes|", expected: "name-with-pipes-"},
+		{input: `name"with"quotes`, expected: "name-with-quotes"},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.input, func(t *testing.T) {
+			result := sanitizeFilename(tt.input)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
 func Test_CancelBackup_InProgressBackup_SuccessfullyCancelled(t *testing.T) {
 	router := createTestRouter()
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
@@ -511,22 +898,22 @@ func Test_CancelBackup_InProgressBackup_SuccessfullyCancelled(t *testing.T) {
 	_, err = configService.SaveBackupConfig(config)
 	assert.NoError(t, err)

-	backup := &Backup{
+	backup := &backups_core.Backup{
 		ID:               uuid.New(),
 		DatabaseID:       database.ID,
 		StorageID:        storage.ID,
-		Status:           BackupStatusInProgress,
+		Status:           backups_core.BackupStatusInProgress,
 		BackupSizeMb:     0,
 		BackupDurationMs: 0,
 		CreatedAt:        time.Now().UTC(),
 	}

-	repo := &BackupRepository{}
+	repo := &backups_core.BackupRepository{}
 	err = repo.Save(backup)
 	assert.NoError(t, err)

 	// Register a cancellable context for the backup
-	GetBackupService().backupContextManager.RegisterBackup(backup.ID, func() {})
+	GetBackupService().backupCancelManager.RegisterBackup(backup.ID, func() {})

 	resp := test_utils.MakePostRequest(
 		t,
@@ -573,7 +960,13 @@ func createTestDatabase(
 	token string,
 	router *gin.Engine,
 ) *databases.Database {
-	testDbName := "test_db"
+	env := config.GetEnv()
+	port, err := strconv.Atoi(env.TestPostgres16Port)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_POSTGRES_16_PORT: %v", err))
+	}
+
+	testDbName := "testdb"
 	request := databases.Database{
 		Name:        name,
 		WorkspaceID: &workspaceID,
@@ -581,9 +974,9 @@ func createTestDatabase(
 		Postgresql: &postgresql.PostgresqlDatabase{
 			Version:  tools.PostgresqlVersion16,
 			Host:     "localhost",
-			Port:     5432,
-			Username: "postgres",
-			Password: "postgres",
+			Port:     port,
+			Username: "testuser",
+			Password: "testpassword",
 			Database: &testDbName,
 			CpuCount: 1,
 		},
@@ -646,7 +1039,7 @@ func createTestDatabaseWithBackups(
 	workspace *workspaces_models.Workspace,
 	owner *users_dto.SignInResponseDTO,
 	router *gin.Engine,
-) (*databases.Database, *Backup) {
+) (*databases.Database, *backups_core.Backup) {
 	database := createTestDatabase("Test Database", workspace.ID, owner.Token, router)
 	storage := createTestStorage(workspace.ID)

@@ -672,7 +1065,7 @@ func createTestDatabaseWithBackups(
 func createTestBackup(
 	database *databases.Database,
 	owner *users_dto.SignInResponseDTO,
-) *Backup {
+) *backups_core.Backup {
 	userService := users_services.GetUserService()
 	user, err := userService.GetUserFromToken(owner.Token)
 	if err != nil {
@@ -684,17 +1077,17 @@ func createTestBackup(
 		panic("No storage found for workspace")
 	}

-	backup := &Backup{
+	backup := &backups_core.Backup{
 		ID:               uuid.New(),
 		DatabaseID:       database.ID,
 		StorageID:        storages[0].ID,
-		Status:           BackupStatusCompleted,
+		Status:           backups_core.BackupStatusCompleted,
 		BackupSizeMb:     10.5,
 		BackupDurationMs: 1000,
 		CreatedAt:        time.Now().UTC(),
 	}

-	repo := &BackupRepository{}
+	repo := &backups_core.BackupRepository{}
 	if err := repo.Save(backup); err != nil {
 		panic(err)
 	}
@@ -703,9 +1096,38 @@ func createTestBackup(
 	dummyContent := []byte("dummy backup content for testing")
 	reader := strings.NewReader(string(dummyContent))
 	logger := slog.New(slog.NewTextHandler(io.Discard, nil))
-	if err := storages[0].SaveFile(context.Background(), encryption.GetFieldEncryptor(), logger, backup.ID, reader); err != nil {
+	if err := storages[0].SaveFile(
+		context.Background(),
+		encryption.GetFieldEncryptor(),
+		logger,
+		backup.ID,
+		reader,
+	); err != nil {
 		panic(fmt.Sprintf("Failed to create test backup file: %v", err))
 	}

 	return backup
 }
+
+func createExpiredDownloadToken(backupID, userID uuid.UUID) string {
+	tokenService := GetBackupService().downloadTokenService
+	token, err := tokenService.Generate(backupID, userID)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to generate download token: %v", err))
+	}
+
+	// Manually update the token to be expired
+	repo := &backups_download.DownloadTokenRepository{}
+	downloadToken, err := repo.FindByToken(token)
+	if err != nil || downloadToken == nil {
+		panic(fmt.Sprintf("Failed to find generated token: %v", err))
+	}
+
+	// Set expiration to 10 minutes ago
+	downloadToken.ExpiresAt = time.Now().UTC().Add(-10 * time.Minute)
+	if err := repo.Update(downloadToken); err != nil {
+		panic(fmt.Sprintf("Failed to update token expiration: %v", err))
+	}
+
+	return token
+}
--- a/backend/internal/features/backups/backups/core/enums.go
+++ b/backend/internal/features/backups/backups/core/enums.go
@@ -1,4 +1,4 @@
-package backups
+package backups_core

 type BackupStatus string

--- a/backend/internal/features/backups/backups/core/interfaces.go
+++ b/backend/internal/features/backups/backups/core/interfaces.go
@@ -1,9 +1,9 @@
-package backups
+package backups_core

 import (
 	"context"

-	usecases_common "databasus-backend/internal/features/backups/backups/usecases/common"
+	usecases_common "databasus-backend/internal/features/backups/backups/common"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/notifiers"
--- a/backend/internal/features/backups/backups/core/model.go
+++ b/backend/internal/features/backups/backups/core/model.go
@@ -1,4 +1,4 @@
-package backups
+package backups_core

 import (
 	backups_config "databasus-backend/internal/features/backups/config"
--- a/backend/internal/features/backups/backups/core/repository.go
+++ b/backend/internal/features/backups/backups/core/repository.go
@@ -1,4 +1,4 @@
-package backups
+package backups_core

 import (
 	"databasus-backend/internal/storage"
--- a/backend/internal/features/backups/backups/di.go
+++ b/backend/internal/features/backups/backups/di.go
@@ -1,9 +1,11 @@
 package backups

 import (
-	"time"
-
 	audit_logs "databasus-backend/internal/features/audit_logs"
+	"databasus-backend/internal/features/backups/backups/backuping"
+	backups_cancellation "databasus-backend/internal/features/backups/backups/cancellation"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_download "databasus-backend/internal/features/backups/backups/download"
 	"databasus-backend/internal/features/backups/backups/usecases"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
@@ -15,47 +17,31 @@ import (
 	"databasus-backend/internal/util/logger"
 )

-var backupRepository = &BackupRepository{}
+var backupRepository = &backups_core.BackupRepository{}

-var backupContextManager = NewBackupContextManager()
+var backupCancelManager = backups_cancellation.GetBackupCancelManager()

 var backupService = &BackupService{
-	databases.GetDatabaseService(),
-	storages.GetStorageService(),
-	backupRepository,
-	notifiers.GetNotifierService(),
-	notifiers.GetNotifierService(),
-	backups_config.GetBackupConfigService(),
-	encryption_secrets.GetSecretKeyService(),
-	encryption.GetFieldEncryptor(),
-	usecases.GetCreateBackupUsecase(),
-	logger.GetLogger(),
-	[]BackupRemoveListener{},
-	workspaces_services.GetWorkspaceService(),
-	audit_logs.GetAuditLogService(),
-	backupContextManager,
-}
-
-var backupBackgroundService = &BackupBackgroundService{
-	backupService,
-	backupRepository,
-	backups_config.GetBackupConfigService(),
-	storages.GetStorageService(),
-	time.Now().UTC(),
-	logger.GetLogger(),
+	databaseService:        databases.GetDatabaseService(),
+	storageService:         storages.GetStorageService(),
+	backupRepository:       backupRepository,
+	notifierService:        notifiers.GetNotifierService(),
+	notificationSender:     notifiers.GetNotifierService(),
+	backupConfigService:    backups_config.GetBackupConfigService(),
+	secretKeyService:       encryption_secrets.GetSecretKeyService(),
+	fieldEncryptor:         encryption.GetFieldEncryptor(),
+	createBackupUseCase:    usecases.GetCreateBackupUsecase(),
+	logger:                 logger.GetLogger(),
+	backupRemoveListeners:  []backups_core.BackupRemoveListener{},
+	workspaceService:       workspaces_services.GetWorkspaceService(),
+	auditLogService:        audit_logs.GetAuditLogService(),
+	backupCancelManager:    backupCancelManager,
+	downloadTokenService:   backups_download.GetDownloadTokenService(),
+	backupSchedulerService: backuping.GetBackupsScheduler(),
 }

 var backupController = &BackupController{
-	backupService,
-}
-
-func SetupDependencies() {
-	backups_config.
-		GetBackupConfigService().
-		SetDatabaseStorageChangeListener(backupService)
-
-	databases.GetDatabaseService().AddDbRemoveListener(backupService)
-	databases.GetDatabaseService().AddDbCopyListener(backups_config.GetBackupConfigService())
+	backupService: backupService,
 }

 func GetBackupService() *BackupService {
@@ -66,6 +52,11 @@ func GetBackupController() *BackupController {
 	return backupController
 }

-func GetBackupBackgroundService() *BackupBackgroundService {
-	return backupBackgroundService
+func SetupDependencies() {
+	backups_config.
+		GetBackupConfigService().
+		SetDatabaseStorageChangeListener(backupService)
+
+	databases.GetDatabaseService().AddDbRemoveListener(backupService)
+	databases.GetDatabaseService().AddDbCopyListener(backups_config.GetBackupConfigService())
 }
--- a/backend/internal/features/backups/backups/download/background.go
+++ b/backend/internal/features/backups/backups/download/background.go
@@ -0,0 +1,34 @@
+package backups_download
+
+import (
+	"context"
+	"log/slog"
+	"time"
+)
+
+type DownloadTokenBackgroundService struct {
+	downloadTokenService *DownloadTokenService
+	logger               *slog.Logger
+}
+
+func (s *DownloadTokenBackgroundService) Run(ctx context.Context) {
+	s.logger.Info("Starting download token cleanup background service")
+
+	if ctx.Err() != nil {
+		return
+	}
+
+	ticker := time.NewTicker(1 * time.Minute)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			if err := s.downloadTokenService.CleanExpiredTokens(); err != nil {
+				s.logger.Error("Failed to clean expired download tokens", "error", err)
+			}
+		}
+	}
+}
--- a/backend/internal/features/backups/backups/download/di.go
+++ b/backend/internal/features/backups/backups/download/di.go
@@ -0,0 +1,25 @@
+package backups_download
+
+import (
+	"databasus-backend/internal/util/logger"
+)
+
+var downloadTokenRepository = &DownloadTokenRepository{}
+
+var downloadTokenService = &DownloadTokenService{
+	downloadTokenRepository,
+	logger.GetLogger(),
+}
+
+var downloadTokenBackgroundService = &DownloadTokenBackgroundService{
+	downloadTokenService,
+	logger.GetLogger(),
+}
+
+func GetDownloadTokenService() *DownloadTokenService {
+	return downloadTokenService
+}
+
+func GetDownloadTokenBackgroundService() *DownloadTokenBackgroundService {
+	return downloadTokenBackgroundService
+}
--- a/backend/internal/features/backups/backups/download/dto.go
+++ b/backend/internal/features/backups/backups/download/dto.go
@@ -0,0 +1,9 @@
+package backups_download
+
+import "github.com/google/uuid"
+
+type GenerateDownloadTokenResponse struct {
+	Token    string    `json:"token"`
+	Filename string    `json:"filename"`
+	BackupID uuid.UUID `json:"backupId"`
+}
--- a/backend/internal/features/backups/backups/download/model.go
+++ b/backend/internal/features/backups/backups/download/model.go
@@ -0,0 +1,21 @@
+package backups_download
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type DownloadToken struct {
+	ID        uuid.UUID `json:"id"        gorm:"column:id;primaryKey"`
+	Token     string    `json:"token"     gorm:"column:token;uniqueIndex;not null"`
+	BackupID  uuid.UUID `json:"backupId"  gorm:"column:backup_id;not null"`
+	UserID    uuid.UUID `json:"userId"    gorm:"column:user_id;not null"`
+	ExpiresAt time.Time `json:"expiresAt" gorm:"column:expires_at;not null"`
+	Used      bool      `json:"used"      gorm:"column:used;not null;default:false"`
+	CreatedAt time.Time `json:"createdAt" gorm:"column:created_at;not null"`
+}
+
+func (DownloadToken) TableName() string {
+	return "download_tokens"
+}
--- a/backend/internal/features/backups/backups/download/repository.go
+++ b/backend/internal/features/backups/backups/download/repository.go
@@ -0,0 +1,60 @@
+package backups_download
+
+import (
+	"crypto/rand"
+	"databasus-backend/internal/storage"
+	"encoding/base64"
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+type DownloadTokenRepository struct{}
+
+func (r *DownloadTokenRepository) Create(token *DownloadToken) error {
+	if token.ID == uuid.Nil {
+		token.ID = uuid.New()
+	}
+	if token.CreatedAt.IsZero() {
+		token.CreatedAt = time.Now().UTC()
+	}
+	return storage.GetDb().Create(token).Error
+}
+
+func (r *DownloadTokenRepository) FindByToken(token string) (*DownloadToken, error) {
+	var downloadToken DownloadToken
+
+	err := storage.GetDb().
+		Where("token = ?", token).
+		First(&downloadToken).Error
+
+	if err != nil {
+		if err == gorm.ErrRecordNotFound {
+			return nil, nil
+		}
+		return nil, err
+	}
+
+	return &downloadToken, nil
+}
+
+func (r *DownloadTokenRepository) Update(token *DownloadToken) error {
+	return storage.GetDb().Save(token).Error
+}
+
+func (r *DownloadTokenRepository) DeleteExpired(before time.Time) error {
+	return storage.GetDb().
+		Where("expires_at < ?", before).
+		Delete(&DownloadToken{}).Error
+}
+
+func GenerateSecureToken() string {
+	b := make([]byte, 32)
+
+	if _, err := rand.Read(b); err != nil {
+		panic("failed to generate secure random token: " + err.Error())
+	}
+
+	return base64.URLEncoding.EncodeToString(b)
+}
--- a/backend/internal/features/backups/backups/download/service.go
+++ b/backend/internal/features/backups/backups/download/service.go
@@ -0,0 +1,69 @@
+package backups_download
+
+import (
+	"errors"
+	"log/slog"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type DownloadTokenService struct {
+	repository *DownloadTokenRepository
+	logger     *slog.Logger
+}
+
+func (s *DownloadTokenService) Generate(backupID, userID uuid.UUID) (string, error) {
+	token := GenerateSecureToken()
+
+	downloadToken := &DownloadToken{
+		Token:     token,
+		BackupID:  backupID,
+		UserID:    userID,
+		ExpiresAt: time.Now().UTC().Add(5 * time.Minute),
+		Used:      false,
+	}
+
+	if err := s.repository.Create(downloadToken); err != nil {
+		return "", err
+	}
+
+	s.logger.Info("Generated download token", "backupId", backupID, "userId", userID)
+	return token, nil
+}
+
+func (s *DownloadTokenService) ValidateAndConsume(token string) (*DownloadToken, error) {
+	dt, err := s.repository.FindByToken(token)
+	if err != nil {
+		return nil, err
+	}
+
+	if dt == nil {
+		return nil, errors.New("invalid token")
+	}
+
+	if dt.Used {
+		return nil, errors.New("token already used")
+	}
+
+	if time.Now().UTC().After(dt.ExpiresAt) {
+		return nil, errors.New("token expired")
+	}
+
+	dt.Used = true
+	if err := s.repository.Update(dt); err != nil {
+		s.logger.Error("Failed to mark token as used", "error", err)
+	}
+
+	s.logger.Info("Token validated and consumed", "backupId", dt.BackupID)
+	return dt, nil
+}
+
+func (s *DownloadTokenService) CleanExpiredTokens() error {
+	now := time.Now().UTC()
+	if err := s.repository.DeleteExpired(now); err != nil {
+		return err
+	}
+	s.logger.Debug("Cleaned expired download tokens")
+	return nil
+}
--- a/backend/internal/features/backups/backups/dto.go
+++ b/backend/internal/features/backups/backups/dto.go
@@ -1,6 +1,7 @@
 package backups

 import (
+	backups_core "databasus-backend/internal/features/backups/backups/core"
 	"databasus-backend/internal/features/backups/backups/encryption"
 	"io"
 )
@@ -12,17 +13,17 @@ type GetBackupsRequest struct {
 }

 type GetBackupsResponse struct {
-	Backups []*Backup `json:"backups"`
-	Total   int64     `json:"total"`
-	Limit   int       `json:"limit"`
-	Offset  int       `json:"offset"`
+	Backups []*backups_core.Backup `json:"backups"`
+	Total   int64                  `json:"total"`
+	Limit   int                    `json:"limit"`
+	Offset  int                    `json:"offset"`
 }

-type decryptionReaderCloser struct {
+type DecryptionReaderCloser struct {
 	*encryption.DecryptionReader
-	baseReader io.ReadCloser
+	BaseReader io.ReadCloser
 }

-func (r *decryptionReaderCloser) Close() error {
-	return r.baseReader.Close()
+func (r *DecryptionReaderCloser) Close() error {
+	return r.BaseReader.Close()
 }
--- a/backend/internal/features/backups/backups/service.go
+++ b/backend/internal/features/backups/backups/service.go
@@ -1,17 +1,17 @@
 package backups

 import (
-	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
 	"io"
 	"log/slog"
-	"slices"
-	"strings"
-	"time"

 	audit_logs "databasus-backend/internal/features/audit_logs"
+	"databasus-backend/internal/features/backups/backups/backuping"
+	backups_cancellation "databasus-backend/internal/features/backups/backups/cancellation"
+	backups_core "databasus-backend/internal/features/backups/backups/core"
+	backups_download "databasus-backend/internal/features/backups/backups/download"
 	"databasus-backend/internal/features/backups/backups/encryption"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
@@ -28,25 +28,27 @@ import (
 type BackupService struct {
 	databaseService     *databases.DatabaseService
 	storageService      *storages.StorageService
-	backupRepository    *BackupRepository
+	backupRepository    *backups_core.BackupRepository
 	notifierService     *notifiers.NotifierService
-	notificationSender  NotificationSender
+	notificationSender  backups_core.NotificationSender
 	backupConfigService *backups_config.BackupConfigService
 	secretKeyService    *encryption_secrets.SecretKeyService
 	fieldEncryptor      util_encryption.FieldEncryptor

-	createBackupUseCase CreateBackupUsecase
+	createBackupUseCase backups_core.CreateBackupUsecase

 	logger *slog.Logger

-	backupRemoveListeners []BackupRemoveListener
+	backupRemoveListeners []backups_core.BackupRemoveListener

-	workspaceService     *workspaces_services.WorkspaceService
-	auditLogService      *audit_logs.AuditLogService
-	backupContextManager *BackupContextManager
+	workspaceService       *workspaces_services.WorkspaceService
+	auditLogService        *audit_logs.AuditLogService
+	backupCancelManager    *backups_cancellation.BackupCancelManager
+	downloadTokenService   *backups_download.DownloadTokenService
+	backupSchedulerService *backuping.BackupsScheduler
 }

-func (s *BackupService) AddBackupRemoveListener(listener BackupRemoveListener) {
+func (s *BackupService) AddBackupRemoveListener(listener backups_core.BackupRemoveListener) {
 	s.backupRemoveListeners = append(s.backupRemoveListeners, listener)
 }

@@ -89,7 +91,7 @@ func (s *BackupService) MakeBackupWithAuth(
 		return errors.New("insufficient permissions to create backup for this database")
 	}

-	go s.MakeBackup(databaseID, true)
+	s.backupSchedulerService.StartBackup(databaseID, true)

 	s.auditLogService.WriteAuditLog(
 		fmt.Sprintf("Backup manually initiated for database: %s", database.Name),
@@ -173,7 +175,7 @@ func (s *BackupService) DeleteBackup(
 		return errors.New("insufficient permissions to delete backup for this database")
 	}

-	if backup.Status == BackupStatusInProgress {
+	if backup.Status == backups_core.BackupStatusInProgress {
 		return errors.New("backup is in progress")
 	}

@@ -190,265 +192,7 @@ func (s *BackupService) DeleteBackup(
 	return s.deleteBackup(backup)
 }

-func (s *BackupService) MakeBackup(databaseID uuid.UUID, isLastTry bool) {
-	database, err := s.databaseService.GetDatabaseByID(databaseID)
-	if err != nil {
-		s.logger.Error("Failed to get database by ID", "error", err)
-		return
-	}
-
-	lastBackup, err := s.backupRepository.FindLastByDatabaseID(databaseID)
-	if err != nil {
-		s.logger.Error("Failed to find last backup by database ID", "error", err)
-		return
-	}
-
-	if lastBackup != nil && lastBackup.Status == BackupStatusInProgress {
-		s.logger.Error("Backup is in progress")
-		return
-	}
-
-	backupConfig, err := s.backupConfigService.GetBackupConfigByDbId(databaseID)
-	if err != nil {
-		s.logger.Error("Failed to get backup config by database ID", "error", err)
-		return
-	}
-
-	if !backupConfig.IsBackupsEnabled {
-		s.logger.Info("Backups are not enabled for this database")
-		return
-	}
-
-	if backupConfig.StorageID == nil {
-		s.logger.Error("Backup config storage ID is not defined")
-		return
-	}
-
-	storage, err := s.storageService.GetStorageByID(*backupConfig.StorageID)
-	if err != nil {
-		s.logger.Error("Failed to get storage by ID", "error", err)
-		return
-	}
-
-	backup := &Backup{
-		DatabaseID: databaseID,
-		StorageID:  storage.ID,
-
-		Status: BackupStatusInProgress,
-
-		BackupSizeMb: 0,
-
-		CreatedAt: time.Now().UTC(),
-	}
-
-	if err := s.backupRepository.Save(backup); err != nil {
-		s.logger.Error("Failed to save backup", "error", err)
-		return
-	}
-
-	start := time.Now().UTC()
-
-	backupProgressListener := func(
-		completedMBs float64,
-	) {
-		backup.BackupSizeMb = completedMBs
-		backup.BackupDurationMs = time.Since(start).Milliseconds()
-
-		if err := s.backupRepository.Save(backup); err != nil {
-			s.logger.Error("Failed to update backup progress", "error", err)
-		}
-	}
-
-	ctx, cancel := context.WithCancel(context.Background())
-	s.backupContextManager.RegisterBackup(backup.ID, cancel)
-	defer s.backupContextManager.UnregisterBackup(backup.ID)
-
-	backupMetadata, err := s.createBackupUseCase.Execute(
-		ctx,
-		backup.ID,
-		backupConfig,
-		database,
-		storage,
-		backupProgressListener,
-	)
-	if err != nil {
-		errMsg := err.Error()
-
-		// Check if backup was cancelled (not due to shutdown)
-		isCancelled := strings.Contains(errMsg, "backup cancelled") ||
-			strings.Contains(errMsg, "context canceled") ||
-			errors.Is(err, context.Canceled)
-		isShutdown := strings.Contains(errMsg, "shutdown")
-
-		if isCancelled && !isShutdown {
-			backup.Status = BackupStatusCanceled
-			backup.BackupDurationMs = time.Since(start).Milliseconds()
-			backup.BackupSizeMb = 0
-
-			if err := s.backupRepository.Save(backup); err != nil {
-				s.logger.Error("Failed to save cancelled backup", "error", err)
-			}
-
-			// Delete partial backup from storage
-			storage, storageErr := s.storageService.GetStorageByID(backup.StorageID)
-			if storageErr == nil {
-				if deleteErr := storage.DeleteFile(s.fieldEncryptor, backup.ID); deleteErr != nil {
-					s.logger.Error(
-						"Failed to delete partial backup file",
-						"backupId",
-						backup.ID,
-						"error",
-						deleteErr,
-					)
-				}
-			}
-
-			return
-		}
-
-		backup.FailMessage = &errMsg
-		backup.Status = BackupStatusFailed
-		backup.BackupDurationMs = time.Since(start).Milliseconds()
-		backup.BackupSizeMb = 0
-
-		if updateErr := s.databaseService.SetBackupError(databaseID, errMsg); updateErr != nil {
-			s.logger.Error(
-				"Failed to update database last backup time",
-				"databaseId",
-				databaseID,
-				"error",
-				updateErr,
-			)
-		}
-
-		if err := s.backupRepository.Save(backup); err != nil {
-			s.logger.Error("Failed to save backup", "error", err)
-		}
-
-		s.SendBackupNotification(
-			backupConfig,
-			backup,
-			backups_config.NotificationBackupFailed,
-			&errMsg,
-		)
-
-		return
-	}
-
-	backup.Status = BackupStatusCompleted
-	backup.BackupDurationMs = time.Since(start).Milliseconds()
-
-	// Update backup with encryption metadata if provided
-	if backupMetadata != nil {
-		backup.EncryptionSalt = backupMetadata.EncryptionSalt
-		backup.EncryptionIV = backupMetadata.EncryptionIV
-		backup.Encryption = backupMetadata.Encryption
-	}
-
-	if err := s.backupRepository.Save(backup); err != nil {
-		s.logger.Error("Failed to save backup", "error", err)
-		return
-	}
-
-	// Update database last backup time
-	now := time.Now().UTC()
-	if updateErr := s.databaseService.SetLastBackupTime(databaseID, now); updateErr != nil {
-		s.logger.Error(
-			"Failed to update database last backup time",
-			"databaseId",
-			databaseID,
-			"error",
-			updateErr,
-		)
-	}
-
-	if backup.Status != BackupStatusCompleted && !isLastTry {
-		return
-	}
-
-	s.SendBackupNotification(
-		backupConfig,
-		backup,
-		backups_config.NotificationBackupSuccess,
-		nil,
-	)
-}
-
-func (s *BackupService) SendBackupNotification(
-	backupConfig *backups_config.BackupConfig,
-	backup *Backup,
-	notificationType backups_config.BackupNotificationType,
-	errorMessage *string,
-) {
-	database, err := s.databaseService.GetDatabaseByID(backupConfig.DatabaseID)
-	if err != nil {
-		return
-	}
-
-	workspace, err := s.workspaceService.GetWorkspaceByID(*database.WorkspaceID)
-	if err != nil {
-		return
-	}
-
-	for _, notifier := range database.Notifiers {
-		if !slices.Contains(
-			backupConfig.SendNotificationsOn,
-			notificationType,
-		) {
-			continue
-		}
-
-		title := ""
-		switch notificationType {
-		case backups_config.NotificationBackupFailed:
-			title = fmt.Sprintf(
-				"❌ Backup failed for database \"%s\" (workspace \"%s\")",
-				database.Name,
-				workspace.Name,
-			)
-		case backups_config.NotificationBackupSuccess:
-			title = fmt.Sprintf(
-				"✅ Backup completed for database \"%s\" (workspace \"%s\")",
-				database.Name,
-				workspace.Name,
-			)
-		}
-
-		message := ""
-		if errorMessage != nil {
-			message = *errorMessage
-		} else {
-			// Format size conditionally
-			var sizeStr string
-			if backup.BackupSizeMb < 1024 {
-				sizeStr = fmt.Sprintf("%.2f MB", backup.BackupSizeMb)
-			} else {
-				sizeGB := backup.BackupSizeMb / 1024
-				sizeStr = fmt.Sprintf("%.2f GB", sizeGB)
-			}
-
-			// Format duration as "0m 0s 0ms"
-			totalMs := backup.BackupDurationMs
-			minutes := totalMs / (1000 * 60)
-			seconds := (totalMs % (1000 * 60)) / 1000
-			durationStr := fmt.Sprintf("%dm %ds", minutes, seconds)
-
-			message = fmt.Sprintf(
-				"Backup completed successfully in %s.\nCompressed backup size: %s",
-				durationStr,
-				sizeStr,
-			)
-		}
-
-		s.notificationSender.SendNotification(
-			&notifier,
-			title,
-			message,
-		)
-	}
-}
-
-func (s *BackupService) GetBackup(backupID uuid.UUID) (*Backup, error) {
+func (s *BackupService) GetBackup(backupID uuid.UUID) (*backups_core.Backup, error) {
 	return s.backupRepository.FindByID(backupID)
 }

@@ -478,11 +222,11 @@ func (s *BackupService) CancelBackup(
 		return errors.New("insufficient permissions to cancel backup for this database")
 	}

-	if backup.Status != BackupStatusInProgress {
+	if backup.Status != backups_core.BackupStatusInProgress {
 		return errors.New("backup is not in progress")
 	}

-	if err := s.backupContextManager.CancelBackup(backupID); err != nil {
+	if err := s.backupCancelManager.CancelBackup(backupID); err != nil {
 		return err
 	}

@@ -502,19 +246,19 @@ func (s *BackupService) CancelBackup(
 func (s *BackupService) GetBackupFile(
 	user *users_models.User,
 	backupID uuid.UUID,
-) (io.ReadCloser, databases.DatabaseType, error) {
+) (io.ReadCloser, *backups_core.Backup, *databases.Database, error) {
 	backup, err := s.backupRepository.FindByID(backupID)
 	if err != nil {
-		return nil, "", err
+		return nil, nil, nil, err
 	}

 	database, err := s.databaseService.GetDatabaseByID(backup.DatabaseID)
 	if err != nil {
-		return nil, "", err
+		return nil, nil, nil, err
 	}

 	if database.WorkspaceID == nil {
-		return nil, "", errors.New("cannot download backup for database without workspace")
+		return nil, nil, nil, errors.New("cannot download backup for database without workspace")
 	}

 	canAccess, _, err := s.workspaceService.CanUserAccessWorkspace(
@@ -522,10 +266,12 @@ func (s *BackupService) GetBackupFile(
 		user,
 	)
 	if err != nil {
-		return nil, "", err
+		return nil, nil, nil, err
 	}
 	if !canAccess {
-		return nil, "", errors.New("insufficient permissions to download backup for this database")
+		return nil, nil, nil, errors.New(
+			"insufficient permissions to download backup for this database",
+		)
 	}

 	s.auditLogService.WriteAuditLog(
@@ -540,13 +286,13 @@ func (s *BackupService) GetBackupFile(

 	reader, err := s.getBackupReader(backupID)
 	if err != nil {
-		return nil, "", err
+		return nil, nil, nil, err
 	}

-	return reader, database.Type, nil
+	return reader, backup, database, nil
 }

-func (s *BackupService) deleteBackup(backup *Backup) error {
+func (s *BackupService) deleteBackup(backup *backups_core.Backup) error {
 	for _, listener := range s.backupRemoveListeners {
 		if err := listener.OnBeforeBackupRemove(backup); err != nil {
 			return err
@@ -572,7 +318,7 @@ func (s *BackupService) deleteBackup(backup *Backup) error {
 func (s *BackupService) deleteDbBackups(databaseID uuid.UUID) error {
 	dbBackupsInProgress, err := s.backupRepository.FindByDatabaseIdAndStatus(
 		databaseID,
-		BackupStatusInProgress,
+		backups_core.BackupStatusInProgress,
 	)
 	if err != nil {
 		return err
@@ -681,8 +427,120 @@ func (s *BackupService) getBackupReader(backupID uuid.UUID) (io.ReadCloser, erro

 	s.logger.Info("Returning encrypted backup with decryption", "backupId", backupID)

-	return &decryptionReaderCloser{
-		decryptionReader,
-		fileReader,
+	return &DecryptionReaderCloser{
+		DecryptionReader: decryptionReader,
+		BaseReader:       fileReader,
 	}, nil
 }
+
+func (s *BackupService) GenerateDownloadToken(
+	user *users_models.User,
+	backupID uuid.UUID,
+) (*backups_download.GenerateDownloadTokenResponse, error) {
+	backup, err := s.backupRepository.FindByID(backupID)
+	if err != nil {
+		return nil, err
+	}
+
+	database, err := s.databaseService.GetDatabaseByID(backup.DatabaseID)
+	if err != nil {
+		return nil, err
+	}
+
+	if database.WorkspaceID == nil {
+		return nil, errors.New("cannot download backup for database without workspace")
+	}
+
+	canAccess, _, err := s.workspaceService.CanUserAccessWorkspace(*database.WorkspaceID, user)
+	if err != nil {
+		return nil, err
+	}
+	if !canAccess {
+		return nil, errors.New("insufficient permissions to download backup for this database")
+	}
+
+	token, err := s.downloadTokenService.Generate(backupID, user.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	filename := s.generateBackupFilename(backup, database)
+
+	s.auditLogService.WriteAuditLog(
+		fmt.Sprintf("Download token generated for backup of database: %s", database.Name),
+		&user.ID,
+		database.WorkspaceID,
+	)
+
+	return &backups_download.GenerateDownloadTokenResponse{
+		Token:    token,
+		Filename: filename,
+		BackupID: backupID,
+	}, nil
+}
+
+func (s *BackupService) ValidateDownloadToken(
+	token string,
+) (*backups_download.DownloadToken, error) {
+	return s.downloadTokenService.ValidateAndConsume(token)
+}
+
+func (s *BackupService) GetBackupFileWithoutAuth(
+	backupID uuid.UUID,
+) (io.ReadCloser, *backups_core.Backup, *databases.Database, error) {
+	backup, err := s.backupRepository.FindByID(backupID)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	database, err := s.databaseService.GetDatabaseByID(backup.DatabaseID)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	reader, err := s.getBackupReader(backupID)
+	if err != nil {
+		return nil, nil, nil, err
+	}
+
+	return reader, backup, database, nil
+}
+
+func (s *BackupService) WriteAuditLogForDownload(
+	userID uuid.UUID,
+	backup *backups_core.Backup,
+	database *databases.Database,
+) {
+	s.auditLogService.WriteAuditLog(
+		fmt.Sprintf(
+			"Backup file downloaded for database: %s (ID: %s)",
+			database.Name,
+			backup.ID.String(),
+		),
+		&userID,
+		database.WorkspaceID,
+	)
+}
+
+func (s *BackupService) generateBackupFilename(
+	backup *backups_core.Backup,
+	database *databases.Database,
+) string {
+	timestamp := backup.CreatedAt.Format("2006-01-02_15-04-05")
+	safeName := sanitizeFilename(database.Name)
+	extension := s.getBackupExtension(database.Type)
+	return fmt.Sprintf("%s_backup_%s%s", safeName, timestamp, extension)
+}
+
+func (s *BackupService) getBackupExtension(dbType databases.DatabaseType) string {
+	switch dbType {
+	case databases.DatabaseTypeMysql, databases.DatabaseTypeMariadb:
+		return ".sql.zst"
+	case databases.DatabaseTypePostgres:
+		return ".dump"
+	case databases.DatabaseTypeMongodb:
+		return ".archive"
+	default:
+		return ".backup"
+	}
+}
--- a/backend/internal/features/backups/backups/testing.go
+++ b/backend/internal/features/backups/backups/testing.go
@@ -1,20 +1,77 @@
 package backups

 import (
+	"testing"
+	"time"
+
+	backups_core "databasus-backend/internal/features/backups/backups/core"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"

 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 )

 func CreateTestRouter() *gin.Engine {
-	return workspaces_testing.CreateTestRouter(
+	router := workspaces_testing.CreateTestRouter(
 		workspaces_controllers.GetWorkspaceController(),
 		workspaces_controllers.GetMembershipController(),
 		databases.GetDatabaseController(),
 		backups_config.GetBackupConfigController(),
 		GetBackupController(),
 	)
+
+	// Register public routes (no auth required - token-based)
+	v1 := router.Group("/api/v1")
+	GetBackupController().RegisterPublicRoutes(v1)
+
+	return router
+}
+
+// WaitForBackupCompletion waits for a new backup to be created and completed (or failed)
+// for the given database. It checks for backups with count greater than expectedInitialCount.
+func WaitForBackupCompletion(
+	t *testing.T,
+	databaseID uuid.UUID,
+	expectedInitialCount int,
+	timeout time.Duration,
+) {
+	deadline := time.Now().UTC().Add(timeout)
+
+	for time.Now().UTC().Before(deadline) {
+		backups, err := backupRepository.FindByDatabaseID(databaseID)
+		if err != nil {
+			t.Logf("WaitForBackupCompletion: error finding backups: %v", err)
+			time.Sleep(50 * time.Millisecond)
+			continue
+		}
+
+		t.Logf(
+			"WaitForBackupCompletion: found %d backups (expected > %d)",
+			len(backups),
+			expectedInitialCount,
+		)
+
+		if len(backups) > expectedInitialCount {
+			// Check if the newest backup has completed or failed
+			newestBackup := backups[0]
+			t.Logf("WaitForBackupCompletion: newest backup status: %s", newestBackup.Status)
+
+			if newestBackup.Status == backups_core.BackupStatusCompleted ||
+				newestBackup.Status == backups_core.BackupStatusFailed ||
+				newestBackup.Status == backups_core.BackupStatusCanceled {
+				t.Logf(
+					"WaitForBackupCompletion: backup finished with status %s",
+					newestBackup.Status,
+				)
+				return
+			}
+		}
+
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	t.Logf("WaitForBackupCompletion: timeout waiting for backup to complete")
 }
--- a/backend/internal/features/backups/backups/usecases/common/dto.go
+++ b/backend/internal/features/backups/backups/usecases/common/dto.go
@@ -1,9 +0,0 @@
-package common
-
-import backups_config "databasus-backend/internal/features/backups/config"
-
-type BackupMetadata struct {
-	EncryptionSalt *string
-	EncryptionIV   *string
-	Encryption     backups_config.BackupEncryption
-}
--- a/backend/internal/features/backups/backups/usecases/create_backup_uc.go
+++ b/backend/internal/features/backups/backups/usecases/create_backup_uc.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"errors"

-	usecases_common "databasus-backend/internal/features/backups/backups/usecases/common"
+	common "databasus-backend/internal/features/backups/backups/common"
 	usecases_mariadb "databasus-backend/internal/features/backups/backups/usecases/mariadb"
 	usecases_mongodb "databasus-backend/internal/features/backups/backups/usecases/mongodb"
 	usecases_mysql "databasus-backend/internal/features/backups/backups/usecases/mysql"
@@ -30,7 +30,7 @@ func (uc *CreateBackupUsecase) Execute(
 	database *databases.Database,
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	switch database.Type {
 	case databases.DatabaseTypePostgres:
 		return uc.CreatePostgresqlBackupUsecase.Execute(
--- a/backend/internal/features/backups/backups/usecases/mariadb/create_backup_uc.go
+++ b/backend/internal/features/backups/backups/usecases/mariadb/create_backup_uc.go
@@ -18,8 +18,8 @@ import (
 	"github.com/klauspost/compress/zstd"

 	"databasus-backend/internal/config"
+	common "databasus-backend/internal/features/backups/backups/common"
 	backup_encryption "databasus-backend/internal/features/backups/backups/encryption"
-	usecases_common "databasus-backend/internal/features/backups/backups/usecases/common"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	mariadbtypes "databasus-backend/internal/features/databases/databases/mariadb"
@@ -57,17 +57,13 @@ func (uc *CreateMariadbBackupUsecase) Execute(
 	db *databases.Database,
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info(
 		"Creating MariaDB backup via mariadb-dump",
 		"databaseId", db.ID,
 		"storageId", storage.ID,
 	)

-	if !backupConfig.IsBackupsEnabled {
-		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
-	}
-
 	mdb := db.Mariadb
 	if mdb == nil {
 		return nil, fmt.Errorf("mariadb database configuration is required")
@@ -111,16 +107,22 @@ func (uc *CreateMariadbBackupUsecase) buildMariadbDumpArgs(
 		"--user=" + mdb.Username,
 		"--single-transaction",
 		"--routines",
-		"--triggers",
-		"--events",
 		"--quick",
 		"--verbose",
 	}

+	if mdb.HasPrivilege("TRIGGER") {
+		args = append(args, "--triggers")
+	}
+	if mdb.HasPrivilege("EVENT") {
+		args = append(args, "--events")
+	}
+
 	args = append(args, "--compress")

 	if mdb.IsHttps {
 		args = append(args, "--ssl")
+		args = append(args, "--skip-ssl-verify-server-cert")
 	}

 	if mdb.Database != nil && *mdb.Database != "" {
@@ -140,7 +142,7 @@ func (uc *CreateMariadbBackupUsecase) streamToStorage(
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
 	mdbConfig *mariadbtypes.MariadbDatabase,
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info("Streaming MariaDB backup to storage", "mariadbBin", mariadbBin)

 	ctx, cancel := uc.createBackupContext(parentCtx)
@@ -196,7 +198,7 @@ func (uc *CreateMariadbBackupUsecase) streamToStorage(
 	if err != nil {
 		return nil, fmt.Errorf("failed to create zstd writer: %w", err)
 	}
-	countingWriter := usecases_common.NewCountingWriter(zstdWriter)
+	countingWriter := common.NewCountingWriter(zstdWriter)

 	saveErrCh := make(chan error, 1)
 	go func() {
@@ -264,11 +266,24 @@ func (uc *CreateMariadbBackupUsecase) createTempMyCnfFile(
 	mdbConfig *mariadbtypes.MariadbDatabase,
 	password string,
 ) (string, error) {
-	tempDir, err := os.MkdirTemp("", "mycnf")
+	tempFolder := config.GetEnv().TempFolder
+	if err := os.MkdirAll(tempFolder, 0700); err != nil {
+		return "", fmt.Errorf("failed to ensure temp folder exists: %w", err)
+	}
+	if err := os.Chmod(tempFolder, 0700); err != nil {
+		return "", fmt.Errorf("failed to set temp folder permissions: %w", err)
+	}
+
+	tempDir, err := os.MkdirTemp(tempFolder, "mycnf_"+uuid.New().String())
 	if err != nil {
 		return "", fmt.Errorf("failed to create temp directory: %w", err)
 	}

+	if err := os.Chmod(tempDir, 0700); err != nil {
+		_ = os.RemoveAll(tempDir)
+		return "", fmt.Errorf("failed to set temp directory permissions: %w", err)
+	}
+
 	myCnfFile := filepath.Join(tempDir, ".my.cnf")

 	content := fmt.Sprintf(`[client]
@@ -286,6 +301,7 @@ port=%d

 	err = os.WriteFile(myCnfFile, []byte(content), 0600)
 	if err != nil {
+		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to write .my.cnf: %w", err)
 	}

@@ -401,8 +417,8 @@ func (uc *CreateMariadbBackupUsecase) setupBackupEncryption(
 	backupID uuid.UUID,
 	backupConfig *backups_config.BackupConfig,
 	storageWriter io.WriteCloser,
-) (io.Writer, *backup_encryption.EncryptionWriter, usecases_common.BackupMetadata, error) {
-	metadata := usecases_common.BackupMetadata{}
+) (io.Writer, *backup_encryption.EncryptionWriter, common.BackupMetadata, error) {
+	metadata := common.BackupMetadata{}

 	if backupConfig.Encryption != backups_config.BackupEncryptionEncrypted {
 		metadata.Encryption = backups_config.BackupEncryptionNone
--- a/backend/internal/features/backups/backups/usecases/mongodb/create_backup_uc.go
+++ b/backend/internal/features/backups/backups/usecases/mongodb/create_backup_uc.go
@@ -15,8 +15,8 @@ import (
 	"github.com/google/uuid"

 	"databasus-backend/internal/config"
+	common "databasus-backend/internal/features/backups/backups/common"
 	backup_encryption "databasus-backend/internal/features/backups/backups/encryption"
-	usecases_common "databasus-backend/internal/features/backups/backups/usecases/common"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	mongodbtypes "databasus-backend/internal/features/databases/databases/mongodb"
@@ -51,17 +51,13 @@ func (uc *CreateMongodbBackupUsecase) Execute(
 	db *databases.Database,
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info(
 		"Creating MongoDB backup via mongodump",
 		"databaseId", db.ID,
 		"storageId", storage.ID,
 	)

-	if !backupConfig.IsBackupsEnabled {
-		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
-	}
-
 	mdb := db.Mongodb
 	if mdb == nil {
 		return nil, fmt.Errorf("mongodb database configuration is required")
@@ -124,7 +120,7 @@ func (uc *CreateMongodbBackupUsecase) streamToStorage(
 	args []string,
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info("Streaming MongoDB backup to storage", "mongodumpBin", mongodumpBin)

 	ctx, cancel := uc.createBackupContext(parentCtx)
@@ -175,7 +171,7 @@ func (uc *CreateMongodbBackupUsecase) streamToStorage(
 		return nil, err
 	}

-	countingWriter := usecases_common.NewCountingWriter(finalWriter)
+	countingWriter := common.NewCountingWriter(finalWriter)

 	saveErrCh := make(chan error, 1)
 	go func() {
@@ -264,8 +260,8 @@ func (uc *CreateMongodbBackupUsecase) setupBackupEncryption(
 	backupID uuid.UUID,
 	backupConfig *backups_config.BackupConfig,
 	storageWriter io.WriteCloser,
-) (io.Writer, *backup_encryption.EncryptionWriter, usecases_common.BackupMetadata, error) {
-	backupMetadata := usecases_common.BackupMetadata{
+) (io.Writer, *backup_encryption.EncryptionWriter, common.BackupMetadata, error) {
+	backupMetadata := common.BackupMetadata{
 		Encryption: backups_config.BackupEncryptionNone,
 	}

--- a/backend/internal/features/backups/backups/usecases/mysql/create_backup_uc.go
+++ b/backend/internal/features/backups/backups/usecases/mysql/create_backup_uc.go
@@ -18,8 +18,8 @@ import (
 	"github.com/klauspost/compress/zstd"

 	"databasus-backend/internal/config"
+	common "databasus-backend/internal/features/backups/backups/common"
 	backup_encryption "databasus-backend/internal/features/backups/backups/encryption"
-	usecases_common "databasus-backend/internal/features/backups/backups/usecases/common"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	mysqltypes "databasus-backend/internal/features/databases/databases/mysql"
@@ -57,17 +57,13 @@ func (uc *CreateMysqlBackupUsecase) Execute(
 	db *databases.Database,
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info(
 		"Creating MySQL backup via mysqldump",
 		"databaseId", db.ID,
 		"storageId", storage.ID,
 	)

-	if !backupConfig.IsBackupsEnabled {
-		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
-	}
-
 	my := db.Mysql
 	if my == nil {
 		return nil, fmt.Errorf("mysql database configuration is required")
@@ -109,13 +105,18 @@ func (uc *CreateMysqlBackupUsecase) buildMysqldumpArgs(my *mysqltypes.MysqlDatab
 		"--user=" + my.Username,
 		"--single-transaction",
 		"--routines",
-		"--triggers",
-		"--events",
 		"--set-gtid-purged=OFF",
 		"--quick",
 		"--verbose",
 	}

+	if my.HasPrivilege("TRIGGER") {
+		args = append(args, "--triggers")
+	}
+	if my.HasPrivilege("EVENT") {
+		args = append(args, "--events")
+	}
+
 	args = append(args, uc.getNetworkCompressionArgs(my.Version)...)

 	if my.IsHttps {
@@ -155,7 +156,7 @@ func (uc *CreateMysqlBackupUsecase) streamToStorage(
 	storage *storages.Storage,
 	backupProgressListener func(completedMBs float64),
 	myConfig *mysqltypes.MysqlDatabase,
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info("Streaming MySQL backup to storage", "mysqlBin", mysqlBin)

 	ctx, cancel := uc.createBackupContext(parentCtx)
@@ -211,7 +212,7 @@ func (uc *CreateMysqlBackupUsecase) streamToStorage(
 	if err != nil {
 		return nil, fmt.Errorf("failed to create zstd writer: %w", err)
 	}
-	countingWriter := usecases_common.NewCountingWriter(zstdWriter)
+	countingWriter := common.NewCountingWriter(zstdWriter)

 	saveErrCh := make(chan error, 1)
 	go func() {
@@ -279,11 +280,24 @@ func (uc *CreateMysqlBackupUsecase) createTempMyCnfFile(
 	myConfig *mysqltypes.MysqlDatabase,
 	password string,
 ) (string, error) {
-	tempDir, err := os.MkdirTemp("", "mycnf")
+	tempFolder := config.GetEnv().TempFolder
+	if err := os.MkdirAll(tempFolder, 0700); err != nil {
+		return "", fmt.Errorf("failed to ensure temp folder exists: %w", err)
+	}
+	if err := os.Chmod(tempFolder, 0700); err != nil {
+		return "", fmt.Errorf("failed to set temp folder permissions: %w", err)
+	}
+
+	tempDir, err := os.MkdirTemp(tempFolder, "mycnf_"+uuid.New().String())
 	if err != nil {
 		return "", fmt.Errorf("failed to create temp directory: %w", err)
 	}

+	if err := os.Chmod(tempDir, 0700); err != nil {
+		_ = os.RemoveAll(tempDir)
+		return "", fmt.Errorf("failed to set temp directory permissions: %w", err)
+	}
+
 	myCnfFile := filepath.Join(tempDir, ".my.cnf")

 	content := fmt.Sprintf(`[client]
@@ -299,6 +313,7 @@ port=%d

 	err = os.WriteFile(myCnfFile, []byte(content), 0600)
 	if err != nil {
+		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to write .my.cnf: %w", err)
 	}

@@ -414,8 +429,8 @@ func (uc *CreateMysqlBackupUsecase) setupBackupEncryption(
 	backupID uuid.UUID,
 	backupConfig *backups_config.BackupConfig,
 	storageWriter io.WriteCloser,
-) (io.Writer, *backup_encryption.EncryptionWriter, usecases_common.BackupMetadata, error) {
-	metadata := usecases_common.BackupMetadata{}
+) (io.Writer, *backup_encryption.EncryptionWriter, common.BackupMetadata, error) {
+	metadata := common.BackupMetadata{}

 	if backupConfig.Encryption != backups_config.BackupEncryptionEncrypted {
 		metadata.Encryption = backups_config.BackupEncryptionNone
--- a/backend/internal/features/backups/backups/usecases/postgresql/create_backup_uc.go
+++ b/backend/internal/features/backups/backups/usecases/postgresql/create_backup_uc.go
@@ -15,8 +15,8 @@ import (
 	"time"

 	"databasus-backend/internal/config"
+	common "databasus-backend/internal/features/backups/backups/common"
 	backup_encryption "databasus-backend/internal/features/backups/backups/encryption"
-	usecases_common "databasus-backend/internal/features/backups/backups/usecases/common"
 	backups_config "databasus-backend/internal/features/backups/config"
 	"databasus-backend/internal/features/databases"
 	pgtypes "databasus-backend/internal/features/databases/databases/postgresql"
@@ -60,7 +60,7 @@ func (uc *CreatePostgresqlBackupUsecase) Execute(
 	backupProgressListener func(
 		completedMBs float64,
 	),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info(
 		"Creating PostgreSQL backup via pg_dump custom format",
 		"databaseId",
@@ -69,10 +69,6 @@ func (uc *CreatePostgresqlBackupUsecase) Execute(
 		storage.ID,
 	)

-	if !backupConfig.IsBackupsEnabled {
-		return nil, fmt.Errorf("backups are not enabled for this database: \"%s\"", db.Name)
-	}
-
 	pg := db.Postgresql

 	if pg == nil {
@@ -119,7 +115,7 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 	storage *storages.Storage,
 	db *databases.Database,
 	backupProgressListener func(completedMBs float64),
-) (*usecases_common.BackupMetadata, error) {
+) (*common.BackupMetadata, error) {
 	uc.logger.Info("Streaming PostgreSQL backup to storage", "pgBin", pgBin, "args", args)

 	ctx, cancel := uc.createBackupContext(parentCtx)
@@ -139,7 +135,14 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 	cmd := exec.CommandContext(ctx, pgBin, args...)
 	uc.logger.Info("Executing PostgreSQL backup command", "command", cmd.String())

-	if err := uc.setupPgEnvironment(cmd, pgpassFile, db.Postgresql.IsHttps, password, db.Postgresql.CpuCount, pgBin); err != nil {
+	if err := uc.setupPgEnvironment(
+		cmd,
+		pgpassFile,
+		db.Postgresql.IsHttps,
+		password,
+		db.Postgresql.CpuCount,
+		pgBin,
+	); err != nil {
 		return nil, err
 	}

@@ -171,7 +174,7 @@ func (uc *CreatePostgresqlBackupUsecase) streamToStorage(
 		return nil, err
 	}

-	countingWriter := usecases_common.NewCountingWriter(finalWriter)
+	countingWriter := common.NewCountingWriter(finalWriter)

 	// The backup ID becomes the object key / filename in storage

@@ -335,11 +338,6 @@ func (uc *CreatePostgresqlBackupUsecase) buildPgDumpArgs(pg *pgtypes.PostgresqlD
 		"--verbose",
 	}

-	// Add parallel jobs based on CPU count
-	if pg.CpuCount > 1 {
-		args = append(args, "-j", strconv.Itoa(pg.CpuCount))
-	}
-
 	for _, schema := range pg.IncludeSchemas {
 		args = append(args, "-n", schema)
 	}
@@ -476,8 +474,8 @@ func (uc *CreatePostgresqlBackupUsecase) setupBackupEncryption(
 	backupID uuid.UUID,
 	backupConfig *backups_config.BackupConfig,
 	storageWriter io.WriteCloser,
-) (io.Writer, *backup_encryption.EncryptionWriter, usecases_common.BackupMetadata, error) {
-	metadata := usecases_common.BackupMetadata{}
+) (io.Writer, *backup_encryption.EncryptionWriter, common.BackupMetadata, error) {
+	metadata := common.BackupMetadata{}

 	if backupConfig.Encryption != backups_config.BackupEncryptionEncrypted {
 		metadata.Encryption = backups_config.BackupEncryptionNone
@@ -759,14 +757,28 @@ func (uc *CreatePostgresqlBackupUsecase) createTempPgpassFile(
 		escapedPassword,
 	)

-	tempDir, err := os.MkdirTemp("", "pgpass")
+	tempFolder := config.GetEnv().TempFolder
+	if err := os.MkdirAll(tempFolder, 0700); err != nil {
+		return "", fmt.Errorf("failed to ensure temp folder exists: %w", err)
+	}
+	if err := os.Chmod(tempFolder, 0700); err != nil {
+		return "", fmt.Errorf("failed to set temp folder permissions: %w", err)
+	}
+
+	tempDir, err := os.MkdirTemp(tempFolder, "pgpass_"+uuid.New().String())
 	if err != nil {
 		return "", fmt.Errorf("failed to create temporary directory: %w", err)
 	}

+	if err := os.Chmod(tempDir, 0700); err != nil {
+		_ = os.RemoveAll(tempDir)
+		return "", fmt.Errorf("failed to set temporary directory permissions: %w", err)
+	}
+
 	pgpassFile := filepath.Join(tempDir, ".pgpass")
 	err = os.WriteFile(pgpassFile, []byte(pgpassContent), 0600)
 	if err != nil {
+		_ = os.RemoveAll(tempDir)
 		return "", fmt.Errorf("failed to write temporary .pgpass file: %w", err)
 	}

--- a/backend/internal/features/backups/config/controller.go
+++ b/backend/internal/features/backups/config/controller.go
@@ -1,9 +1,11 @@
 package backups_config

 import (
-	users_middleware "databasus-backend/internal/features/users/middleware"
+	"errors"
 	"net/http"

+	users_middleware "databasus-backend/internal/features/users/middleware"
+
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 )
@@ -16,6 +18,8 @@ func (c *BackupConfigController) RegisterRoutes(router *gin.RouterGroup) {
 	router.POST("/backup-configs/save", c.SaveBackupConfig)
 	router.GET("/backup-configs/database/:id", c.GetBackupConfigByDbID)
 	router.GET("/backup-configs/storage/:id/is-using", c.IsStorageUsing)
+	router.GET("/backup-configs/storage/:id/databases-count", c.CountDatabasesForStorage)
+	router.POST("/backup-configs/database/:id/transfer", c.TransferDatabase)
 }

 // SaveBackupConfig
@@ -120,3 +124,86 @@ func (c *BackupConfigController) IsStorageUsing(ctx *gin.Context) {

 	ctx.JSON(http.StatusOK, gin.H{"isUsing": isUsing})
 }
+
+// CountDatabasesForStorage
+// @Summary Count databases using a storage
+// @Description Get the count of databases that are using a specific storage
+// @Tags backup-configs
+// @Produce json
+// @Param id path string true "Storage ID"
+// @Success 200 {object} map[string]int
+// @Failure 400
+// @Failure 401
+// @Failure 500
+// @Router /backup-configs/storage/{id}/databases-count [get]
+func (c *BackupConfigController) CountDatabasesForStorage(ctx *gin.Context) {
+	user, ok := users_middleware.GetUserFromContext(ctx)
+	if !ok {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "User not authenticated"})
+		return
+	}
+
+	id, err := uuid.Parse(ctx.Param("id"))
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid storage ID"})
+		return
+	}
+
+	count, err := c.backupConfigService.CountDatabasesForStorage(user, id)
+	if err != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, gin.H{"count": count})
+}
+
+// TransferDatabase
+// @Summary Transfer database to another workspace
+// @Description Transfer a database from one workspace to another. Can transfer to a new storage or transfer with the existing storage. Can also specify target notifiers from the target workspace.
+// @Tags backup-configs
+// @Accept json
+// @Produce json
+// @Param id path string true "Database ID"
+// @Param request body TransferDatabaseRequest true "Transfer request with targetWorkspaceId, storage options (targetStorageId or isTransferWithStorage), and optional targetNotifierIds"
+// @Success 200 {object} map[string]string "Database transferred successfully"
+// @Failure 400 {object} map[string]string "Invalid request, target storage/notifier not in target workspace, or transfer failed"
+// @Failure 401 {object} map[string]string "User not authenticated"
+// @Failure 403 {object} map[string]string "Insufficient permissions"
+// @Router /backup-configs/database/{id}/transfer [post]
+func (c *BackupConfigController) TransferDatabase(ctx *gin.Context) {
+	user, ok := users_middleware.GetUserFromContext(ctx)
+	if !ok {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "User not authenticated"})
+		return
+	}
+
+	id, err := uuid.Parse(ctx.Param("id"))
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid database ID"})
+		return
+	}
+
+	var request TransferDatabaseRequest
+	if err := ctx.ShouldBindJSON(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if request.TargetWorkspaceID == uuid.Nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "targetWorkspaceId is required"})
+		return
+	}
+
+	if err := c.backupConfigService.TransferDatabaseToWorkspace(user, id, &request); err != nil {
+		if errors.Is(err, ErrInsufficientPermissionsInSourceWorkspace) ||
+			errors.Is(err, ErrInsufficientPermissionsInTargetWorkspace) {
+			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
+			return
+		}
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, gin.H{"message": "database transferred successfully"})
+}
--- a/backend/internal/features/backups/config/controller_test.go
+++ b/backend/internal/features/backups/config/controller_test.go
--- a/backend/internal/features/backups/config/di.go
+++ b/backend/internal/features/backups/config/di.go
@@ -2,6 +2,7 @@ package backups_config

 import (
 	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/notifiers"
 	"databasus-backend/internal/features/storages"
 	workspaces_services "databasus-backend/internal/features/workspaces/services"
 )
@@ -11,6 +12,7 @@ var backupConfigService = &BackupConfigService{
 	backupConfigRepository,
 	databases.GetDatabaseService(),
 	storages.GetStorageService(),
+	notifiers.GetNotifierService(),
 	workspaces_services.GetWorkspaceService(),
 	nil,
 }
@@ -25,3 +27,7 @@ func GetBackupConfigController() *BackupConfigController {
 func GetBackupConfigService() *BackupConfigService {
 	return backupConfigService
 }
+
+func SetupDependencies() {
+	storages.GetStorageService().SetStorageDatabaseCounter(backupConfigService)
+}
--- a/backend/internal/features/backups/config/dto.go
+++ b/backend/internal/features/backups/config/dto.go
@@ -0,0 +1,11 @@
+package backups_config
+
+import "github.com/google/uuid"
+
+type TransferDatabaseRequest struct {
+	TargetWorkspaceID       uuid.UUID   `json:"targetWorkspaceId"                 binding:"required"`
+	TargetStorageID         *uuid.UUID  `json:"targetStorageId,omitempty"`
+	IsTransferWithStorage   bool        `json:"isTransferWithStorage,omitempty"`
+	IsTransferWithNotifiers bool        `json:"isTransferWithNotifiers,omitempty"`
+	TargetNotifierIDs       []uuid.UUID `json:"targetNotifierIds,omitempty"`
+}
--- a/backend/internal/features/backups/config/errors.go
+++ b/backend/internal/features/backups/config/errors.go
@@ -0,0 +1,30 @@
+package backups_config
+
+import "errors"
+
+var (
+	ErrInsufficientPermissionsInSourceWorkspace = errors.New(
+		"insufficient permissions to manage database in source workspace",
+	)
+	ErrInsufficientPermissionsInTargetWorkspace = errors.New(
+		"insufficient permissions to manage database in target workspace",
+	)
+	ErrTargetStorageNotInTargetWorkspace = errors.New(
+		"target storage does not belong to target workspace",
+	)
+	ErrTargetNotifierNotInTargetWorkspace = errors.New(
+		"target notifier does not belong to target workspace",
+	)
+	ErrStorageHasOtherAttachedDatabases = errors.New(
+		"storage has other attached databases and cannot be transferred with this database",
+	)
+	ErrDatabaseHasNoStorage = errors.New(
+		"database has no storage attached",
+	)
+	ErrDatabaseHasNoWorkspace = errors.New(
+		"database has no workspace",
+	)
+	ErrTargetStorageNotSpecified = errors.New(
+		"target storage is not specified",
+	)
+)
--- a/backend/internal/features/backups/config/notifiers_test.go
+++ b/backend/internal/features/backups/config/notifiers_test.go
@@ -0,0 +1,166 @@
+package backups_config
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/notifiers"
+	"databasus-backend/internal/features/storages"
+	users_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
+	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
+	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
+	test_utils "databasus-backend/internal/util/testing"
+)
+
+func Test_AttachNotifierFromSameWorkspace_SuccessfullyAttached(t *testing.T) {
+	router := createTestRouterWithNotifier()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+
+	database.Notifiers = []notifiers.Notifier{*notifier}
+
+	var response databases.Database
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/databases/update",
+		"Bearer "+owner.Token,
+		database,
+		http.StatusOK,
+		&response,
+	)
+
+	assert.Equal(t, database.ID, response.ID)
+	assert.Len(t, response.Notifiers, 1)
+	assert.Equal(t, notifier.ID, response.Notifiers[0].ID)
+}
+
+func Test_AttachNotifierFromDifferentWorkspace_ReturnsForbidden(t *testing.T) {
+	router := createTestRouterWithNotifier()
+
+	owner1 := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace1 := workspaces_testing.CreateTestWorkspace("Workspace 1", owner1, router)
+	database := createTestDatabaseViaAPI("Test Database", workspace1.ID, owner1.Token, router)
+
+	owner2 := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace2 := workspaces_testing.CreateTestWorkspace("Workspace 2", owner2, router)
+	notifier := notifiers.CreateTestNotifier(workspace2.ID)
+
+	database.Notifiers = []notifiers.Notifier{*notifier}
+
+	testResp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/databases/update",
+		"Bearer "+owner1.Token,
+		database,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(testResp.Body), "notifier does not belong to this workspace")
+}
+
+func Test_DeleteNotifierWithAttachedDatabases_CannotDelete(t *testing.T) {
+	router := createTestRouterWithNotifier()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+
+	database.Notifiers = []notifiers.Notifier{*notifier}
+
+	var response databases.Database
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/databases/update",
+		"Bearer "+owner.Token,
+		database,
+		http.StatusOK,
+		&response,
+	)
+
+	testResp := test_utils.MakeDeleteRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/notifiers/%s", notifier.ID.String()),
+		"Bearer "+owner.Token,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(
+		t,
+		string(testResp.Body),
+		"notifier has attached databases and cannot be deleted",
+	)
+}
+
+func Test_TransferNotifierWithAttachedDatabase_CannotTransfer(t *testing.T) {
+	router := createTestRouterWithNotifier()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	targetWorkspace := workspaces_testing.CreateTestWorkspace("Target Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	notifier := notifiers.CreateTestNotifier(workspace.ID)
+
+	database.Notifiers = []notifiers.Notifier{*notifier}
+
+	var response databases.Database
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/databases/update",
+		"Bearer "+owner.Token,
+		database,
+		http.StatusOK,
+		&response,
+	)
+
+	transferRequest := notifiers.TransferNotifierRequest{
+		TargetWorkspaceID: targetWorkspace.ID,
+	}
+
+	testResp := test_utils.MakePostRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/notifiers/%s/transfer", notifier.ID.String()),
+		"Bearer "+owner.Token,
+		transferRequest,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(
+		t,
+		string(testResp.Body),
+		"notifier has attached databases and cannot be transferred",
+	)
+}
+
+func createTestRouterWithNotifier() *gin.Engine {
+	router := workspaces_testing.CreateTestRouter(
+		workspaces_controllers.GetWorkspaceController(),
+		workspaces_controllers.GetMembershipController(),
+		databases.GetDatabaseController(),
+		GetBackupConfigController(),
+		storages.GetStorageController(),
+		notifiers.GetNotifierController(),
+	)
+
+	storages.SetupDependencies()
+	databases.SetupDependencies()
+	notifiers.SetupDependencies()
+	SetupDependencies()
+
+	return router
+}
--- a/backend/internal/features/backups/config/repository.go
+++ b/backend/internal/features/backups/config/repository.go
@@ -102,3 +102,19 @@ func (r *BackupConfigRepository) IsStorageUsing(storageID uuid.UUID) (bool, erro

 	return count > 0, nil
 }
+
+func (r *BackupConfigRepository) GetDatabasesIDsByStorageID(
+	storageID uuid.UUID,
+) ([]uuid.UUID, error) {
+	var databasesIDs []uuid.UUID
+
+	if err := storage.
+		GetDb().
+		Table("backup_configs").
+		Where("storage_id = ?", storageID).
+		Pluck("database_id", &databasesIDs).Error; err != nil {
+		return nil, err
+	}
+
+	return databasesIDs, nil
+}
--- a/backend/internal/features/backups/config/service.go
+++ b/backend/internal/features/backups/config/service.go
@@ -5,6 +5,7 @@ import (

 	"databasus-backend/internal/features/databases"
 	"databasus-backend/internal/features/intervals"
+	"databasus-backend/internal/features/notifiers"
 	"databasus-backend/internal/features/storages"
 	users_models "databasus-backend/internal/features/users/models"
 	workspaces_services "databasus-backend/internal/features/workspaces/services"
@@ -17,6 +18,7 @@ type BackupConfigService struct {
 	backupConfigRepository *BackupConfigRepository
 	databaseService        *databases.DatabaseService
 	storageService         *storages.StorageService
+	notifierService        *notifiers.NotifierService
 	workspaceService       *workspaces_services.WorkspaceService

 	dbStorageChangeListener BackupConfigStorageChangeListener
@@ -28,6 +30,17 @@ func (s *BackupConfigService) SetDatabaseStorageChangeListener(
 	s.dbStorageChangeListener = dbStorageChangeListener
 }

+func (s *BackupConfigService) GetStorageAttachedDatabasesIDs(
+	storageID uuid.UUID,
+) ([]uuid.UUID, error) {
+	databasesIDs, err := s.backupConfigRepository.GetDatabasesIDsByStorageID(storageID)
+	if err != nil {
+		return nil, err
+	}
+
+	return databasesIDs, nil
+}
+
 func (s *BackupConfigService) SaveBackupConfigWithAuth(
 	user *users_models.User,
 	backupConfig *BackupConfig,
@@ -53,6 +66,16 @@ func (s *BackupConfigService) SaveBackupConfigWithAuth(
 		return nil, errors.New("insufficient permissions to modify backup configuration")
 	}

+	if backupConfig.Storage != nil && backupConfig.Storage.ID != uuid.Nil {
+		storage, err := s.storageService.GetStorageByID(backupConfig.Storage.ID)
+		if err != nil {
+			return nil, err
+		}
+		if storage.WorkspaceID != *database.WorkspaceID {
+			return nil, errors.New("storage does not belong to the same workspace as the database")
+		}
+	}
+
 	return s.SaveBackupConfig(backupConfig)
 }

@@ -129,6 +152,23 @@ func (s *BackupConfigService) IsStorageUsing(
 	return s.backupConfigRepository.IsStorageUsing(storageID)
 }

+func (s *BackupConfigService) CountDatabasesForStorage(
+	user *users_models.User,
+	storageID uuid.UUID,
+) (int, error) {
+	_, err := s.storageService.GetStorage(user, storageID)
+	if err != nil {
+		return 0, err
+	}
+
+	databaseIDs, err := s.backupConfigRepository.GetDatabasesIDsByStorageID(storageID)
+	if err != nil {
+		return 0, err
+	}
+
+	return len(databaseIDs), nil
+}
+
 func (s *BackupConfigService) GetBackupConfigsWithEnabledBackups() ([]*BackupConfig, error) {
 	return s.backupConfigRepository.GetWithEnabledBackups()
 }
@@ -176,6 +216,157 @@ func (s *BackupConfigService) initializeDefaultConfig(
 	return err
 }

+func (s *BackupConfigService) TransferDatabaseToWorkspace(
+	user *users_models.User,
+	databaseID uuid.UUID,
+	request *TransferDatabaseRequest,
+) error {
+	database, err := s.databaseService.GetDatabaseByID(databaseID)
+	if err != nil {
+		return err
+	}
+
+	if database.WorkspaceID == nil {
+		return ErrDatabaseHasNoWorkspace
+	}
+
+	canManageSource, err := s.workspaceService.CanUserManageDBs(*database.WorkspaceID, user)
+	if err != nil {
+		return err
+	}
+	if !canManageSource {
+		return ErrInsufficientPermissionsInSourceWorkspace
+	}
+
+	canManageTarget, err := s.workspaceService.CanUserManageDBs(request.TargetWorkspaceID, user)
+	if err != nil {
+		return err
+	}
+	if !canManageTarget {
+		return ErrInsufficientPermissionsInTargetWorkspace
+	}
+
+	if err := s.validateTargetNotifiers(request); err != nil {
+		return err
+	}
+
+	backupConfig, err := s.GetBackupConfigByDbId(databaseID)
+	if err != nil {
+		return err
+	}
+
+	if request.IsTransferWithNotifiers {
+		s.transferNotifiers(user, database, request.TargetWorkspaceID)
+	}
+
+	if request.IsTransferWithStorage {
+		if backupConfig.StorageID == nil {
+			return ErrDatabaseHasNoStorage
+		}
+
+		attachedDatabasesIDs, err := s.GetStorageAttachedDatabasesIDs(*backupConfig.StorageID)
+		if err != nil {
+			return err
+		}
+
+		for _, dbID := range attachedDatabasesIDs {
+			if dbID != databaseID {
+				return ErrStorageHasOtherAttachedDatabases
+			}
+		}
+
+		err = s.storageService.TransferStorageToWorkspace(
+			user,
+			*backupConfig.StorageID,
+			request.TargetWorkspaceID,
+			&databaseID,
+		)
+		if err != nil {
+			return err
+		}
+	} else if request.TargetStorageID != nil {
+		targetStorage, err := s.storageService.GetStorageByID(*request.TargetStorageID)
+		if err != nil {
+			return err
+		}
+
+		if targetStorage.WorkspaceID != request.TargetWorkspaceID {
+			return ErrTargetStorageNotInTargetWorkspace
+		}
+
+		backupConfig.StorageID = request.TargetStorageID
+		backupConfig.Storage = targetStorage
+
+		_, err = s.backupConfigRepository.Save(backupConfig)
+		if err != nil {
+			return err
+		}
+	} else {
+		return ErrTargetStorageNotSpecified
+	}
+
+	err = s.databaseService.TransferDatabaseToWorkspace(databaseID, request.TargetWorkspaceID)
+	if err != nil {
+		return err
+	}
+
+	if len(request.TargetNotifierIDs) > 0 {
+		err = s.assignTargetNotifiers(databaseID, request.TargetNotifierIDs)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (s *BackupConfigService) transferNotifiers(
+	user *users_models.User,
+	database *databases.Database,
+	targetWorkspaceID uuid.UUID,
+) {
+	for _, notifier := range database.Notifiers {
+		_ = s.notifierService.TransferNotifierToWorkspace(
+			user,
+			notifier.ID,
+			targetWorkspaceID,
+			&database.ID,
+		)
+	}
+}
+
+func (s *BackupConfigService) validateTargetNotifiers(request *TransferDatabaseRequest) error {
+	for _, notifierID := range request.TargetNotifierIDs {
+		notifier, err := s.notifierService.GetNotifierByID(notifierID)
+		if err != nil {
+			return err
+		}
+
+		if notifier.WorkspaceID != request.TargetWorkspaceID {
+			return ErrTargetNotifierNotInTargetWorkspace
+		}
+	}
+	return nil
+}
+
+func (s *BackupConfigService) assignTargetNotifiers(
+	databaseID uuid.UUID,
+	notifierIDs []uuid.UUID,
+) error {
+	targetNotifiers := make([]notifiers.Notifier, 0, len(notifierIDs))
+
+	for _, notifierID := range notifierIDs {
+		notifier, err := s.notifierService.GetNotifierByID(notifierID)
+		if err != nil {
+			return err
+		}
+
+		targetNotifiers = append(targetNotifiers, *notifier)
+	}
+
+	return s.databaseService.UpdateDatabaseNotifiers(databaseID, targetNotifiers)
+}
+
 func storageIDsEqual(id1, id2 *uuid.UUID) bool {
 	if id1 == nil && id2 == nil {
 		return true
--- a/backend/internal/features/backups/config/storages_test.go
+++ b/backend/internal/features/backups/config/storages_test.go
@@ -0,0 +1,229 @@
+package backups_config
+
+import (
+	"fmt"
+	"net/http"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/assert"
+
+	"databasus-backend/internal/features/databases"
+	"databasus-backend/internal/features/intervals"
+	"databasus-backend/internal/features/storages"
+	users_enums "databasus-backend/internal/features/users/enums"
+	users_testing "databasus-backend/internal/features/users/testing"
+	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
+	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
+	"databasus-backend/internal/util/period"
+	test_utils "databasus-backend/internal/util/testing"
+)
+
+func Test_AttachStorageFromSameWorkspace_SuccessfullyAttached(t *testing.T) {
+	router := createTestRouterWithStorage()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	storage := createTestStorage(workspace.ID)
+
+	timeOfDay := "04:00"
+	request := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		Storage: storage,
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
+	}
+
+	var response BackupConfig
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusOK,
+		&response,
+	)
+
+	assert.Equal(t, database.ID, response.DatabaseID)
+	assert.NotNil(t, response.StorageID)
+	assert.Equal(t, storage.ID, *response.StorageID)
+}
+
+func Test_AttachStorageFromDifferentWorkspace_ReturnsForbidden(t *testing.T) {
+	router := createTestRouterWithStorage()
+
+	owner1 := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace1 := workspaces_testing.CreateTestWorkspace("Workspace 1", owner1, router)
+	database := createTestDatabaseViaAPI("Test Database", workspace1.ID, owner1.Token, router)
+
+	owner2 := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace2 := workspaces_testing.CreateTestWorkspace("Workspace 2", owner2, router)
+	storage := createTestStorage(workspace2.ID)
+
+	timeOfDay := "04:00"
+	request := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		Storage: storage,
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
+	}
+
+	testResp := test_utils.MakePostRequest(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner1.Token,
+		request,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(t, string(testResp.Body), "storage does not belong to the same workspace")
+}
+
+func Test_DeleteStorageWithAttachedDatabases_CannotDelete(t *testing.T) {
+	router := createTestRouterWithStorage()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	storage := createTestStorage(workspace.ID)
+
+	timeOfDay := "04:00"
+	request := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		Storage: storage,
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
+	}
+
+	var response BackupConfig
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusOK,
+		&response,
+	)
+
+	testResp := test_utils.MakeDeleteRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages/%s", storage.ID.String()),
+		"Bearer "+owner.Token,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(
+		t,
+		string(testResp.Body),
+		"storage has attached databases and cannot be deleted",
+	)
+}
+
+func Test_TransferStorageWithAttachedDatabase_CannotTransfer(t *testing.T) {
+	router := createTestRouterWithStorage()
+	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
+	targetWorkspace := workspaces_testing.CreateTestWorkspace("Target Workspace", owner, router)
+
+	database := createTestDatabaseViaAPI("Test Database", workspace.ID, owner.Token, router)
+	storage := createTestStorage(workspace.ID)
+
+	timeOfDay := "04:00"
+	request := BackupConfig{
+		DatabaseID:       database.ID,
+		IsBackupsEnabled: true,
+		StorePeriod:      period.PeriodWeek,
+		BackupInterval: &intervals.Interval{
+			Interval:  intervals.IntervalDaily,
+			TimeOfDay: &timeOfDay,
+		},
+		Storage: storage,
+		SendNotificationsOn: []BackupNotificationType{
+			NotificationBackupFailed,
+		},
+		IsRetryIfFailed:     true,
+		MaxFailedTriesCount: 3,
+		Encryption:          BackupEncryptionNone,
+	}
+
+	var response BackupConfig
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/backup-configs/save",
+		"Bearer "+owner.Token,
+		request,
+		http.StatusOK,
+		&response,
+	)
+
+	transferRequest := storages.TransferStorageRequest{
+		TargetWorkspaceID: targetWorkspace.ID,
+	}
+
+	testResp := test_utils.MakePostRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/storages/%s/transfer", storage.ID.String()),
+		"Bearer "+owner.Token,
+		transferRequest,
+		http.StatusBadRequest,
+	)
+
+	assert.Contains(
+		t,
+		string(testResp.Body),
+		"storage has attached databases and cannot be transferred",
+	)
+}
+
+func createTestRouterWithStorage() *gin.Engine {
+	router := workspaces_testing.CreateTestRouter(
+		workspaces_controllers.GetWorkspaceController(),
+		workspaces_controllers.GetMembershipController(),
+		databases.GetDatabaseController(),
+		GetBackupConfigController(),
+		storages.GetStorageController(),
+	)
+
+	storages.SetupDependencies()
+	databases.SetupDependencies()
+	SetupDependencies()
+
+	return router
+}
--- a/backend/internal/features/databases/controller.go
+++ b/backend/internal/features/databases/controller.go
@@ -26,6 +26,7 @@ func (c *DatabaseController) RegisterRoutes(router *gin.RouterGroup) {
 	router.POST("/databases/test-connection-direct", c.TestDatabaseConnectionDirect)
 	router.POST("/databases/:id/copy", c.CopyDatabase)
 	router.GET("/databases/notifier/:id/is-using", c.IsNotifierUsing)
+	router.GET("/databases/notifier/:id/databases-count", c.CountDatabasesByNotifier)
 	router.POST("/databases/is-readonly", c.IsUserReadOnly)
 	router.POST("/databases/create-readonly-user", c.CreateReadOnlyUser)
 }
@@ -299,6 +300,39 @@ func (c *DatabaseController) IsNotifierUsing(ctx *gin.Context) {
 	ctx.JSON(http.StatusOK, gin.H{"isUsing": isUsing})
 }

+// CountDatabasesByNotifier
+// @Summary Count databases using a notifier
+// @Description Get the count of databases that are using a specific notifier
+// @Tags databases
+// @Produce json
+// @Param id path string true "Notifier ID"
+// @Success 200 {object} map[string]int
+// @Failure 400
+// @Failure 401
+// @Failure 500
+// @Router /databases/notifier/{id}/databases-count [get]
+func (c *DatabaseController) CountDatabasesByNotifier(ctx *gin.Context) {
+	user, ok := users_middleware.GetUserFromContext(ctx)
+	if !ok {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "User not authenticated"})
+		return
+	}
+
+	id, err := uuid.Parse(ctx.Param("id"))
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid notifier ID"})
+		return
+	}
+
+	count, err := c.databaseService.CountDatabasesByNotifier(user, id)
+	if err != nil {
+		ctx.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, gin.H{"count": count})
+}
+
 // CopyDatabase
 // @Summary Copy a database
 // @Description Copy an existing database configuration
@@ -358,13 +392,13 @@ func (c *DatabaseController) IsUserReadOnly(ctx *gin.Context) {
 		return
 	}

-	isReadOnly, err := c.databaseService.IsUserReadOnly(user, &request)
+	isReadOnly, privileges, err := c.databaseService.IsUserReadOnly(user, &request)
 	if err != nil {
 		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}

-	ctx.JSON(http.StatusOK, IsReadOnlyResponse{IsReadOnly: isReadOnly})
+	ctx.JSON(http.StatusOK, IsReadOnlyResponse{IsReadOnly: isReadOnly, Privileges: privileges})
 }

 // CreateReadOnlyUser
--- a/backend/internal/features/databases/controller_test.go
+++ b/backend/internal/features/databases/controller_test.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strconv"
 	"strings"
 	"testing"

@@ -11,6 +12,7 @@ import (
 	"github.com/google/uuid"
 	"github.com/stretchr/testify/assert"

+	"databasus-backend/internal/config"
 	"databasus-backend/internal/features/databases/databases/mariadb"
 	"databasus-backend/internal/features/databases/databases/mongodb"
 	"databasus-backend/internal/features/databases/databases/postgresql"
@@ -32,6 +34,71 @@ func createTestRouter() *gin.Engine {
 	return router
 }

+func getTestPostgresConfig() *postgresql.PostgresqlDatabase {
+	env := config.GetEnv()
+	port, err := strconv.Atoi(env.TestPostgres16Port)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_POSTGRES_16_PORT: %v", err))
+	}
+
+	testDbName := "testdb"
+	return &postgresql.PostgresqlDatabase{
+		Version:  tools.PostgresqlVersion16,
+		Host:     "localhost",
+		Port:     port,
+		Username: "testuser",
+		Password: "testpassword",
+		Database: &testDbName,
+		CpuCount: 1,
+	}
+}
+
+func getTestMariadbConfig() *mariadb.MariadbDatabase {
+	env := config.GetEnv()
+	portStr := env.TestMariadb1011Port
+	if portStr == "" {
+		portStr = "33111"
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_MARIADB_1011_PORT: %v", err))
+	}
+
+	testDbName := "testdb"
+	return &mariadb.MariadbDatabase{
+		Version:  tools.MariadbVersion1011,
+		Host:     "localhost",
+		Port:     port,
+		Username: "testuser",
+		Password: "testpassword",
+		Database: &testDbName,
+	}
+}
+
+func getTestMongodbConfig() *mongodb.MongodbDatabase {
+	env := config.GetEnv()
+	portStr := env.TestMongodb70Port
+	if portStr == "" {
+		portStr = "27070"
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_MONGODB_70_PORT: %v", err))
+	}
+
+	return &mongodb.MongodbDatabase{
+		Version:      tools.MongodbVersion7,
+		Host:         "localhost",
+		Port:         port,
+		Username:     "root",
+		Password:     "rootpassword",
+		Database:     "testdb",
+		AuthDatabase: "admin",
+		IsHttps:      false,
+		CpuCount:     1,
+	}
+}
+
 func Test_CreateDatabase_PermissionsEnforced(t *testing.T) {
 	tests := []struct {
 		name               string
@@ -84,24 +151,21 @@ func Test_CreateDatabase_PermissionsEnforced(t *testing.T) {
 				testUserToken = owner.Token
 			} else if tt.workspaceRole != nil {
 				member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-				workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+				workspaces_testing.AddMemberToWorkspace(
+					workspace,
+					member,
+					*tt.workspaceRole,
+					owner.Token,
+					router,
+				)
 				testUserToken = member.Token
 			}

-			testDbName := "test_db"
 			request := Database{
 				Name:        "Test Database",
 				WorkspaceID: &workspace.ID,
 				Type:        DatabaseTypePostgres,
-				Postgresql: &postgresql.PostgresqlDatabase{
-					Version:  tools.PostgresqlVersion16,
-					Host:     "localhost",
-					Port:     5432,
-					Username: "postgres",
-					Password: "postgres",
-					Database: &testDbName,
-					CpuCount: 1,
-				},
+				Postgresql:  getTestPostgresConfig(),
 			}

 			var response Database
@@ -132,20 +196,11 @@ func Test_CreateDatabase_WhenUserIsNotWorkspaceMember_ReturnsForbidden(t *testin

 	nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)

-	testDbName := "test_db"
 	request := Database{
 		Name:        "Test Database",
 		WorkspaceID: &workspace.ID,
 		Type:        DatabaseTypePostgres,
-		Postgresql: &postgresql.PostgresqlDatabase{
-			Version:  tools.PostgresqlVersion16,
-			Host:     "localhost",
-			Port:     5432,
-			Username: "postgres",
-			Password: "postgres",
-			Database: &testDbName,
-			CpuCount: 1,
-		},
+		Postgresql:  getTestPostgresConfig(),
 	}

 	testResp := test_utils.MakePostRequest(
@@ -214,7 +269,13 @@ func Test_UpdateDatabase_PermissionsEnforced(t *testing.T) {
 				testUserToken = owner.Token
 			} else if tt.workspaceRole != nil {
 				member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-				workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+				workspaces_testing.AddMemberToWorkspace(
+					workspace,
+					member,
+					*tt.workspaceRole,
+					owner.Token,
+					router,
+				)
 				testUserToken = member.Token
 			}

@@ -316,7 +377,13 @@ func Test_DeleteDatabase_PermissionsEnforced(t *testing.T) {
 				testUserToken = owner.Token
 			} else if tt.workspaceRole != nil {
 				member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-				workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+				workspaces_testing.AddMemberToWorkspace(
+					workspace,
+					member,
+					*tt.workspaceRole,
+					owner.Token,
+					router,
+				)
 				testUserToken = member.Token
 			}

@@ -381,7 +448,13 @@ func Test_GetDatabase_PermissionsEnforced(t *testing.T) {
 				testUser = admin.Token
 			} else if tt.userRole != nil {
 				member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-				workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.userRole, owner.Token, router)
+				workspaces_testing.AddMemberToWorkspace(
+					workspace,
+					member,
+					*tt.userRole,
+					owner.Token,
+					router,
+				)
 				testUser = member.Token
 			} else {
 				nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
@@ -605,7 +678,13 @@ func Test_CopyDatabase_PermissionsEnforced(t *testing.T) {
 				testUserToken = owner.Token
 			} else if tt.workspaceRole != nil {
 				member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-				workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+				workspaces_testing.AddMemberToWorkspace(
+					workspace,
+					member,
+					*tt.workspaceRole,
+					owner.Token,
+					router,
+				)
 				testUserToken = member.Token
 			}

@@ -737,7 +816,13 @@ func createTestDatabaseViaAPI(
 	token string,
 	router *gin.Engine,
 ) *Database {
-	testDbName := "test_db"
+	env := config.GetEnv()
+	port, err := strconv.Atoi(env.TestPostgres16Port)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_POSTGRES_16_PORT: %v", err))
+	}
+
+	testDbName := "testdb"
 	request := Database{
 		Name:        name,
 		WorkspaceID: &workspaceID,
@@ -745,9 +830,9 @@ func createTestDatabaseViaAPI(
 		Postgresql: &postgresql.PostgresqlDatabase{
 			Version:  tools.PostgresqlVersion16,
 			Host:     "localhost",
-			Port:     5432,
-			Username: "postgres",
-			Password: "postgres",
+			Port:     port,
+			Username: "testuser",
+			Password: "testpassword",
 			Database: &testDbName,
 			CpuCount: 1,
 		},
@@ -780,21 +865,14 @@ func Test_CreateDatabase_PasswordIsEncryptedInDB(t *testing.T) {
 	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
 	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)

-	testDbName := "test_db"
-	plainPassword := "my-super-secret-password-123"
+	pgConfig := getTestPostgresConfig()
+	plainPassword := "testpassword"
+	pgConfig.Password = plainPassword
 	request := Database{
 		Name:        "Test Database",
 		WorkspaceID: &workspace.ID,
 		Type:        DatabaseTypePostgres,
-		Postgresql: &postgresql.PostgresqlDatabase{
-			Version:  tools.PostgresqlVersion16,
-			Host:     "localhost",
-			Port:     5432,
-			Username: "postgres",
-			Password: plainPassword,
-			Database: &testDbName,
-			CpuCount: 1,
-		},
+		Postgresql:  pgConfig,
 	}

 	var createdDatabase Database
@@ -854,38 +932,23 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 			name:         "PostgreSQL Database",
 			databaseType: DatabaseTypePostgres,
 			createDatabase: func(workspaceID uuid.UUID) *Database {
-				testDbName := "test_db"
+				pgConfig := getTestPostgresConfig()
 				return &Database{
 					WorkspaceID: &workspaceID,
 					Name:        "Test PostgreSQL Database",
 					Type:        DatabaseTypePostgres,
-					Postgresql: &postgresql.PostgresqlDatabase{
-						Version:  tools.PostgresqlVersion16,
-						Host:     "localhost",
-						Port:     5432,
-						Username: "postgres",
-						Password: "original-password-secret",
-						Database: &testDbName,
-						CpuCount: 1,
-					},
+					Postgresql:  pgConfig,
 				}
 			},
 			updateDatabase: func(workspaceID uuid.UUID, databaseID uuid.UUID) *Database {
-				testDbName := "updated_test_db"
+				pgConfig := getTestPostgresConfig()
+				pgConfig.Password = ""
 				return &Database{
 					ID:          databaseID,
 					WorkspaceID: &workspaceID,
 					Name:        "Updated PostgreSQL Database",
 					Type:        DatabaseTypePostgres,
-					Postgresql: &postgresql.PostgresqlDatabase{
-						Version:  tools.PostgresqlVersion17,
-						Host:     "updated-host",
-						Port:     5433,
-						Username: "updated_user",
-						Password: "",
-						Database: &testDbName,
-						CpuCount: 1,
-					},
+					Postgresql:  pgConfig,
 				}
 			},
 			verifySensitiveData: func(t *testing.T, database *Database) {
@@ -895,7 +958,7 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				encryptor := encryption.GetFieldEncryptor()
 				decrypted, err := encryptor.Decrypt(database.ID, database.Postgresql.Password)
 				assert.NoError(t, err)
-				assert.Equal(t, "original-password-secret", decrypted)
+				assert.Equal(t, "testpassword", decrypted)
 			},
 			verifyHiddenData: func(t *testing.T, database *Database) {
 				assert.Equal(t, "", database.Postgresql.Password)
@@ -905,36 +968,23 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 			name:         "MariaDB Database",
 			databaseType: DatabaseTypeMariadb,
 			createDatabase: func(workspaceID uuid.UUID) *Database {
-				testDbName := "test_db"
+				mariaConfig := getTestMariadbConfig()
 				return &Database{
 					WorkspaceID: &workspaceID,
 					Name:        "Test MariaDB Database",
 					Type:        DatabaseTypeMariadb,
-					Mariadb: &mariadb.MariadbDatabase{
-						Version:  tools.MariadbVersion1011,
-						Host:     "localhost",
-						Port:     3306,
-						Username: "root",
-						Password: "original-password-secret",
-						Database: &testDbName,
-					},
+					Mariadb:     mariaConfig,
 				}
 			},
 			updateDatabase: func(workspaceID uuid.UUID, databaseID uuid.UUID) *Database {
-				testDbName := "updated_test_db"
+				mariaConfig := getTestMariadbConfig()
+				mariaConfig.Password = ""
 				return &Database{
 					ID:          databaseID,
 					WorkspaceID: &workspaceID,
 					Name:        "Updated MariaDB Database",
 					Type:        DatabaseTypeMariadb,
-					Mariadb: &mariadb.MariadbDatabase{
-						Version:  tools.MariadbVersion114,
-						Host:     "updated-host",
-						Port:     3307,
-						Username: "updated_user",
-						Password: "",
-						Database: &testDbName,
-					},
+					Mariadb:     mariaConfig,
 				}
 			},
 			verifySensitiveData: func(t *testing.T, database *Database) {
@@ -944,7 +994,7 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				encryptor := encryption.GetFieldEncryptor()
 				decrypted, err := encryptor.Decrypt(database.ID, database.Mariadb.Password)
 				assert.NoError(t, err)
-				assert.Equal(t, "original-password-secret", decrypted)
+				assert.Equal(t, "testpassword", decrypted)
 			},
 			verifyHiddenData: func(t *testing.T, database *Database) {
 				assert.Equal(t, "", database.Mariadb.Password)
@@ -954,40 +1004,23 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 			name:         "MongoDB Database",
 			databaseType: DatabaseTypeMongodb,
 			createDatabase: func(workspaceID uuid.UUID) *Database {
+				mongoConfig := getTestMongodbConfig()
 				return &Database{
 					WorkspaceID: &workspaceID,
 					Name:        "Test MongoDB Database",
 					Type:        DatabaseTypeMongodb,
-					Mongodb: &mongodb.MongodbDatabase{
-						Version:      tools.MongodbVersion7,
-						Host:         "localhost",
-						Port:         27017,
-						Username:     "root",
-						Password:     "original-password-secret",
-						Database:     "test_db",
-						AuthDatabase: "admin",
-						IsHttps:      false,
-						CpuCount:     1,
-					},
+					Mongodb:     mongoConfig,
 				}
 			},
 			updateDatabase: func(workspaceID uuid.UUID, databaseID uuid.UUID) *Database {
+				mongoConfig := getTestMongodbConfig()
+				mongoConfig.Password = ""
 				return &Database{
 					ID:          databaseID,
 					WorkspaceID: &workspaceID,
 					Name:        "Updated MongoDB Database",
 					Type:        DatabaseTypeMongodb,
-					Mongodb: &mongodb.MongodbDatabase{
-						Version:      tools.MongodbVersion8,
-						Host:         "updated-host",
-						Port:         27018,
-						Username:     "updated_user",
-						Password:     "",
-						Database:     "updated_test_db",
-						AuthDatabase: "admin",
-						IsHttps:      false,
-						CpuCount:     1,
-					},
+					Mongodb:     mongoConfig,
 				}
 			},
 			verifySensitiveData: func(t *testing.T, database *Database) {
@@ -997,7 +1030,7 @@ func Test_DatabaseSensitiveDataLifecycle_AllTypes(t *testing.T) {
 				encryptor := encryption.GetFieldEncryptor()
 				decrypted, err := encryptor.Decrypt(database.ID, database.Mongodb.Password)
 				assert.NoError(t, err)
-				assert.Equal(t, "original-password-secret", decrypted)
+				assert.Equal(t, "rootpassword", decrypted)
 			},
 			verifyHiddenData: func(t *testing.T, database *Database) {
 				assert.Equal(t, "", database.Mongodb.Password)
--- a/backend/internal/features/databases/databases/mariadb/model.go
+++ b/backend/internal/features/databases/databases/mariadb/model.go
@@ -2,18 +2,20 @@ package mariadb

 import (
 	"context"
+	"crypto/tls"
 	"database/sql"
 	"errors"
 	"fmt"
 	"log/slog"
 	"regexp"
+	"sort"
 	"strings"
 	"time"

 	"databasus-backend/internal/util/encryption"
 	"databasus-backend/internal/util/tools"

-	_ "github.com/go-sql-driver/mysql"
+	"github.com/go-sql-driver/mysql"
 	"github.com/google/uuid"
 )

@@ -23,12 +25,13 @@ type MariadbDatabase struct {

 	Version tools.MariadbVersion `json:"version" gorm:"type:text;not null"`

-	Host     string  `json:"host"     gorm:"type:text;not null"`
-	Port     int     `json:"port"     gorm:"type:int;not null"`
-	Username string  `json:"username" gorm:"type:text;not null"`
-	Password string  `json:"password" gorm:"type:text;not null"`
-	Database *string `json:"database" gorm:"type:text"`
-	IsHttps  bool    `json:"isHttps"  gorm:"type:boolean;default:false"`
+	Host       string  `json:"host"       gorm:"type:text;not null"`
+	Port       int     `json:"port"       gorm:"type:int;not null"`
+	Username   string  `json:"username"   gorm:"type:text;not null"`
+	Password   string  `json:"password"   gorm:"type:text;not null"`
+	Database   *string `json:"database"   gorm:"type:text"`
+	IsHttps    bool    `json:"isHttps"    gorm:"type:boolean;default:false"`
+	Privileges string  `json:"privileges" gorm:"column:privileges;type:text;not null;default:''"`
 }

 func (m *MariadbDatabase) TableName() string {
@@ -94,6 +97,16 @@ func (m *MariadbDatabase) TestConnection(
 	}
 	m.Version = detectedVersion

+	privileges, err := detectPrivileges(ctx, db, *m.Database)
+	if err != nil {
+		return err
+	}
+	m.Privileges = privileges
+
+	if err := checkBackupPermissions(m.Privileges); err != nil {
+		return err
+	}
+
 	return nil
 }

@@ -111,6 +124,7 @@ func (m *MariadbDatabase) Update(incoming *MariadbDatabase) {
 	m.Username = incoming.Username
 	m.Database = incoming.Database
 	m.IsHttps = incoming.IsHttps
+	m.Privileges = incoming.Privileges

 	if incoming.Password != "" {
 		m.Password = incoming.Password
@@ -131,15 +145,48 @@ func (m *MariadbDatabase) EncryptSensitiveFields(
 	return nil
 }

-func (m *MariadbDatabase) PopulateVersionIfEmpty(
+func (m *MariadbDatabase) PopulateDbData(
 	logger *slog.Logger,
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
 ) error {
-	if m.Version != "" {
+	if m.Database == nil || *m.Database == "" {
 		return nil
 	}
-	return m.PopulateVersion(logger, encryptor, databaseID)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	dsn := m.buildDSN(password, *m.Database)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := db.Close(); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	detectedVersion, err := detectMariadbVersion(ctx, db)
+	if err != nil {
+		return err
+	}
+	m.Version = detectedVersion
+
+	privileges, err := detectPrivileges(ctx, db, *m.Database)
+	if err != nil {
+		return err
+	}
+	m.Privileges = privileges
+
+	return nil
 }

 func (m *MariadbDatabase) PopulateVersion(
@@ -175,8 +222,8 @@ func (m *MariadbDatabase) PopulateVersion(
 	if err != nil {
 		return err
 	}
-
 	m.Version = detectedVersion
+
 	return nil
 }

@@ -185,17 +232,17 @@ func (m *MariadbDatabase) IsUserReadOnly(
 	logger *slog.Logger,
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
-) (bool, error) {
+) (bool, []string, error) {
 	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
 	if err != nil {
-		return false, fmt.Errorf("failed to decrypt password: %w", err)
+		return false, nil, fmt.Errorf("failed to decrypt password: %w", err)
 	}

 	dsn := m.buildDSN(password, *m.Database)

 	db, err := sql.Open("mysql", dsn)
 	if err != nil {
-		return false, fmt.Errorf("failed to connect to database: %w", err)
+		return false, nil, fmt.Errorf("failed to connect to database: %w", err)
 	}
 	defer func() {
 		if closeErr := db.Close(); closeErr != nil {
@@ -205,33 +252,44 @@ func (m *MariadbDatabase) IsUserReadOnly(

 	rows, err := db.QueryContext(ctx, "SHOW GRANTS FOR CURRENT_USER()")
 	if err != nil {
-		return false, fmt.Errorf("failed to check grants: %w", err)
+		return false, nil, fmt.Errorf("failed to check grants: %w", err)
 	}
 	defer func() { _ = rows.Close() }()

 	writePrivileges := []string{
 		"INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER",
 		"INDEX", "GRANT OPTION", "ALL PRIVILEGES", "SUPER",
+		"EXECUTE", "FILE", "RELOAD", "SHUTDOWN", "CREATE ROUTINE",
+		"ALTER ROUTINE", "CREATE USER",
+		"CREATE TABLESPACE", "DELETE HISTORY", "REFERENCES",
 	}

+	detectedPrivileges := make(map[string]bool)
+
 	for rows.Next() {
 		var grant string
 		if err := rows.Scan(&grant); err != nil {
-			return false, fmt.Errorf("failed to scan grant: %w", err)
+			return false, nil, fmt.Errorf("failed to scan grant: %w", err)
 		}

 		for _, priv := range writePrivileges {
 			if regexp.MustCompile(`(?i)\b` + priv + `\b`).MatchString(grant) {
-				return false, nil
+				detectedPrivileges[priv] = true
 			}
 		}
 	}

 	if err := rows.Err(); err != nil {
-		return false, fmt.Errorf("error iterating grants: %w", err)
+		return false, nil, fmt.Errorf("error iterating grants: %w", err)
 	}

-	return true, nil
+	privileges := make([]string, 0, len(detectedPrivileges))
+	for priv := range detectedPrivileges {
+		privileges = append(privileges, priv)
+	}
+
+	isReadOnly := len(privileges) == 0
+	return isReadOnly, privileges, nil
 }

 func (m *MariadbDatabase) CreateReadOnlyUser(
@@ -261,7 +319,7 @@ func (m *MariadbDatabase) CreateReadOnlyUser(
 	for attempt := range maxRetries {
 		// MariaDB 5.5 has a 16-character username limit, use shorter prefix
 		newUsername := fmt.Sprintf("pgs-%s", uuid.New().String()[:8])
-		newPassword := uuid.New().String()
+		newPassword := encryption.GenerateComplexPassword()

 		tx, err := db.BeginTx(ctx, nil)
 		if err != nil {
@@ -326,10 +384,31 @@ func (m *MariadbDatabase) CreateReadOnlyUser(
 	return "", "", errors.New("failed to generate unique username after 3 attempts")
 }

+func (m *MariadbDatabase) HasPrivilege(priv string) bool {
+	return HasPrivilege(m.Privileges, priv)
+}
+
+func HasPrivilege(privileges, priv string) bool {
+	for _, p := range strings.Split(privileges, ",") {
+		if strings.TrimSpace(p) == priv {
+			return true
+		}
+	}
+	return false
+}
+
 func (m *MariadbDatabase) buildDSN(password string, database string) string {
 	tlsConfig := "false"
+
 	if m.IsHttps {
-		tlsConfig = "true"
+		err := mysql.RegisterTLSConfig("mariadb-skip-verify", &tls.Config{
+			InsecureSkipVerify: true,
+		})
+		if err != nil {
+			// Config might already be registered, which is fine
+			_ = err
+		}
+		tlsConfig = "mariadb-skip-verify"
 	}

 	return fmt.Sprintf(
@@ -420,6 +499,104 @@ func mapMariadb11xVersion(minor string) (tools.MariadbVersion, error) {
 	}
 }

+// detectPrivileges detects backup-related privileges and returns them as comma-separated string
+func detectPrivileges(ctx context.Context, db *sql.DB, database string) (string, error) {
+	rows, err := db.QueryContext(ctx, "SHOW GRANTS FOR CURRENT_USER()")
+	if err != nil {
+		return "", fmt.Errorf("failed to check grants: %w", err)
+	}
+	defer func() { _ = rows.Close() }()
+
+	backupPrivileges := []string{
+		"SELECT", "SHOW VIEW", "LOCK TABLES", "TRIGGER", "EVENT",
+	}
+
+	detectedPrivileges := make(map[string]bool)
+	hasProcess := false
+	hasAllPrivileges := false
+
+	dbPatternStr := fmt.Sprintf(
+		`(?i)ON\s+[\x60'"]?%s[\x60'"]?\s*\.\s*\*`,
+		regexp.QuoteMeta(database),
+	)
+	dbPattern := regexp.MustCompile(dbPatternStr)
+	globalPattern := regexp.MustCompile(`(?i)ON\s+\*\s*\.\s*\*`)
+	allPrivilegesPattern := regexp.MustCompile(`(?i)\bALL\s+PRIVILEGES\b`)
+
+	for rows.Next() {
+		var grant string
+		if err := rows.Scan(&grant); err != nil {
+			return "", fmt.Errorf("failed to scan grant: %w", err)
+		}
+
+		isRelevantGrant := globalPattern.MatchString(grant) || dbPattern.MatchString(grant)
+
+		if allPrivilegesPattern.MatchString(grant) && isRelevantGrant {
+			hasAllPrivileges = true
+		}
+
+		if isRelevantGrant {
+			for _, priv := range backupPrivileges {
+				privPattern := regexp.MustCompile(`(?i)\b` + regexp.QuoteMeta(priv) + `\b`)
+				if privPattern.MatchString(grant) {
+					detectedPrivileges[priv] = true
+				}
+			}
+		}
+
+		if globalPattern.MatchString(grant) {
+			processPattern := regexp.MustCompile(`(?i)\bPROCESS\b`)
+			if processPattern.MatchString(grant) {
+				hasProcess = true
+			}
+		}
+	}
+
+	if err := rows.Err(); err != nil {
+		return "", fmt.Errorf("error iterating grants: %w", err)
+	}
+
+	if hasAllPrivileges {
+		for _, priv := range backupPrivileges {
+			detectedPrivileges[priv] = true
+		}
+		hasProcess = true
+	}
+
+	privileges := make([]string, 0, len(detectedPrivileges)+1)
+	for priv := range detectedPrivileges {
+		privileges = append(privileges, priv)
+	}
+	if hasProcess {
+		privileges = append(privileges, "PROCESS")
+	}
+
+	sort.Strings(privileges)
+	return strings.Join(privileges, ","), nil
+}
+
+// checkBackupPermissions verifies the user has sufficient privileges for mariadb-dump backup.
+// Required: SELECT, SHOW VIEW
+func checkBackupPermissions(privileges string) error {
+	requiredPrivileges := []string{"SELECT", "SHOW VIEW"}
+
+	var missingPrivileges []string
+	for _, priv := range requiredPrivileges {
+		if !HasPrivilege(privileges, priv) {
+			missingPrivileges = append(missingPrivileges, priv)
+		}
+	}
+
+	if len(missingPrivileges) > 0 {
+		return fmt.Errorf(
+			"insufficient permissions for backup. Missing: %s. Required: SELECT, SHOW VIEW",
+			strings.Join(missingPrivileges, ", "),
+		)
+	}
+
+	return nil
+}
+
 func decryptPasswordIfNeeded(
 	password string,
 	encryptor encryption.FieldEncryptor,
--- a/backend/internal/features/databases/databases/mariadb/model_test.go
+++ b/backend/internal/features/databases/databases/mariadb/model_test.go
@@ -0,0 +1,757 @@
+package mariadb
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+	"os"
+	"strconv"
+	"strings"
+	"testing"
+
+	_ "github.com/go-sql-driver/mysql"
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+	"github.com/stretchr/testify/assert"
+
+	"databasus-backend/internal/config"
+	"databasus-backend/internal/util/tools"
+)
+
+func Test_TestConnection_InsufficientPermissions_ReturnsError(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MariadbVersion
+		port    string
+	}{
+		{"MariaDB 5.5", tools.MariadbVersion55, env.TestMariadb55Port},
+		{"MariaDB 10.1", tools.MariadbVersion101, env.TestMariadb101Port},
+		{"MariaDB 10.2", tools.MariadbVersion102, env.TestMariadb102Port},
+		{"MariaDB 10.3", tools.MariadbVersion103, env.TestMariadb103Port},
+		{"MariaDB 10.4", tools.MariadbVersion104, env.TestMariadb104Port},
+		{"MariaDB 10.5", tools.MariadbVersion105, env.TestMariadb105Port},
+		{"MariaDB 10.6", tools.MariadbVersion106, env.TestMariadb106Port},
+		{"MariaDB 10.11", tools.MariadbVersion1011, env.TestMariadb1011Port},
+		{"MariaDB 11.4", tools.MariadbVersion114, env.TestMariadb114Port},
+		{"MariaDB 11.8", tools.MariadbVersion118, env.TestMariadb118Port},
+		{"MariaDB 12.0", tools.MariadbVersion120, env.TestMariadb120Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMariadbContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`DROP TABLE IF EXISTS permission_test`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`CREATE TABLE permission_test (
+				id INT AUTO_INCREMENT PRIMARY KEY,
+				data VARCHAR(255) NOT NULL
+			)`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`INSERT INTO permission_test (data) VALUES ('test1')`)
+			assert.NoError(t, err)
+
+			limitedUsername := fmt.Sprintf("limited_%s", uuid.New().String()[:8])
+			limitedPassword := "limitedpassword123"
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+				limitedUsername,
+				limitedPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"GRANT SELECT ON `%s`.* TO '%s'@'%%'",
+				container.Database,
+				limitedUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec("FLUSH PRIVILEGES")
+			assert.NoError(t, err)
+
+			defer dropUserSafe(container.DB, limitedUsername)
+
+			mariadbModel := &MariadbDatabase{
+				Version:  tc.version,
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: limitedUsername,
+				Password: limitedPassword,
+				Database: &container.Database,
+				IsHttps:  false,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = mariadbModel.TestConnection(logger, nil, uuid.New())
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "insufficient permissions")
+		})
+	}
+}
+
+func Test_TestConnection_SufficientPermissions_Success(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MariadbVersion
+		port    string
+	}{
+		{"MariaDB 5.5", tools.MariadbVersion55, env.TestMariadb55Port},
+		{"MariaDB 10.1", tools.MariadbVersion101, env.TestMariadb101Port},
+		{"MariaDB 10.2", tools.MariadbVersion102, env.TestMariadb102Port},
+		{"MariaDB 10.3", tools.MariadbVersion103, env.TestMariadb103Port},
+		{"MariaDB 10.4", tools.MariadbVersion104, env.TestMariadb104Port},
+		{"MariaDB 10.5", tools.MariadbVersion105, env.TestMariadb105Port},
+		{"MariaDB 10.6", tools.MariadbVersion106, env.TestMariadb106Port},
+		{"MariaDB 10.11", tools.MariadbVersion1011, env.TestMariadb1011Port},
+		{"MariaDB 11.4", tools.MariadbVersion114, env.TestMariadb114Port},
+		{"MariaDB 11.8", tools.MariadbVersion118, env.TestMariadb118Port},
+		{"MariaDB 12.0", tools.MariadbVersion120, env.TestMariadb120Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMariadbContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`DROP TABLE IF EXISTS backup_test`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`CREATE TABLE backup_test (
+				id INT AUTO_INCREMENT PRIMARY KEY,
+				data VARCHAR(255) NOT NULL
+			)`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`INSERT INTO backup_test (data) VALUES ('test1')`)
+			assert.NoError(t, err)
+
+			backupUsername := fmt.Sprintf("backup_%s", uuid.New().String()[:8])
+			backupPassword := "backuppassword123"
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+				backupUsername,
+				backupPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"GRANT SELECT, SHOW VIEW, LOCK TABLES, TRIGGER, EVENT ON `%s`.* TO '%s'@'%%'",
+				container.Database,
+				backupUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"GRANT PROCESS ON *.* TO '%s'@'%%'",
+				backupUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec("FLUSH PRIVILEGES")
+			assert.NoError(t, err)
+
+			defer dropUserSafe(container.DB, backupUsername)
+
+			mariadbModel := &MariadbDatabase{
+				Version:  tc.version,
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: backupUsername,
+				Password: backupPassword,
+				Database: &container.Database,
+				IsHttps:  false,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = mariadbModel.TestConnection(logger, nil, uuid.New())
+			assert.NoError(t, err)
+		})
+	}
+}
+
+func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MariadbVersion
+		port    string
+	}{
+		{"MariaDB 5.5", tools.MariadbVersion55, env.TestMariadb55Port},
+		{"MariaDB 10.1", tools.MariadbVersion101, env.TestMariadb101Port},
+		{"MariaDB 10.2", tools.MariadbVersion102, env.TestMariadb102Port},
+		{"MariaDB 10.3", tools.MariadbVersion103, env.TestMariadb103Port},
+		{"MariaDB 10.4", tools.MariadbVersion104, env.TestMariadb104Port},
+		{"MariaDB 10.5", tools.MariadbVersion105, env.TestMariadb105Port},
+		{"MariaDB 10.6", tools.MariadbVersion106, env.TestMariadb106Port},
+		{"MariaDB 10.11", tools.MariadbVersion1011, env.TestMariadb1011Port},
+		{"MariaDB 11.4", tools.MariadbVersion114, env.TestMariadb114Port},
+		{"MariaDB 11.8", tools.MariadbVersion118, env.TestMariadb118Port},
+		{"MariaDB 12.0", tools.MariadbVersion120, env.TestMariadb120Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMariadbContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			mariadbModel := createMariadbModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			isReadOnly, privileges, err := mariadbModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.False(t, isReadOnly, "Root user should not be read-only")
+			assert.NotEmpty(t, privileges, "Root user should have privileges")
+		})
+	}
+}
+
+func Test_IsUserReadOnly_ReadOnlyUser_ReturnsTrue(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
+	defer container.DB.Close()
+
+	_, err := container.DB.Exec(`DROP TABLE IF EXISTS readonly_check_test`)
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(`CREATE TABLE readonly_check_test (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)`)
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(`INSERT INTO readonly_check_test (data) VALUES ('test1')`)
+	assert.NoError(t, err)
+
+	mariadbModel := createMariadbModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	readOnlyModel := &MariadbDatabase{
+		Version:  mariadbModel.Version,
+		Host:     mariadbModel.Host,
+		Port:     mariadbModel.Port,
+		Username: username,
+		Password: password,
+		Database: mariadbModel.Database,
+		IsHttps:  false,
+	}
+
+	isReadOnly, privileges, err := readOnlyModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+	assert.True(t, isReadOnly, "Read-only user should be read-only")
+	assert.Empty(t, privileges, "Read-only user should have no write privileges")
+
+	dropUserSafe(container.DB, username)
+}
+
+func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MariadbVersion
+		port    string
+	}{
+		{"MariaDB 5.5", tools.MariadbVersion55, env.TestMariadb55Port},
+		{"MariaDB 10.1", tools.MariadbVersion101, env.TestMariadb101Port},
+		{"MariaDB 10.2", tools.MariadbVersion102, env.TestMariadb102Port},
+		{"MariaDB 10.3", tools.MariadbVersion103, env.TestMariadb103Port},
+		{"MariaDB 10.4", tools.MariadbVersion104, env.TestMariadb104Port},
+		{"MariaDB 10.5", tools.MariadbVersion105, env.TestMariadb105Port},
+		{"MariaDB 10.6", tools.MariadbVersion106, env.TestMariadb106Port},
+		{"MariaDB 10.11", tools.MariadbVersion1011, env.TestMariadb1011Port},
+		{"MariaDB 11.4", tools.MariadbVersion114, env.TestMariadb114Port},
+		{"MariaDB 11.8", tools.MariadbVersion118, env.TestMariadb118Port},
+		{"MariaDB 12.0", tools.MariadbVersion120, env.TestMariadb120Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMariadbContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`DROP TABLE IF EXISTS readonly_test`)
+			assert.NoError(t, err)
+			_, err = container.DB.Exec(`DROP TABLE IF EXISTS hack_table`)
+			assert.NoError(t, err)
+			_, err = container.DB.Exec(`DROP TABLE IF EXISTS future_table`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`
+				CREATE TABLE readonly_test (
+					id INT AUTO_INCREMENT PRIMARY KEY,
+					data VARCHAR(255) NOT NULL
+				)
+			`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(
+				`INSERT INTO readonly_test (data) VALUES ('test1'), ('test2')`,
+			)
+			assert.NoError(t, err)
+
+			mariadbModel := createMariadbModel(container)
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+			ctx := context.Background()
+
+			username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+			assert.NoError(t, err)
+			assert.NotEmpty(t, username)
+			assert.NotEmpty(t, password)
+			assert.True(t, strings.HasPrefix(username, "pgs-"))
+
+			if err != nil {
+				return
+			}
+
+			readOnlyModel := &MariadbDatabase{
+				Version:  mariadbModel.Version,
+				Host:     mariadbModel.Host,
+				Port:     mariadbModel.Port,
+				Username: username,
+				Password: password,
+				Database: mariadbModel.Database,
+				IsHttps:  false,
+			}
+
+			isReadOnly, privileges, err := readOnlyModel.IsUserReadOnly(
+				ctx,
+				logger,
+				nil,
+				uuid.New(),
+			)
+			assert.NoError(t, err)
+			assert.True(t, isReadOnly, "Created user should be read-only")
+			assert.Empty(t, privileges, "Read-only user should have no write privileges")
+
+			readOnlyDSN := fmt.Sprintf(
+				"%s:%s@tcp(%s:%d)/%s?parseTime=true",
+				username,
+				password,
+				container.Host,
+				container.Port,
+				container.Database,
+			)
+			readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+			assert.NoError(t, err)
+			defer readOnlyConn.Close()
+
+			var count int
+			err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM readonly_test")
+			assert.NoError(t, err)
+			assert.Equal(t, 2, count)
+
+			_, err = readOnlyConn.Exec("INSERT INTO readonly_test (data) VALUES ('should-fail')")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			_, err = readOnlyConn.Exec("UPDATE readonly_test SET data = 'hacked' WHERE id = 1")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			_, err = readOnlyConn.Exec("DELETE FROM readonly_test WHERE id = 1")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			_, err = readOnlyConn.Exec("CREATE TABLE hack_table (id INT)")
+			assert.Error(t, err)
+			assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+			dropUserSafe(container.DB, username)
+		})
+	}
+}
+
+func Test_ReadOnlyUser_FutureTables_NoSelectPermission(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
+	defer container.DB.Close()
+
+	mariadbModel := createMariadbModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(`DROP TABLE IF EXISTS future_table`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`
+		CREATE TABLE future_table (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`INSERT INTO future_table (data) VALUES ('future_data')`)
+	assert.NoError(t, err)
+
+	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, container.Host, container.Port, container.Database)
+	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var data string
+	err = readOnlyConn.Get(&data, "SELECT data FROM future_table LIMIT 1")
+	assert.NoError(t, err)
+	assert.Equal(t, "future_data", data)
+
+	dropUserSafe(container.DB, username)
+}
+
+func Test_CreateReadOnlyUser_DatabaseNameWithDash_Success(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
+	defer container.DB.Close()
+
+	dashDbName := "test-db-with-dash"
+
+	_, err := container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", dashDbName))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf("CREATE DATABASE `%s`", dashDbName))
+	assert.NoError(t, err)
+
+	defer func() {
+		_, _ = container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", dashDbName))
+	}()
+
+	dashDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		container.Username, container.Password, container.Host, container.Port, dashDbName)
+	dashDB, err := sqlx.Connect("mysql", dashDSN)
+	assert.NoError(t, err)
+	defer dashDB.Close()
+
+	_, err = dashDB.Exec(`
+		CREATE TABLE dash_test (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+
+	_, err = dashDB.Exec(`INSERT INTO dash_test (data) VALUES ('test1'), ('test2')`)
+	assert.NoError(t, err)
+
+	mariadbModel := &MariadbDatabase{
+		Version:  tools.MariadbVersion1011,
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: container.Username,
+		Password: container.Password,
+		Database: &dashDbName,
+		IsHttps:  false,
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+	assert.NotEmpty(t, username)
+	assert.NotEmpty(t, password)
+	assert.True(t, strings.HasPrefix(username, "pgs-"))
+
+	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, container.Host, container.Port, dashDbName)
+	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	var count int
+	err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM dash_test")
+	assert.NoError(t, err)
+	assert.Equal(t, 2, count)
+
+	_, err = readOnlyConn.Exec("INSERT INTO dash_test (data) VALUES ('should-fail')")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	dropUserSafe(dashDB, username)
+}
+
+func Test_ReadOnlyUser_CannotDropOrAlterTables(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
+	defer container.DB.Close()
+
+	_, err := container.DB.Exec(`DROP TABLE IF EXISTS drop_test`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`
+		CREATE TABLE drop_test (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+	_, err = container.DB.Exec(`INSERT INTO drop_test (data) VALUES ('test1')`)
+	assert.NoError(t, err)
+
+	mariadbModel := createMariadbModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, container.Host, container.Port, container.Database)
+	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
+	assert.NoError(t, err)
+	defer readOnlyConn.Close()
+
+	_, err = readOnlyConn.Exec("DROP TABLE drop_test")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	_, err = readOnlyConn.Exec("ALTER TABLE drop_test ADD COLUMN new_col VARCHAR(100)")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	_, err = readOnlyConn.Exec("TRUNCATE TABLE drop_test")
+	assert.Error(t, err)
+	assert.Contains(t, strings.ToLower(err.Error()), "denied")
+
+	dropUserSafe(container.DB, username)
+}
+
+func Test_TestConnection_DatabaseSpecificPrivilegesWithGlobalProcess_Success(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MariadbVersion
+		port    string
+	}{
+		{"MariaDB 5.5", tools.MariadbVersion55, env.TestMariadb55Port},
+		{"MariaDB 10.1", tools.MariadbVersion101, env.TestMariadb101Port},
+		{"MariaDB 10.2", tools.MariadbVersion102, env.TestMariadb102Port},
+		{"MariaDB 10.3", tools.MariadbVersion103, env.TestMariadb103Port},
+		{"MariaDB 10.4", tools.MariadbVersion104, env.TestMariadb104Port},
+		{"MariaDB 10.5", tools.MariadbVersion105, env.TestMariadb105Port},
+		{"MariaDB 10.6", tools.MariadbVersion106, env.TestMariadb106Port},
+		{"MariaDB 10.11", tools.MariadbVersion1011, env.TestMariadb1011Port},
+		{"MariaDB 11.4", tools.MariadbVersion114, env.TestMariadb114Port},
+		{"MariaDB 11.8", tools.MariadbVersion118, env.TestMariadb118Port},
+		{"MariaDB 12.0", tools.MariadbVersion120, env.TestMariadb120Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMariadbContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`DROP TABLE IF EXISTS privilege_test`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`CREATE TABLE privilege_test (
+				id INT AUTO_INCREMENT PRIMARY KEY,
+				data VARCHAR(255) NOT NULL
+			)`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`INSERT INTO privilege_test (data) VALUES ('test1')`)
+			assert.NoError(t, err)
+
+			specificUsername := fmt.Sprintf("spec_%s", uuid.New().String()[:8])
+			specificPassword := "specificpass123"
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+				specificUsername,
+				specificPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"GRANT SELECT, SHOW VIEW ON %s.* TO '%s'@'%%'",
+				container.Database,
+				specificUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"GRANT PROCESS ON *.* TO '%s'@'%%'",
+				specificUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec("FLUSH PRIVILEGES")
+			assert.NoError(t, err)
+
+			defer dropUserSafe(container.DB, specificUsername)
+
+			mariadbModel := &MariadbDatabase{
+				Version:  tc.version,
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: specificUsername,
+				Password: specificPassword,
+				Database: &container.Database,
+				IsHttps:  false,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = mariadbModel.TestConnection(logger, nil, uuid.New())
+			assert.NoError(t, err)
+		})
+	}
+}
+
+func Test_TestConnection_DatabaseWithUnderscores_Success(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
+	defer container.DB.Close()
+
+	underscoreDbName := "test_db_name"
+
+	_, err := container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", underscoreDbName))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf("CREATE DATABASE `%s`", underscoreDbName))
+	assert.NoError(t, err)
+
+	defer func() {
+		_, _ = container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", underscoreDbName))
+	}()
+
+	underscoreDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		container.Username, container.Password, container.Host, container.Port, underscoreDbName)
+	underscoreDB, err := sqlx.Connect("mysql", underscoreDSN)
+	assert.NoError(t, err)
+	defer underscoreDB.Close()
+
+	_, err = underscoreDB.Exec(`
+		CREATE TABLE underscore_test (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+
+	_, err = underscoreDB.Exec(`INSERT INTO underscore_test (data) VALUES ('test1')`)
+	assert.NoError(t, err)
+
+	underscoreUsername := fmt.Sprintf("under%s", uuid.New().String()[:8])
+	underscorePassword := "underscorepass123"
+
+	_, err = underscoreDB.Exec(fmt.Sprintf(
+		"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+		underscoreUsername,
+		underscorePassword,
+	))
+	assert.NoError(t, err)
+
+	_, err = underscoreDB.Exec(fmt.Sprintf(
+		"GRANT SELECT, SHOW VIEW ON `%s`.* TO '%s'@'%%'",
+		underscoreDbName,
+		underscoreUsername,
+	))
+	assert.NoError(t, err)
+
+	_, err = underscoreDB.Exec("FLUSH PRIVILEGES")
+	assert.NoError(t, err)
+
+	defer dropUserSafe(underscoreDB, underscoreUsername)
+
+	mariadbModel := &MariadbDatabase{
+		Version:  tools.MariadbVersion1011,
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: underscoreUsername,
+		Password: underscorePassword,
+		Database: &underscoreDbName,
+		IsHttps:  false,
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+	err = mariadbModel.TestConnection(logger, nil, uuid.New())
+	assert.NoError(t, err)
+}
+
+type MariadbContainer struct {
+	Host     string
+	Port     int
+	Username string
+	Password string
+	Database string
+	Version  tools.MariadbVersion
+	DB       *sqlx.DB
+}
+
+func connectToMariadbContainer(
+	t *testing.T,
+	port string,
+	version tools.MariadbVersion,
+) *MariadbContainer {
+	if port == "" {
+		t.Skipf("MariaDB port not configured for version %s", version)
+	}
+
+	dbName := "testdb"
+	host := "127.0.0.1"
+	username := "root"
+	password := "rootpassword"
+
+	portInt, err := strconv.Atoi(port)
+	assert.NoError(t, err)
+
+	dsn := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		username, password, host, portInt, dbName)
+
+	db, err := sqlx.Connect("mysql", dsn)
+	if err != nil {
+		t.Skipf("Failed to connect to MariaDB %s: %v", version, err)
+	}
+
+	return &MariadbContainer{
+		Host:     host,
+		Port:     portInt,
+		Username: username,
+		Password: password,
+		Database: dbName,
+		Version:  version,
+		DB:       db,
+	}
+}
+
+func createMariadbModel(container *MariadbContainer) *MariadbDatabase {
+	return &MariadbDatabase{
+		Version:  container.Version,
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: container.Username,
+		Password: container.Password,
+		Database: &container.Database,
+		IsHttps:  false,
+	}
+}
+
+func dropUserSafe(db *sqlx.DB, username string) {
+	_, _ = db.Exec(fmt.Sprintf("DROP USER '%s'@'%%'", username))
+}
--- a/backend/internal/features/databases/databases/mariadb/readonly_user_test.go
+++ b/backend/internal/features/databases/databases/mariadb/readonly_user_test.go
@@ -1,387 +0,0 @@
-package mariadb
-
-import (
-	"context"
-	"fmt"
-	"log/slog"
-	"os"
-	"strconv"
-	"strings"
-	"testing"
-
-	_ "github.com/go-sql-driver/mysql"
-	"github.com/google/uuid"
-	"github.com/jmoiron/sqlx"
-	"github.com/stretchr/testify/assert"
-
-	"databasus-backend/internal/config"
-	"databasus-backend/internal/util/tools"
-)
-
-func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
-	env := config.GetEnv()
-	cases := []struct {
-		name    string
-		version tools.MariadbVersion
-		port    string
-	}{
-		{"MariaDB 5.5", tools.MariadbVersion55, env.TestMariadb55Port},
-		{"MariaDB 10.1", tools.MariadbVersion101, env.TestMariadb101Port},
-		{"MariaDB 10.2", tools.MariadbVersion102, env.TestMariadb102Port},
-		{"MariaDB 10.3", tools.MariadbVersion103, env.TestMariadb103Port},
-		{"MariaDB 10.4", tools.MariadbVersion104, env.TestMariadb104Port},
-		{"MariaDB 10.5", tools.MariadbVersion105, env.TestMariadb105Port},
-		{"MariaDB 10.6", tools.MariadbVersion106, env.TestMariadb106Port},
-		{"MariaDB 10.11", tools.MariadbVersion1011, env.TestMariadb1011Port},
-		{"MariaDB 11.4", tools.MariadbVersion114, env.TestMariadb114Port},
-		{"MariaDB 11.8", tools.MariadbVersion118, env.TestMariadb118Port},
-		{"MariaDB 12.0", tools.MariadbVersion120, env.TestMariadb120Port},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			container := connectToMariadbContainer(t, tc.port, tc.version)
-			defer container.DB.Close()
-
-			mariadbModel := createMariadbModel(container)
-			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
-			ctx := context.Background()
-
-			isReadOnly, err := mariadbModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
-			assert.NoError(t, err)
-			assert.False(t, isReadOnly, "Root user should not be read-only")
-		})
-	}
-}
-
-func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
-	env := config.GetEnv()
-	cases := []struct {
-		name    string
-		version tools.MariadbVersion
-		port    string
-	}{
-		{"MariaDB 5.5", tools.MariadbVersion55, env.TestMariadb55Port},
-		{"MariaDB 10.1", tools.MariadbVersion101, env.TestMariadb101Port},
-		{"MariaDB 10.2", tools.MariadbVersion102, env.TestMariadb102Port},
-		{"MariaDB 10.3", tools.MariadbVersion103, env.TestMariadb103Port},
-		{"MariaDB 10.4", tools.MariadbVersion104, env.TestMariadb104Port},
-		{"MariaDB 10.5", tools.MariadbVersion105, env.TestMariadb105Port},
-		{"MariaDB 10.6", tools.MariadbVersion106, env.TestMariadb106Port},
-		{"MariaDB 10.11", tools.MariadbVersion1011, env.TestMariadb1011Port},
-		{"MariaDB 11.4", tools.MariadbVersion114, env.TestMariadb114Port},
-		{"MariaDB 11.8", tools.MariadbVersion118, env.TestMariadb118Port},
-		{"MariaDB 12.0", tools.MariadbVersion120, env.TestMariadb120Port},
-	}
-
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-
-			container := connectToMariadbContainer(t, tc.port, tc.version)
-			defer container.DB.Close()
-
-			_, err := container.DB.Exec(`DROP TABLE IF EXISTS readonly_test`)
-			assert.NoError(t, err)
-			_, err = container.DB.Exec(`DROP TABLE IF EXISTS hack_table`)
-			assert.NoError(t, err)
-			_, err = container.DB.Exec(`DROP TABLE IF EXISTS future_table`)
-			assert.NoError(t, err)
-
-			_, err = container.DB.Exec(`
-				CREATE TABLE readonly_test (
-					id INT AUTO_INCREMENT PRIMARY KEY,
-					data VARCHAR(255) NOT NULL
-				)
-			`)
-			assert.NoError(t, err)
-
-			_, err = container.DB.Exec(
-				`INSERT INTO readonly_test (data) VALUES ('test1'), ('test2')`,
-			)
-			assert.NoError(t, err)
-
-			mariadbModel := createMariadbModel(container)
-			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
-			ctx := context.Background()
-
-			username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
-			assert.NoError(t, err)
-			assert.NotEmpty(t, username)
-			assert.NotEmpty(t, password)
-			assert.True(t, strings.HasPrefix(username, "pgs-"))
-
-			if err != nil {
-				return
-			}
-
-			readOnlyModel := &MariadbDatabase{
-				Version:  mariadbModel.Version,
-				Host:     mariadbModel.Host,
-				Port:     mariadbModel.Port,
-				Username: username,
-				Password: password,
-				Database: mariadbModel.Database,
-				IsHttps:  false,
-			}
-
-			isReadOnly, err := readOnlyModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
-			assert.NoError(t, err)
-			assert.True(t, isReadOnly, "Created user should be read-only")
-
-			readOnlyDSN := fmt.Sprintf(
-				"%s:%s@tcp(%s:%d)/%s?parseTime=true",
-				username,
-				password,
-				container.Host,
-				container.Port,
-				container.Database,
-			)
-			readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
-			assert.NoError(t, err)
-			defer readOnlyConn.Close()
-
-			var count int
-			err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM readonly_test")
-			assert.NoError(t, err)
-			assert.Equal(t, 2, count)
-
-			_, err = readOnlyConn.Exec("INSERT INTO readonly_test (data) VALUES ('should-fail')")
-			assert.Error(t, err)
-			assert.Contains(t, strings.ToLower(err.Error()), "denied")
-
-			_, err = readOnlyConn.Exec("UPDATE readonly_test SET data = 'hacked' WHERE id = 1")
-			assert.Error(t, err)
-			assert.Contains(t, strings.ToLower(err.Error()), "denied")
-
-			_, err = readOnlyConn.Exec("DELETE FROM readonly_test WHERE id = 1")
-			assert.Error(t, err)
-			assert.Contains(t, strings.ToLower(err.Error()), "denied")
-
-			_, err = readOnlyConn.Exec("CREATE TABLE hack_table (id INT)")
-			assert.Error(t, err)
-			assert.Contains(t, strings.ToLower(err.Error()), "denied")
-
-			dropUserSafe(container.DB, username)
-		})
-	}
-}
-
-func Test_ReadOnlyUser_FutureTables_NoSelectPermission(t *testing.T) {
-	env := config.GetEnv()
-	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
-	defer container.DB.Close()
-
-	mariadbModel := createMariadbModel(container)
-	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
-	ctx := context.Background()
-
-	username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
-	assert.NoError(t, err)
-
-	_, err = container.DB.Exec(`DROP TABLE IF EXISTS future_table`)
-	assert.NoError(t, err)
-	_, err = container.DB.Exec(`
-		CREATE TABLE future_table (
-			id INT AUTO_INCREMENT PRIMARY KEY,
-			data VARCHAR(255) NOT NULL
-		)
-	`)
-	assert.NoError(t, err)
-	_, err = container.DB.Exec(`INSERT INTO future_table (data) VALUES ('future_data')`)
-	assert.NoError(t, err)
-
-	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
-		username, password, container.Host, container.Port, container.Database)
-	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
-	assert.NoError(t, err)
-	defer readOnlyConn.Close()
-
-	var data string
-	err = readOnlyConn.Get(&data, "SELECT data FROM future_table LIMIT 1")
-	assert.NoError(t, err)
-	assert.Equal(t, "future_data", data)
-
-	dropUserSafe(container.DB, username)
-}
-
-func Test_CreateReadOnlyUser_DatabaseNameWithDash_Success(t *testing.T) {
-	env := config.GetEnv()
-	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
-	defer container.DB.Close()
-
-	dashDbName := "test-db-with-dash"
-
-	_, err := container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", dashDbName))
-	assert.NoError(t, err)
-
-	_, err = container.DB.Exec(fmt.Sprintf("CREATE DATABASE `%s`", dashDbName))
-	assert.NoError(t, err)
-
-	defer func() {
-		_, _ = container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", dashDbName))
-	}()
-
-	dashDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
-		container.Username, container.Password, container.Host, container.Port, dashDbName)
-	dashDB, err := sqlx.Connect("mysql", dashDSN)
-	assert.NoError(t, err)
-	defer dashDB.Close()
-
-	_, err = dashDB.Exec(`
-		CREATE TABLE dash_test (
-			id INT AUTO_INCREMENT PRIMARY KEY,
-			data VARCHAR(255) NOT NULL
-		)
-	`)
-	assert.NoError(t, err)
-
-	_, err = dashDB.Exec(`INSERT INTO dash_test (data) VALUES ('test1'), ('test2')`)
-	assert.NoError(t, err)
-
-	mariadbModel := &MariadbDatabase{
-		Version:  tools.MariadbVersion1011,
-		Host:     container.Host,
-		Port:     container.Port,
-		Username: container.Username,
-		Password: container.Password,
-		Database: &dashDbName,
-		IsHttps:  false,
-	}
-
-	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
-	ctx := context.Background()
-
-	username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
-	assert.NoError(t, err)
-	assert.NotEmpty(t, username)
-	assert.NotEmpty(t, password)
-	assert.True(t, strings.HasPrefix(username, "pgs-"))
-
-	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
-		username, password, container.Host, container.Port, dashDbName)
-	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
-	assert.NoError(t, err)
-	defer readOnlyConn.Close()
-
-	var count int
-	err = readOnlyConn.Get(&count, "SELECT COUNT(*) FROM dash_test")
-	assert.NoError(t, err)
-	assert.Equal(t, 2, count)
-
-	_, err = readOnlyConn.Exec("INSERT INTO dash_test (data) VALUES ('should-fail')")
-	assert.Error(t, err)
-	assert.Contains(t, strings.ToLower(err.Error()), "denied")
-
-	dropUserSafe(dashDB, username)
-}
-
-func Test_ReadOnlyUser_CannotDropOrAlterTables(t *testing.T) {
-	env := config.GetEnv()
-	container := connectToMariadbContainer(t, env.TestMariadb1011Port, tools.MariadbVersion1011)
-	defer container.DB.Close()
-
-	_, err := container.DB.Exec(`DROP TABLE IF EXISTS drop_test`)
-	assert.NoError(t, err)
-	_, err = container.DB.Exec(`
-		CREATE TABLE drop_test (
-			id INT AUTO_INCREMENT PRIMARY KEY,
-			data VARCHAR(255) NOT NULL
-		)
-	`)
-	assert.NoError(t, err)
-	_, err = container.DB.Exec(`INSERT INTO drop_test (data) VALUES ('test1')`)
-	assert.NoError(t, err)
-
-	mariadbModel := createMariadbModel(container)
-	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
-	ctx := context.Background()
-
-	username, password, err := mariadbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
-	assert.NoError(t, err)
-
-	readOnlyDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
-		username, password, container.Host, container.Port, container.Database)
-	readOnlyConn, err := sqlx.Connect("mysql", readOnlyDSN)
-	assert.NoError(t, err)
-	defer readOnlyConn.Close()
-
-	_, err = readOnlyConn.Exec("DROP TABLE drop_test")
-	assert.Error(t, err)
-	assert.Contains(t, strings.ToLower(err.Error()), "denied")
-
-	_, err = readOnlyConn.Exec("ALTER TABLE drop_test ADD COLUMN new_col VARCHAR(100)")
-	assert.Error(t, err)
-	assert.Contains(t, strings.ToLower(err.Error()), "denied")
-
-	_, err = readOnlyConn.Exec("TRUNCATE TABLE drop_test")
-	assert.Error(t, err)
-	assert.Contains(t, strings.ToLower(err.Error()), "denied")
-
-	dropUserSafe(container.DB, username)
-}
-
-type MariadbContainer struct {
-	Host     string
-	Port     int
-	Username string
-	Password string
-	Database string
-	Version  tools.MariadbVersion
-	DB       *sqlx.DB
-}
-
-func connectToMariadbContainer(
-	t *testing.T,
-	port string,
-	version tools.MariadbVersion,
-) *MariadbContainer {
-	if port == "" {
-		t.Skipf("MariaDB port not configured for version %s", version)
-	}
-
-	dbName := "testdb"
-	host := "127.0.0.1"
-	username := "root"
-	password := "rootpassword"
-
-	portInt, err := strconv.Atoi(port)
-	assert.NoError(t, err)
-
-	dsn := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
-		username, password, host, portInt, dbName)
-
-	db, err := sqlx.Connect("mysql", dsn)
-	if err != nil {
-		t.Skipf("Failed to connect to MariaDB %s: %v", version, err)
-	}
-
-	return &MariadbContainer{
-		Host:     host,
-		Port:     portInt,
-		Username: username,
-		Password: password,
-		Database: dbName,
-		Version:  version,
-		DB:       db,
-	}
-}
-
-func createMariadbModel(container *MariadbContainer) *MariadbDatabase {
-	return &MariadbDatabase{
-		Version:  container.Version,
-		Host:     container.Host,
-		Port:     container.Port,
-		Username: container.Username,
-		Password: container.Password,
-		Database: &container.Database,
-		IsHttps:  false,
-	}
-}
-
-func dropUserSafe(db *sqlx.DB, username string) {
-	// MariaDB 5.5 doesn't support DROP USER IF EXISTS, so we ignore errors
-	_, _ = db.Exec(fmt.Sprintf("DROP USER '%s'@'%%'", username))
-}
--- a/backend/internal/features/databases/databases/mongodb/model.go
+++ b/backend/internal/features/databases/databases/mongodb/model.go
@@ -5,7 +5,9 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"net/url"
 	"regexp"
+	"strings"
 	"time"

 	"databasus-backend/internal/util/encryption"
@@ -95,6 +97,16 @@ func (m *MongodbDatabase) TestConnection(
 	}
 	m.Version = detectedVersion

+	if err := checkBackupPermissions(
+		ctx,
+		client,
+		m.Username,
+		m.Database,
+		m.AuthDatabase,
+	); err != nil {
+		return err
+	}
+
 	return nil
 }

@@ -134,14 +146,11 @@ func (m *MongodbDatabase) EncryptSensitiveFields(
 	return nil
 }

-func (m *MongodbDatabase) PopulateVersionIfEmpty(
+func (m *MongodbDatabase) PopulateDbData(
 	logger *slog.Logger,
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
 ) error {
-	if m.Version != "" {
-		return nil
-	}
 	return m.PopulateVersion(logger, encryptor, databaseID)
 }

@@ -185,10 +194,10 @@ func (m *MongodbDatabase) IsUserReadOnly(
 	logger *slog.Logger,
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
-) (bool, error) {
+) (bool, []string, error) {
 	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
 	if err != nil {
-		return false, fmt.Errorf("failed to decrypt password: %w", err)
+		return false, nil, fmt.Errorf("failed to decrypt password: %w", err)
 	}

 	uri := m.buildConnectionURI(password)
@@ -196,7 +205,7 @@ func (m *MongodbDatabase) IsUserReadOnly(
 	clientOptions := options.Client().ApplyURI(uri)
 	client, err := mongo.Connect(ctx, clientOptions)
 	if err != nil {
-		return false, fmt.Errorf("failed to connect to database: %w", err)
+		return false, nil, fmt.Errorf("failed to connect to database: %w", err)
 	}
 	defer func() {
 		if disconnectErr := client.Disconnect(ctx); disconnectErr != nil {
@@ -218,44 +227,153 @@ func (m *MongodbDatabase) IsUserReadOnly(
 		}},
 	}).Decode(&result)
 	if err != nil {
-		return false, fmt.Errorf("failed to get user info: %w", err)
+		return false, nil, fmt.Errorf("failed to get user info: %w", err)
 	}

-	writeRoles := []string{
-		"readWrite", "readWriteAnyDatabase", "dbAdmin", "dbAdminAnyDatabase",
-		"userAdmin", "userAdminAnyDatabase", "clusterAdmin", "root",
-		"dbOwner", "backup", "restore",
+	writeRoles := map[string]bool{
+		"readWrite":            true,
+		"readWriteAnyDatabase": true,
+		"dbAdmin":              true,
+		"dbAdminAnyDatabase":   true,
+		"userAdmin":            true,
+		"userAdminAnyDatabase": true,
+		"clusterAdmin":         true,
+		"clusterManager":       true,
+		"hostManager":          true,
+		"root":                 true,
+		"dbOwner":              true,
+		"restore":              true,
+		"__system":             true,
 	}

+	// Roles that are read-only for our backup purposes
+	// The "backup" role has insert/update on mms.backup collection but is needed for mongodump
+	readOnlyRoles := map[string]bool{
+		"read":   true,
+		"backup": true,
+	}
+
+	writeActions := map[string]bool{
+		"insert":             true,
+		"update":             true,
+		"remove":             true,
+		"createCollection":   true,
+		"dropCollection":     true,
+		"createIndex":        true,
+		"dropIndex":          true,
+		"convertToCapped":    true,
+		"dropDatabase":       true,
+		"renameCollection":   true,
+		"createUser":         true,
+		"dropUser":           true,
+		"updateUser":         true,
+		"grantRole":          true,
+		"revokeRole":         true,
+		"dropRole":           true,
+		"createRole":         true,
+		"updateRole":         true,
+		"enableSharding":     true,
+		"shardCollection":    true,
+		"addShard":           true,
+		"removeShard":        true,
+		"shutdown":           true,
+		"replSetReconfig":    true,
+		"replSetStateChange": true,
+	}
+
+	var detectedRoles []string
+
 	users, ok := result["users"].(bson.A)
 	if !ok || len(users) == 0 {
-		return true, nil
+		return true, detectedRoles, nil
 	}

 	user, ok := users[0].(bson.M)
 	if !ok {
-		return true, nil
+		return true, detectedRoles, nil
 	}

 	roles, ok := user["roles"].(bson.A)
 	if !ok {
-		return true, nil
+		return true, detectedRoles, nil
 	}

+	// Collect all role names and check for write roles
 	for _, roleDoc := range roles {
 		role, ok := roleDoc.(bson.M)
 		if !ok {
 			continue
 		}
 		roleName, _ := role["role"].(string)
-		for _, writeRole := range writeRoles {
-			if roleName == writeRole {
-				return false, nil
+		if roleName != "" {
+			detectedRoles = append(detectedRoles, roleName)
+		}
+	}
+
+	// Check if any detected role is a write role
+	for _, roleName := range detectedRoles {
+		if writeRoles[roleName] {
+			return false, detectedRoles, nil
+		}
+	}
+
+	// If all roles are known read-only roles (read, backup), skip inherited privilege check
+	allRolesReadOnly := true
+	for _, roleName := range detectedRoles {
+		if !readOnlyRoles[roleName] {
+			allRolesReadOnly = false
+			break
+		}
+	}
+	if allRolesReadOnly && len(detectedRoles) > 0 {
+		return true, detectedRoles, nil
+	}
+
+	// Check inherited privileges for custom roles
+	var privResult bson.M
+	err = adminDB.RunCommand(ctx, bson.D{
+		{Key: "usersInfo", Value: bson.D{
+			{Key: "user", Value: m.Username},
+			{Key: "db", Value: authDB},
+		}},
+		{Key: "showPrivileges", Value: true},
+	}).Decode(&privResult)
+	if err != nil {
+		return false, nil, fmt.Errorf("failed to get user privileges: %w", err)
+	}
+
+	privUsers, ok := privResult["users"].(bson.A)
+	if !ok || len(privUsers) == 0 {
+		return true, detectedRoles, nil
+	}
+
+	privUser, ok := privUsers[0].(bson.M)
+	if !ok {
+		return true, detectedRoles, nil
+	}
+
+	// Check inheritedPrivileges for write actions
+	inheritedPrivileges, ok := privUser["inheritedPrivileges"].(bson.A)
+	if ok {
+		for _, privDoc := range inheritedPrivileges {
+			priv, ok := privDoc.(bson.M)
+			if !ok {
+				continue
+			}
+			actions, ok := priv["actions"].(bson.A)
+			if !ok {
+				continue
+			}
+			for _, action := range actions {
+				actionStr, ok := action.(string)
+				if ok && writeActions[actionStr] {
+					return false, detectedRoles, nil
+				}
 			}
 		}
 	}

-	return true, nil
+	return true, detectedRoles, nil
 }

 func (m *MongodbDatabase) CreateReadOnlyUser(
@@ -290,7 +408,7 @@ func (m *MongodbDatabase) CreateReadOnlyUser(
 	maxRetries := 3
 	for attempt := range maxRetries {
 		newUsername := fmt.Sprintf("databasus-%s", uuid.New().String()[:8])
-		newPassword := uuid.New().String()
+		newPassword := encryption.GenerateComplexPassword()

 		adminDB := client.Database(authDB)
 		err = adminDB.RunCommand(ctx, bson.D{
@@ -332,20 +450,20 @@ func (m *MongodbDatabase) buildConnectionURI(password string) string {
 		authDB = "admin"
 	}

-	tlsOption := "false"
+	tlsParams := ""
 	if m.IsHttps {
-		tlsOption = "true"
+		tlsParams = "&tls=true&tlsInsecure=true"
 	}

 	return fmt.Sprintf(
-		"mongodb://%s:%s@%s:%d/%s?authSource=%s&tls=%s&connectTimeoutMS=15000",
-		m.Username,
-		password,
+		"mongodb://%s:%s@%s:%d/%s?authSource=%s&connectTimeoutMS=15000%s",
+		url.QueryEscape(m.Username),
+		url.QueryEscape(password),
 		m.Host,
 		m.Port,
 		m.Database,
 		authDB,
-		tlsOption,
+		tlsParams,
 	)
 }

@@ -356,19 +474,19 @@ func (m *MongodbDatabase) BuildMongodumpURI(password string) string {
 		authDB = "admin"
 	}

-	tlsOption := "false"
+	tlsParams := ""
 	if m.IsHttps {
-		tlsOption = "true"
+		tlsParams = "&tls=true&tlsInsecure=true"
 	}

 	return fmt.Sprintf(
-		"mongodb://%s:%s@%s:%d/?authSource=%s&tls=%s&connectTimeoutMS=15000",
-		m.Username,
-		password,
+		"mongodb://%s:%s@%s:%d/?authSource=%s&connectTimeoutMS=15000%s",
+		url.QueryEscape(m.Username),
+		url.QueryEscape(password),
 		m.Host,
 		m.Port,
 		authDB,
-		tlsOption,
+		tlsParams,
 	)
 }

@@ -413,6 +531,128 @@ func detectMongodbVersion(ctx context.Context, client *mongo.Client) (tools.Mong
 	}
 }

+// checkBackupPermissions verifies the user has sufficient privileges for mongodump backup.
+// Required: 'read' role on target database OR 'backup' role on admin OR 'readAnyDatabase' role.
+func checkBackupPermissions(
+	ctx context.Context,
+	client *mongo.Client,
+	username, database, authDatabase string,
+) error {
+	authDB := authDatabase
+	if authDB == "" {
+		authDB = "admin"
+	}
+
+	adminDB := client.Database(authDB)
+	var result bson.M
+	err := adminDB.RunCommand(ctx, bson.D{
+		{Key: "usersInfo", Value: bson.D{
+			{Key: "user", Value: username},
+			{Key: "db", Value: authDB},
+		}},
+		{Key: "showPrivileges", Value: true},
+	}).Decode(&result)
+	if err != nil {
+		return fmt.Errorf("failed to get user info: %w", err)
+	}
+
+	users, ok := result["users"].(bson.A)
+	if !ok || len(users) == 0 {
+		return errors.New("insufficient permissions for backup. User not found")
+	}
+
+	user, ok := users[0].(bson.M)
+	if !ok {
+		return errors.New("insufficient permissions for backup. Could not parse user info")
+	}
+
+	// Check roles for backup permissions
+	roles, ok := user["roles"].(bson.A)
+	if !ok {
+		return errors.New("insufficient permissions for backup. No roles assigned")
+	}
+
+	backupRoles := map[string]bool{
+		"backup":               true,
+		"root":                 true,
+		"readAnyDatabase":      true,
+		"dbOwner":              true,
+		"__system":             true,
+		"clusterAdmin":         true,
+		"readWriteAnyDatabase": true,
+	}
+
+	var userRoles []string
+	hasBackupRole := false
+	hasReadOnTargetDB := false
+
+	for _, roleDoc := range roles {
+		role, ok := roleDoc.(bson.M)
+		if !ok {
+			continue
+		}
+		roleName, _ := role["role"].(string)
+		roleDB, _ := role["db"].(string)
+
+		if roleName != "" {
+			userRoles = append(userRoles, roleName)
+		}
+
+		if backupRoles[roleName] {
+			hasBackupRole = true
+		}
+
+		if roleName == "read" && (roleDB == database || roleDB == "") {
+			hasReadOnTargetDB = true
+		}
+		if roleName == "readWrite" && (roleDB == database || roleDB == "") {
+			hasReadOnTargetDB = true
+		}
+	}
+
+	if hasBackupRole || hasReadOnTargetDB {
+		return nil
+	}
+
+	// Check inherited privileges for 'find' action on target database
+	inheritedPrivileges, ok := user["inheritedPrivileges"].(bson.A)
+	if ok {
+		for _, privDoc := range inheritedPrivileges {
+			priv, ok := privDoc.(bson.M)
+			if !ok {
+				continue
+			}
+			resource, ok := priv["resource"].(bson.M)
+			if !ok {
+				continue
+			}
+
+			resourceDB, _ := resource["db"].(string)
+			resourceCluster, _ := resource["cluster"].(bool)
+
+			isTargetDB := resourceDB == database || resourceDB == "" || resourceCluster
+
+			actions, ok := priv["actions"].(bson.A)
+			if !ok {
+				continue
+			}
+
+			for _, action := range actions {
+				actionStr, ok := action.(string)
+				if ok && actionStr == "find" && isTargetDB {
+					return nil
+				}
+			}
+		}
+	}
+
+	return fmt.Errorf(
+		"insufficient permissions for backup. Current roles: %s. Required: 'read' role on database '%s' OR 'backup' role on admin OR 'readAnyDatabase' role",
+		strings.Join(userRoles, ", "),
+		database,
+	)
+}
+
 func decryptPasswordIfNeeded(
 	password string,
 	encryptor encryption.FieldEncryptor,
--- a/backend/internal/features/databases/databases/mongodb/readonly_user_test.go
+++ b/backend/internal/features/databases/databases/mongodb/readonly_user_test.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"net/url"
 	"os"
 	"strconv"
 	"strings"
@@ -19,6 +20,138 @@ import (
 	"databasus-backend/internal/util/tools"
 )

+func Test_TestConnection_InsufficientPermissions_ReturnsError(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MongodbVersion
+		port    string
+	}{
+		{"MongoDB 4.0", tools.MongodbVersion4, env.TestMongodb40Port},
+		{"MongoDB 4.2", tools.MongodbVersion4, env.TestMongodb42Port},
+		{"MongoDB 4.4", tools.MongodbVersion4, env.TestMongodb44Port},
+		{"MongoDB 5.0", tools.MongodbVersion5, env.TestMongodb50Port},
+		{"MongoDB 6.0", tools.MongodbVersion6, env.TestMongodb60Port},
+		{"MongoDB 7.0", tools.MongodbVersion7, env.TestMongodb70Port},
+		{"MongoDB 8.2", tools.MongodbVersion8, env.TestMongodb82Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMongodbContainer(t, tc.port, tc.version)
+			defer container.Client.Disconnect(context.Background())
+
+			ctx := context.Background()
+			db := container.Client.Database(container.Database)
+
+			_ = db.Collection("permission_test").Drop(ctx)
+			_, err := db.Collection("permission_test").InsertOne(ctx, bson.M{"data": "test1"})
+			assert.NoError(t, err)
+
+			limitedUsername := fmt.Sprintf("limited_%s", uuid.New().String()[:8])
+			limitedPassword := "limitedpassword123"
+
+			adminDB := container.Client.Database(container.AuthDatabase)
+			err = adminDB.RunCommand(ctx, bson.D{
+				{Key: "createUser", Value: limitedUsername},
+				{Key: "pwd", Value: limitedPassword},
+				{Key: "roles", Value: bson.A{}},
+			}).Err()
+			assert.NoError(t, err)
+
+			defer dropUserSafe(container.Client, limitedUsername, container.AuthDatabase)
+
+			mongodbModel := &MongodbDatabase{
+				Version:      tc.version,
+				Host:         container.Host,
+				Port:         container.Port,
+				Username:     limitedUsername,
+				Password:     limitedPassword,
+				Database:     container.Database,
+				AuthDatabase: container.AuthDatabase,
+				IsHttps:      false,
+				CpuCount:     1,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = mongodbModel.TestConnection(logger, nil, uuid.New())
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "insufficient permissions")
+		})
+	}
+}
+
+func Test_TestConnection_SufficientPermissions_Success(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MongodbVersion
+		port    string
+	}{
+		{"MongoDB 4.0", tools.MongodbVersion4, env.TestMongodb40Port},
+		{"MongoDB 4.2", tools.MongodbVersion4, env.TestMongodb42Port},
+		{"MongoDB 4.4", tools.MongodbVersion4, env.TestMongodb44Port},
+		{"MongoDB 5.0", tools.MongodbVersion5, env.TestMongodb50Port},
+		{"MongoDB 6.0", tools.MongodbVersion6, env.TestMongodb60Port},
+		{"MongoDB 7.0", tools.MongodbVersion7, env.TestMongodb70Port},
+		{"MongoDB 8.2", tools.MongodbVersion8, env.TestMongodb82Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMongodbContainer(t, tc.port, tc.version)
+			defer container.Client.Disconnect(context.Background())
+
+			ctx := context.Background()
+			db := container.Client.Database(container.Database)
+
+			_ = db.Collection("backup_test").Drop(ctx)
+			_, err := db.Collection("backup_test").InsertOne(ctx, bson.M{"data": "test1"})
+			assert.NoError(t, err)
+
+			backupUsername := fmt.Sprintf("backup_%s", uuid.New().String()[:8])
+			backupPassword := "backuppassword123"
+
+			adminDB := container.Client.Database(container.AuthDatabase)
+			err = adminDB.RunCommand(ctx, bson.D{
+				{Key: "createUser", Value: backupUsername},
+				{Key: "pwd", Value: backupPassword},
+				{Key: "roles", Value: bson.A{
+					bson.D{
+						{Key: "role", Value: "read"},
+						{Key: "db", Value: container.Database},
+					},
+				}},
+			}).Err()
+			assert.NoError(t, err)
+
+			defer dropUserSafe(container.Client, backupUsername, container.AuthDatabase)
+
+			mongodbModel := &MongodbDatabase{
+				Version:      tc.version,
+				Host:         container.Host,
+				Port:         container.Port,
+				Username:     backupUsername,
+				Password:     backupPassword,
+				Database:     container.Database,
+				AuthDatabase: container.AuthDatabase,
+				IsHttps:      false,
+				CpuCount:     1,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = mongodbModel.TestConnection(logger, nil, uuid.New())
+			assert.NoError(t, err)
+		})
+	}
+}
+
 func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
 	env := config.GetEnv()
 	cases := []struct {
@@ -46,13 +179,52 @@ func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
 			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
 			ctx := context.Background()

-			isReadOnly, err := mongodbModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			isReadOnly, roles, err := mongodbModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
 			assert.NoError(t, err)
 			assert.False(t, isReadOnly, "Root user should not be read-only")
+			assert.NotEmpty(t, roles, "Root user should have roles")
 		})
 	}
 }

+func Test_IsUserReadOnly_ReadOnlyUser_ReturnsTrue(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMongodbContainer(t, env.TestMongodb70Port, tools.MongodbVersion7)
+	defer container.Client.Disconnect(context.Background())
+
+	ctx := context.Background()
+	db := container.Client.Database(container.Database)
+
+	_ = db.Collection("readonly_check_test").Drop(ctx)
+	_, err := db.Collection("readonly_check_test").InsertOne(ctx, bson.M{"data": "test1"})
+	assert.NoError(t, err)
+
+	mongodbModel := createMongodbModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+	username, password, err := mongodbModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	readOnlyModel := &MongodbDatabase{
+		Version:      mongodbModel.Version,
+		Host:         mongodbModel.Host,
+		Port:         mongodbModel.Port,
+		Username:     username,
+		Password:     password,
+		Database:     mongodbModel.Database,
+		AuthDatabase: mongodbModel.AuthDatabase,
+		IsHttps:      false,
+		CpuCount:     1,
+	}
+
+	isReadOnly, roles, err := readOnlyModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+	assert.True(t, isReadOnly, "Read-only user should be read-only")
+	assert.NotEmpty(t, roles, "Read-only user should have roles (read, backup)")
+
+	dropUserSafe(container.Client, username, container.AuthDatabase)
+}
+
 func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
 	env := config.GetEnv()
 	cases := []struct {
@@ -271,6 +443,7 @@ func createMongodbModel(container *MongodbContainer) *MongodbDatabase {
 		Database:     container.Database,
 		AuthDatabase: container.AuthDatabase,
 		IsHttps:      false,
+		CpuCount:     1,
 	}
 }

@@ -281,7 +454,8 @@ func connectWithCredentials(
 ) *mongo.Client {
 	uri := fmt.Sprintf(
 		"mongodb://%s:%s@%s:%d/%s?authSource=%s",
-		username, password, container.Host, container.Port,
+		url.QueryEscape(username), url.QueryEscape(password),
+		container.Host, container.Port,
 		container.Database, container.AuthDatabase,
 	)

--- a/backend/internal/features/databases/databases/mysql/model.go
+++ b/backend/internal/features/databases/databases/mysql/model.go
@@ -2,17 +2,20 @@ package mysql

 import (
 	"context"
+	"crypto/tls"
 	"database/sql"
 	"errors"
 	"fmt"
 	"log/slog"
 	"regexp"
+	"sort"
+	"strings"
 	"time"

 	"databasus-backend/internal/util/encryption"
 	"databasus-backend/internal/util/tools"

-	_ "github.com/go-sql-driver/mysql"
+	"github.com/go-sql-driver/mysql"
 	"github.com/google/uuid"
 )

@@ -22,12 +25,13 @@ type MysqlDatabase struct {

 	Version tools.MysqlVersion `json:"version" gorm:"type:text;not null"`

-	Host     string  `json:"host"     gorm:"type:text;not null"`
-	Port     int     `json:"port"     gorm:"type:int;not null"`
-	Username string  `json:"username" gorm:"type:text;not null"`
-	Password string  `json:"password" gorm:"type:text;not null"`
-	Database *string `json:"database" gorm:"type:text"`
-	IsHttps  bool    `json:"isHttps"  gorm:"type:boolean;default:false"`
+	Host       string  `json:"host"       gorm:"type:text;not null"`
+	Port       int     `json:"port"       gorm:"type:int;not null"`
+	Username   string  `json:"username"   gorm:"type:text;not null"`
+	Password   string  `json:"password"   gorm:"type:text;not null"`
+	Database   *string `json:"database"   gorm:"type:text"`
+	IsHttps    bool    `json:"isHttps"    gorm:"type:boolean;default:false"`
+	Privileges string  `json:"privileges" gorm:"column:privileges;type:text;not null;default:''"`
 }

 func (m *MysqlDatabase) TableName() string {
@@ -93,6 +97,16 @@ func (m *MysqlDatabase) TestConnection(
 	}
 	m.Version = detectedVersion

+	privileges, err := detectPrivileges(ctx, db, *m.Database)
+	if err != nil {
+		return err
+	}
+	m.Privileges = privileges
+
+	if err := checkBackupPermissions(m.Privileges); err != nil {
+		return err
+	}
+
 	return nil
 }

@@ -110,6 +124,7 @@ func (m *MysqlDatabase) Update(incoming *MysqlDatabase) {
 	m.Username = incoming.Username
 	m.Database = incoming.Database
 	m.IsHttps = incoming.IsHttps
+	m.Privileges = incoming.Privileges

 	if incoming.Password != "" {
 		m.Password = incoming.Password
@@ -130,15 +145,48 @@ func (m *MysqlDatabase) EncryptSensitiveFields(
 	return nil
 }

-func (m *MysqlDatabase) PopulateVersionIfEmpty(
+func (m *MysqlDatabase) PopulateDbData(
 	logger *slog.Logger,
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
 ) error {
-	if m.Version != "" {
+	if m.Database == nil || *m.Database == "" {
 		return nil
 	}
-	return m.PopulateVersion(logger, encryptor, databaseID)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
+	if err != nil {
+		return fmt.Errorf("failed to decrypt password: %w", err)
+	}
+
+	dsn := m.buildDSN(password, *m.Database)
+
+	db, err := sql.Open("mysql", dsn)
+	if err != nil {
+		return fmt.Errorf("failed to connect to database: %w", err)
+	}
+	defer func() {
+		if closeErr := db.Close(); closeErr != nil {
+			logger.Error("Failed to close connection", "error", closeErr)
+		}
+	}()
+
+	detectedVersion, err := detectMysqlVersion(ctx, db)
+	if err != nil {
+		return err
+	}
+	m.Version = detectedVersion
+
+	privileges, err := detectPrivileges(ctx, db, *m.Database)
+	if err != nil {
+		return err
+	}
+	m.Privileges = privileges
+
+	return nil
 }

 func (m *MysqlDatabase) PopulateVersion(
@@ -174,8 +222,8 @@ func (m *MysqlDatabase) PopulateVersion(
 	if err != nil {
 		return err
 	}
-
 	m.Version = detectedVersion
+
 	return nil
 }

@@ -184,17 +232,17 @@ func (m *MysqlDatabase) IsUserReadOnly(
 	logger *slog.Logger,
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
-) (bool, error) {
+) (bool, []string, error) {
 	password, err := decryptPasswordIfNeeded(m.Password, encryptor, databaseID)
 	if err != nil {
-		return false, fmt.Errorf("failed to decrypt password: %w", err)
+		return false, nil, fmt.Errorf("failed to decrypt password: %w", err)
 	}

 	dsn := m.buildDSN(password, *m.Database)

 	db, err := sql.Open("mysql", dsn)
 	if err != nil {
-		return false, fmt.Errorf("failed to connect to database: %w", err)
+		return false, nil, fmt.Errorf("failed to connect to database: %w", err)
 	}
 	defer func() {
 		if closeErr := db.Close(); closeErr != nil {
@@ -204,33 +252,45 @@ func (m *MysqlDatabase) IsUserReadOnly(

 	rows, err := db.QueryContext(ctx, "SHOW GRANTS FOR CURRENT_USER()")
 	if err != nil {
-		return false, fmt.Errorf("failed to check grants: %w", err)
+		return false, nil, fmt.Errorf("failed to check grants: %w", err)
 	}
 	defer func() { _ = rows.Close() }()

 	writePrivileges := []string{
 		"INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER",
 		"INDEX", "GRANT OPTION", "ALL PRIVILEGES", "SUPER",
+		"EXECUTE", "FILE", "RELOAD", "SHUTDOWN", "CREATE ROUTINE",
+		"ALTER ROUTINE", "CREATE USER",
+		"CREATE TABLESPACE", "REFERENCES",
 	}

+	detectedPrivileges := make(map[string]bool)
+
 	for rows.Next() {
 		var grant string
 		if err := rows.Scan(&grant); err != nil {
-			return false, fmt.Errorf("failed to scan grant: %w", err)
+			return false, nil, fmt.Errorf("failed to scan grant: %w", err)
 		}

 		for _, priv := range writePrivileges {
 			if regexp.MustCompile(`(?i)\b` + priv + `\b`).MatchString(grant) {
-				return false, nil
+				detectedPrivileges[priv] = true
 			}
 		}
 	}

 	if err := rows.Err(); err != nil {
-		return false, fmt.Errorf("error iterating grants: %w", err)
+		return false, nil, fmt.Errorf("error iterating grants: %w", err)
 	}

-	return true, nil
+	privileges := make([]string, 0, len(detectedPrivileges))
+	for priv := range detectedPrivileges {
+		privileges = append(privileges, priv)
+	}
+
+	isReadOnly := len(privileges) == 0
+
+	return isReadOnly, privileges, nil
 }

 func (m *MysqlDatabase) CreateReadOnlyUser(
@@ -259,7 +319,7 @@ func (m *MysqlDatabase) CreateReadOnlyUser(
 	maxRetries := 3
 	for attempt := range maxRetries {
 		newUsername := fmt.Sprintf("databasus-%s", uuid.New().String()[:8])
-		newPassword := uuid.New().String()
+		newPassword := encryption.GenerateComplexPassword()

 		tx, err := db.BeginTx(ctx, nil)
 		if err != nil {
@@ -325,10 +385,32 @@ func (m *MysqlDatabase) CreateReadOnlyUser(
 	return "", "", errors.New("failed to generate unique username after 3 attempts")
 }

+func (m *MysqlDatabase) HasPrivilege(priv string) bool {
+	return HasPrivilege(m.Privileges, priv)
+}
+
+func HasPrivilege(privileges, priv string) bool {
+	for p := range strings.SplitSeq(privileges, ",") {
+		if strings.TrimSpace(p) == priv {
+			return true
+		}
+	}
+	return false
+}
+
 func (m *MysqlDatabase) buildDSN(password string, database string) string {
 	tlsConfig := "false"
+
 	if m.IsHttps {
-		tlsConfig = "true"
+		err := mysql.RegisterTLSConfig("mysql-skip-verify", &tls.Config{
+			InsecureSkipVerify: true,
+		})
+		if err != nil {
+			// Config might already be registered, which is fine
+			_ = err
+		}
+
+		tlsConfig = "mysql-skip-verify"
 	}

 	return fmt.Sprintf(
@@ -388,6 +470,104 @@ func mapMysql8xVersion(minor string) tools.MysqlVersion {
 	}
 }

+// detectPrivileges detects backup-related privileges and returns them as comma-separated string
+func detectPrivileges(ctx context.Context, db *sql.DB, database string) (string, error) {
+	rows, err := db.QueryContext(ctx, "SHOW GRANTS FOR CURRENT_USER()")
+	if err != nil {
+		return "", fmt.Errorf("failed to check grants: %w", err)
+	}
+	defer func() { _ = rows.Close() }()
+
+	backupPrivileges := []string{
+		"SELECT", "SHOW VIEW", "LOCK TABLES", "TRIGGER", "EVENT",
+	}
+
+	detectedPrivileges := make(map[string]bool)
+	hasProcess := false
+	hasAllPrivileges := false
+
+	dbPatternStr := fmt.Sprintf(
+		`(?i)ON\s+[\x60'"]?%s[\x60'"]?\s*\.\s*\*`,
+		regexp.QuoteMeta(database),
+	)
+	dbPattern := regexp.MustCompile(dbPatternStr)
+	globalPattern := regexp.MustCompile(`(?i)ON\s+\*\s*\.\s*\*`)
+	allPrivilegesPattern := regexp.MustCompile(`(?i)\bALL\s+PRIVILEGES\b`)
+
+	for rows.Next() {
+		var grant string
+		if err := rows.Scan(&grant); err != nil {
+			return "", fmt.Errorf("failed to scan grant: %w", err)
+		}
+
+		isRelevantGrant := globalPattern.MatchString(grant) || dbPattern.MatchString(grant)
+
+		if allPrivilegesPattern.MatchString(grant) && isRelevantGrant {
+			hasAllPrivileges = true
+		}
+
+		if isRelevantGrant {
+			for _, priv := range backupPrivileges {
+				privPattern := regexp.MustCompile(`(?i)\b` + regexp.QuoteMeta(priv) + `\b`)
+				if privPattern.MatchString(grant) {
+					detectedPrivileges[priv] = true
+				}
+			}
+		}
+
+		if globalPattern.MatchString(grant) {
+			processPattern := regexp.MustCompile(`(?i)\bPROCESS\b`)
+			if processPattern.MatchString(grant) {
+				hasProcess = true
+			}
+		}
+	}
+
+	if err := rows.Err(); err != nil {
+		return "", fmt.Errorf("error iterating grants: %w", err)
+	}
+
+	if hasAllPrivileges {
+		for _, priv := range backupPrivileges {
+			detectedPrivileges[priv] = true
+		}
+		hasProcess = true
+	}
+
+	privileges := make([]string, 0, len(detectedPrivileges)+1)
+	for priv := range detectedPrivileges {
+		privileges = append(privileges, priv)
+	}
+	if hasProcess {
+		privileges = append(privileges, "PROCESS")
+	}
+
+	sort.Strings(privileges)
+	return strings.Join(privileges, ","), nil
+}
+
+// checkBackupPermissions verifies the user has sufficient privileges for mysqldump backup.
+// Required: SELECT, SHOW VIEW
+func checkBackupPermissions(privileges string) error {
+	requiredPrivileges := []string{"SELECT", "SHOW VIEW"}
+
+	var missingPrivileges []string
+	for _, priv := range requiredPrivileges {
+		if !HasPrivilege(privileges, priv) {
+			missingPrivileges = append(missingPrivileges, priv)
+		}
+	}
+
+	if len(missingPrivileges) > 0 {
+		return fmt.Errorf(
+			"insufficient permissions for backup. Missing: %s. Required: SELECT, SHOW VIEW",
+			strings.Join(missingPrivileges, ", "),
+		)
+	}
+
+	return nil
+}
+
 func decryptPasswordIfNeeded(
 	password string,
 	encryptor encryption.FieldEncryptor,
--- a/backend/internal/features/databases/databases/mysql/readonly_user_test.go
+++ b/backend/internal/features/databases/databases/mysql/readonly_user_test.go
@@ -18,6 +18,165 @@ import (
 	"databasus-backend/internal/util/tools"
 )

+func Test_TestConnection_InsufficientPermissions_ReturnsError(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MysqlVersion
+		port    string
+	}{
+		{"MySQL 5.7", tools.MysqlVersion57, env.TestMysql57Port},
+		{"MySQL 8.0", tools.MysqlVersion80, env.TestMysql80Port},
+		{"MySQL 8.4", tools.MysqlVersion84, env.TestMysql84Port},
+		{"MySQL 9", tools.MysqlVersion9, env.TestMysql90Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMysqlContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`DROP TABLE IF EXISTS permission_test`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`CREATE TABLE permission_test (
+				id INT AUTO_INCREMENT PRIMARY KEY,
+				data VARCHAR(255) NOT NULL
+			)`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`INSERT INTO permission_test (data) VALUES ('test1')`)
+			assert.NoError(t, err)
+
+			limitedUsername := fmt.Sprintf("limited_%s", uuid.New().String()[:8])
+			limitedPassword := "limitedpassword123"
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+				limitedUsername,
+				limitedPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"GRANT SELECT ON `%s`.* TO '%s'@'%%'",
+				container.Database,
+				limitedUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec("FLUSH PRIVILEGES")
+			assert.NoError(t, err)
+
+			defer func() {
+				_, _ = container.DB.Exec(
+					fmt.Sprintf("DROP USER IF EXISTS '%s'@'%%'", limitedUsername),
+				)
+			}()
+
+			mysqlModel := &MysqlDatabase{
+				Version:  tc.version,
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: limitedUsername,
+				Password: limitedPassword,
+				Database: &container.Database,
+				IsHttps:  false,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = mysqlModel.TestConnection(logger, nil, uuid.New())
+			assert.Error(t, err)
+			assert.Contains(t, err.Error(), "insufficient permissions")
+		})
+	}
+}
+
+func Test_TestConnection_SufficientPermissions_Success(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MysqlVersion
+		port    string
+	}{
+		{"MySQL 5.7", tools.MysqlVersion57, env.TestMysql57Port},
+		{"MySQL 8.0", tools.MysqlVersion80, env.TestMysql80Port},
+		{"MySQL 8.4", tools.MysqlVersion84, env.TestMysql84Port},
+		{"MySQL 9", tools.MysqlVersion9, env.TestMysql90Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMysqlContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`DROP TABLE IF EXISTS backup_test`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`CREATE TABLE backup_test (
+				id INT AUTO_INCREMENT PRIMARY KEY,
+				data VARCHAR(255) NOT NULL
+			)`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`INSERT INTO backup_test (data) VALUES ('test1')`)
+			assert.NoError(t, err)
+
+			backupUsername := fmt.Sprintf("backup_%s", uuid.New().String()[:8])
+			backupPassword := "backuppassword123"
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+				backupUsername,
+				backupPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"GRANT SELECT, SHOW VIEW, LOCK TABLES, TRIGGER, EVENT ON `%s`.* TO '%s'@'%%'",
+				container.Database,
+				backupUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"GRANT PROCESS ON *.* TO '%s'@'%%'",
+				backupUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec("FLUSH PRIVILEGES")
+			assert.NoError(t, err)
+
+			defer func() {
+				_, _ = container.DB.Exec(
+					fmt.Sprintf("DROP USER IF EXISTS '%s'@'%%'", backupUsername),
+				)
+			}()
+
+			mysqlModel := &MysqlDatabase{
+				Version:  tc.version,
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: backupUsername,
+				Password: backupPassword,
+				Database: &container.Database,
+				IsHttps:  false,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = mysqlModel.TestConnection(logger, nil, uuid.New())
+			assert.NoError(t, err)
+		})
+	}
+}
+
 func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
 	env := config.GetEnv()
 	cases := []struct {
@@ -42,13 +201,57 @@ func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
 			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
 			ctx := context.Background()

-			isReadOnly, err := mysqlModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			isReadOnly, privileges, err := mysqlModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
 			assert.NoError(t, err)
 			assert.False(t, isReadOnly, "Root user should not be read-only")
+			assert.NotEmpty(t, privileges, "Root user should have privileges")
 		})
 	}
 }

+func Test_IsUserReadOnly_ReadOnlyUser_ReturnsTrue(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMysqlContainer(t, env.TestMysql80Port, tools.MysqlVersion80)
+	defer container.DB.Close()
+
+	_, err := container.DB.Exec(`DROP TABLE IF EXISTS readonly_check_test`)
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(`CREATE TABLE readonly_check_test (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)`)
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(`INSERT INTO readonly_check_test (data) VALUES ('test1')`)
+	assert.NoError(t, err)
+
+	mysqlModel := createMysqlModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := mysqlModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	readOnlyModel := &MysqlDatabase{
+		Version:  mysqlModel.Version,
+		Host:     mysqlModel.Host,
+		Port:     mysqlModel.Port,
+		Username: username,
+		Password: password,
+		Database: mysqlModel.Database,
+		IsHttps:  false,
+	}
+
+	isReadOnly, privileges, err := readOnlyModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+	assert.True(t, isReadOnly, "Read-only user should be read-only")
+	assert.Empty(t, privileges, "Read-only user should have no write privileges")
+
+	_, err = container.DB.Exec(fmt.Sprintf("DROP USER IF EXISTS '%s'@'%%'", username))
+	assert.NoError(t, err)
+}
+
 func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
 	env := config.GetEnv()
 	cases := []struct {
@@ -109,9 +312,15 @@ func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
 				IsHttps:  false,
 			}

-			isReadOnly, err := readOnlyModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			isReadOnly, privileges, err := readOnlyModel.IsUserReadOnly(
+				ctx,
+				logger,
+				nil,
+				uuid.New(),
+			)
 			assert.NoError(t, err)
 			assert.True(t, isReadOnly, "Created user should be read-only")
+			assert.Empty(t, privileges, "Read-only user should have no write privileges")

 			readOnlyDSN := fmt.Sprintf(
 				"%s:%s@tcp(%s:%d)/%s?parseTime=true",
@@ -309,6 +518,162 @@ func Test_ReadOnlyUser_CannotDropOrAlterTables(t *testing.T) {
 	assert.NoError(t, err)
 }

+func Test_TestConnection_DatabaseSpecificPrivilegesWithGlobalProcess_Success(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version tools.MysqlVersion
+		port    string
+	}{
+		{"MySQL 5.7", tools.MysqlVersion57, env.TestMysql57Port},
+		{"MySQL 8.0", tools.MysqlVersion80, env.TestMysql80Port},
+		{"MySQL 8.4", tools.MysqlVersion84, env.TestMysql84Port},
+		{"MySQL 9", tools.MysqlVersion9, env.TestMysql90Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToMysqlContainer(t, tc.port, tc.version)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`DROP TABLE IF EXISTS privilege_test`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`CREATE TABLE privilege_test (
+				id INT AUTO_INCREMENT PRIMARY KEY,
+				data VARCHAR(255) NOT NULL
+			)`)
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(`INSERT INTO privilege_test (data) VALUES ('test1')`)
+			assert.NoError(t, err)
+
+			specificUsername := fmt.Sprintf("specific_%s", uuid.New().String()[:8])
+			specificPassword := "specificpass123"
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+				specificUsername,
+				specificPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"GRANT SELECT, SHOW VIEW ON %s.* TO '%s'@'%%'",
+				container.Database,
+				specificUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				"GRANT PROCESS ON *.* TO '%s'@'%%'",
+				specificUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec("FLUSH PRIVILEGES")
+			assert.NoError(t, err)
+
+			defer func() {
+				_, _ = container.DB.Exec(
+					fmt.Sprintf("DROP USER IF EXISTS '%s'@'%%'", specificUsername),
+				)
+			}()
+
+			mysqlModel := &MysqlDatabase{
+				Version:  tc.version,
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: specificUsername,
+				Password: specificPassword,
+				Database: &container.Database,
+				IsHttps:  false,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = mysqlModel.TestConnection(logger, nil, uuid.New())
+			assert.NoError(t, err)
+		})
+	}
+}
+
+func Test_TestConnection_DatabaseWithUnderscores_Success(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToMysqlContainer(t, env.TestMysql80Port, tools.MysqlVersion80)
+	defer container.DB.Close()
+
+	underscoreDbName := "test_db_name"
+
+	_, err := container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", underscoreDbName))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf("CREATE DATABASE `%s`", underscoreDbName))
+	assert.NoError(t, err)
+
+	defer func() {
+		_, _ = container.DB.Exec(fmt.Sprintf("DROP DATABASE IF EXISTS `%s`", underscoreDbName))
+	}()
+
+	underscoreDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?parseTime=true",
+		container.Username, container.Password, container.Host, container.Port, underscoreDbName)
+	underscoreDB, err := sqlx.Connect("mysql", underscoreDSN)
+	assert.NoError(t, err)
+	defer underscoreDB.Close()
+
+	_, err = underscoreDB.Exec(`
+		CREATE TABLE underscore_test (
+			id INT AUTO_INCREMENT PRIMARY KEY,
+			data VARCHAR(255) NOT NULL
+		)
+	`)
+	assert.NoError(t, err)
+
+	_, err = underscoreDB.Exec(`INSERT INTO underscore_test (data) VALUES ('test1')`)
+	assert.NoError(t, err)
+
+	underscoreUsername := fmt.Sprintf("under_%s", uuid.New().String()[:8])
+	underscorePassword := "underscorepass123"
+
+	_, err = underscoreDB.Exec(fmt.Sprintf(
+		"CREATE USER '%s'@'%%' IDENTIFIED BY '%s'",
+		underscoreUsername,
+		underscorePassword,
+	))
+	assert.NoError(t, err)
+
+	_, err = underscoreDB.Exec(fmt.Sprintf(
+		"GRANT SELECT, SHOW VIEW ON `%s`.* TO '%s'@'%%'",
+		underscoreDbName,
+		underscoreUsername,
+	))
+	assert.NoError(t, err)
+
+	_, err = underscoreDB.Exec("FLUSH PRIVILEGES")
+	assert.NoError(t, err)
+
+	defer func() {
+		_, _ = underscoreDB.Exec(fmt.Sprintf("DROP USER IF EXISTS '%s'@'%%'", underscoreUsername))
+	}()
+
+	mysqlModel := &MysqlDatabase{
+		Version:  tools.MysqlVersion80,
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: underscoreUsername,
+		Password: underscorePassword,
+		Database: &underscoreDbName,
+		IsHttps:  false,
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+	err = mysqlModel.TestConnection(logger, nil, uuid.New())
+	assert.NoError(t, err)
+}
+
 type MysqlContainer struct {
 	Host     string
 	Port     int
--- a/backend/internal/features/databases/databases/postgresql/model.go
+++ b/backend/internal/features/databases/databases/postgresql/model.go
@@ -137,16 +137,13 @@ func (p *PostgresqlDatabase) EncryptSensitiveFields(
 	return nil
 }

-// PopulateVersionIfEmpty detects and sets the PostgreSQL version if not already set.
+// PopulateDbData detects and sets the PostgreSQL version.
 // This should be called before encrypting sensitive fields.
-func (p *PostgresqlDatabase) PopulateVersionIfEmpty(
+func (p *PostgresqlDatabase) PopulateDbData(
 	logger *slog.Logger,
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
 ) error {
-	if p.Version != "" {
-		return nil
-	}
 	return p.PopulateVersion(logger, encryptor, databaseID)
 }

@@ -192,29 +189,33 @@ func (p *PostgresqlDatabase) PopulateVersion(
 // IsUserReadOnly checks if the database user has read-only privileges.
 //
 // This method performs a comprehensive security check by examining:
-// - Role-level attributes (superuser, createrole, createdb)
+// - Role-level attributes (superuser, createrole, createdb, bypassrls, replication)
 // - Database-level privileges (CREATE, TEMP)
+// - Schema-level privileges (CREATE on any non-system schema)
 // - Table-level write permissions (INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER)
+// - Function-level privileges (EXECUTE on SECURITY DEFINER functions)
 //
 // A user is considered read-only only if they have ZERO write privileges
-// across all three levels. This ensures the database user follows the
+// across all levels. This ensures the database user follows the
 // principle of least privilege for backup operations.
+//
+// Returns: (isReadOnly, detectedPrivileges, error)
 func (p *PostgresqlDatabase) IsUserReadOnly(
 	ctx context.Context,
 	logger *slog.Logger,
 	encryptor encryption.FieldEncryptor,
 	databaseID uuid.UUID,
-) (bool, error) {
+) (bool, []string, error) {
 	password, err := decryptPasswordIfNeeded(p.Password, encryptor, databaseID)
 	if err != nil {
-		return false, fmt.Errorf("failed to decrypt password: %w", err)
+		return false, nil, fmt.Errorf("failed to decrypt password: %w", err)
 	}

 	connStr := buildConnectionStringForDB(p, *p.Database, password)

 	conn, err := pgx.Connect(ctx, connStr)
 	if err != nil {
-		return false, fmt.Errorf("failed to connect to database: %w", err)
+		return false, nil, fmt.Errorf("failed to connect to database: %w", err)
 	}
 	defer func() {
 		if closeErr := conn.Close(ctx); closeErr != nil {
@@ -222,22 +223,38 @@ func (p *PostgresqlDatabase) IsUserReadOnly(
 		}
 	}()

+	var privileges []string
+
 	// LEVEL 1: Check role-level attributes
-	var isSuperuser, canCreateRole, canCreateDB bool
+	var isSuperuser, canCreateRole, canCreateDB, canBypassRLS, canReplication bool
 	err = conn.QueryRow(ctx, `
 		SELECT
 			rolsuper,
 			rolcreaterole,
-			rolcreatedb
+			rolcreatedb,
+			rolbypassrls,
+			rolreplication
 		FROM pg_roles
 		WHERE rolname = current_user
-	`).Scan(&isSuperuser, &canCreateRole, &canCreateDB)
+	`).Scan(&isSuperuser, &canCreateRole, &canCreateDB, &canBypassRLS, &canReplication)
 	if err != nil {
-		return false, fmt.Errorf("failed to check role attributes: %w", err)
+		return false, nil, fmt.Errorf("failed to check role attributes: %w", err)
 	}

-	if isSuperuser || canCreateRole || canCreateDB {
-		return false, nil
+	if isSuperuser {
+		privileges = append(privileges, "SUPERUSER")
+	}
+	if canCreateRole {
+		privileges = append(privileges, "CREATEROLE")
+	}
+	if canCreateDB {
+		privileges = append(privileges, "CREATEDB")
+	}
+	if canBypassRLS {
+		privileges = append(privileges, "BYPASSRLS")
+	}
+	if canReplication {
+		privileges = append(privileges, "REPLICATION")
 	}

 	// LEVEL 2: Check database-level privileges
@@ -248,46 +265,34 @@ func (p *PostgresqlDatabase) IsUserReadOnly(
 			has_database_privilege(current_user, current_database(), 'TEMP') as can_temp
 	`).Scan(&canCreate, &canTemp)
 	if err != nil {
-		return false, fmt.Errorf("failed to check database privileges: %w", err)
+		return false, nil, fmt.Errorf("failed to check database privileges: %w", err)
 	}

-	if canCreate || canTemp {
-		return false, nil
+	if canCreate {
+		privileges = append(privileges, "CREATE (database)")
+	}
+	if canTemp {
+		privileges = append(privileges, "TEMP")
 	}

 	// LEVEL 2.5: Check schema-level CREATE privileges
-	schemaRows, err := conn.Query(ctx, `
-		SELECT DISTINCT nspname
-		FROM pg_namespace n
-		WHERE has_schema_privilege(current_user, n.nspname, 'CREATE')
-		AND nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
-	`)
+	var hasSchemaCreate bool
+	err = conn.QueryRow(ctx, `
+		SELECT EXISTS(
+			SELECT 1
+			FROM pg_namespace n
+			WHERE has_schema_privilege(current_user, n.nspname, 'CREATE')
+			AND nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
+		)
+	`).Scan(&hasSchemaCreate)
 	if err != nil {
-		return false, fmt.Errorf("failed to check schema privileges: %w", err)
+		return false, nil, fmt.Errorf("failed to check schema privileges: %w", err)
 	}
-	defer schemaRows.Close()
-
-	// If user has CREATE privilege on any schema, they're not read-only
-	if schemaRows.Next() {
-		return false, nil
-	}
-
-	if err := schemaRows.Err(); err != nil {
-		return false, fmt.Errorf("error iterating schema privileges: %w", err)
+	if hasSchemaCreate {
+		privileges = append(privileges, "CREATE (schema)")
 	}

 	// LEVEL 3: Check table-level write permissions
-	rows, err := conn.Query(ctx, `
-		SELECT DISTINCT privilege_type
-		FROM information_schema.role_table_grants
-		WHERE grantee = current_user
-		AND table_schema NOT IN ('pg_catalog', 'information_schema')
-	`)
-	if err != nil {
-		return false, fmt.Errorf("failed to check table privileges: %w", err)
-	}
-	defer rows.Close()
-
 	writePrivileges := map[string]bool{
 		"INSERT":     true,
 		"UPDATE":     true,
@@ -297,22 +302,56 @@ func (p *PostgresqlDatabase) IsUserReadOnly(
 		"TRIGGER":    true,
 	}

+	var tablePrivileges []string
+	rows, err := conn.Query(ctx, `
+		SELECT DISTINCT privilege_type
+		FROM information_schema.role_table_grants
+		WHERE grantee = current_user
+		AND table_schema NOT IN ('pg_catalog', 'information_schema')
+	`)
+	if err != nil {
+		return false, nil, fmt.Errorf("failed to check table privileges: %w", err)
+	}
+
 	for rows.Next() {
 		var privilege string
 		if err := rows.Scan(&privilege); err != nil {
-			return false, fmt.Errorf("failed to scan privilege: %w", err)
-		}
-
-		if writePrivileges[privilege] {
-			return false, nil
+			rows.Close()
+			return false, nil, fmt.Errorf("failed to scan privilege: %w", err)
 		}
+		tablePrivileges = append(tablePrivileges, privilege)
 	}
+	rows.Close()

 	if err := rows.Err(); err != nil {
-		return false, fmt.Errorf("error iterating privileges: %w", err)
+		return false, nil, fmt.Errorf("error iterating privileges: %w", err)
 	}

-	return true, nil
+	for _, privilege := range tablePrivileges {
+		if writePrivileges[privilege] {
+			privileges = append(privileges, privilege)
+		}
+	}
+
+	// LEVEL 4: Check for EXECUTE privilege on functions that are SECURITY DEFINER
+	var funcCount int
+	err = conn.QueryRow(ctx, `
+		SELECT COUNT(*)
+		FROM pg_proc p
+		JOIN pg_namespace n ON p.pronamespace = n.oid
+		WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
+		AND p.prosecdef = true
+		AND has_function_privilege(current_user, p.oid, 'EXECUTE')
+	`).Scan(&funcCount)
+	if err != nil {
+		return false, nil, fmt.Errorf("failed to check function privileges: %w", err)
+	}
+	if funcCount > 0 {
+		privileges = append(privileges, "EXECUTE (SECURITY DEFINER)")
+	}
+
+	isReadOnly := len(privileges) == 0
+	return isReadOnly, privileges, nil
 }

 // CreateReadOnlyUser creates a new PostgreSQL user with read-only privileges.
@@ -383,7 +422,7 @@ func (p *PostgresqlDatabase) CreateReadOnlyUser(
 			}
 		}

-		newPassword := uuid.New().String()
+		newPassword := encryption.GenerateComplexPassword()

 		tx, err := conn.Begin(ctx)
 		if err != nil {
@@ -631,13 +670,9 @@ func testSingleDatabaseConnection(
 	}
 	postgresDb.Version = detectedVersion

-	// Test if we can perform basic operations (like pg_dump would need)
-	if err := testBasicOperations(ctx, conn, *postgresDb.Database); err != nil {
-		return fmt.Errorf(
-			"basic operations test failed for database '%s': %w",
-			*postgresDb.Database,
-			err,
-		)
+	// Verify user has sufficient permissions for backup operations
+	if err := checkBackupPermissions(ctx, conn, postgresDb.IncludeSchemas); err != nil {
+		return err
 	}

 	return nil
@@ -670,18 +705,128 @@ func detectDatabaseVersion(ctx context.Context, conn *pgx.Conn) (tools.Postgresq
 	}
 }

-// testBasicOperations tests basic operations that backup tools need
-func testBasicOperations(ctx context.Context, conn *pgx.Conn, dbName string) error {
-	var hasCreatePriv bool
+// checkBackupPermissions verifies the user has sufficient privileges for pg_dump backup.
+// Required privileges: CONNECT on database, USAGE on schemas, SELECT on tables.
+// If includeSchemas is specified, only checks permissions on those schemas.
+func checkBackupPermissions(
+	ctx context.Context,
+	conn *pgx.Conn,
+	includeSchemas []string,
+) error {
+	var missingPrivileges []string

+	// Check CONNECT privilege on database
+	var hasConnect bool
 	err := conn.QueryRow(ctx, "SELECT has_database_privilege(current_user, current_database(), 'CONNECT')").
-		Scan(&hasCreatePriv)
+		Scan(&hasConnect)
 	if err != nil {
 		return fmt.Errorf("cannot check database privileges: %w", err)
 	}
+	if !hasConnect {
+		missingPrivileges = append(missingPrivileges, "CONNECT on database")
+	}

-	if !hasCreatePriv {
-		return fmt.Errorf("user does not have CONNECT privilege on database '%s'", dbName)
+	// Check USAGE privilege on at least one non-system schema
+	var schemaCount int
+	if len(includeSchemas) > 0 {
+		// Check only the specified schemas
+		err = conn.QueryRow(ctx, `
+			SELECT COUNT(*)
+			FROM pg_namespace n
+			WHERE has_schema_privilege(current_user, n.nspname, 'USAGE')
+			AND n.nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
+			AND n.nspname NOT LIKE 'pg_temp_%'
+			AND n.nspname NOT LIKE 'pg_toast_temp_%'
+			AND n.nspname = ANY($1::text[])
+		`, includeSchemas).Scan(&schemaCount)
+	} else {
+		// Check all non-system schemas
+		err = conn.QueryRow(ctx, `
+			SELECT COUNT(*)
+			FROM pg_namespace n
+			WHERE has_schema_privilege(current_user, n.nspname, 'USAGE')
+			AND n.nspname NOT IN ('pg_catalog', 'information_schema', 'pg_toast')
+			AND n.nspname NOT LIKE 'pg_temp_%'
+			AND n.nspname NOT LIKE 'pg_toast_temp_%'
+		`).Scan(&schemaCount)
+	}
+
+	if err != nil {
+		return fmt.Errorf("cannot check schema privileges: %w", err)
+	}
+	if schemaCount == 0 {
+		missingPrivileges = append(missingPrivileges, "USAGE on at least one schema")
+	}
+
+	// Check SELECT privilege on at least one table (if tables exist)
+	// Use pg_tables from pg_catalog which shows all tables regardless of user privileges
+	var tableCount int
+
+	if len(includeSchemas) > 0 {
+		// Check only tables in the specified schemas
+		err = conn.QueryRow(ctx, `
+			SELECT COUNT(*)
+			FROM pg_catalog.pg_tables t
+			WHERE t.schemaname NOT IN ('pg_catalog', 'information_schema')
+			AND t.schemaname NOT LIKE 'pg_temp_%'
+			AND t.schemaname NOT LIKE 'pg_toast_temp_%'
+			AND t.schemaname = ANY($1::text[])
+		`, includeSchemas).Scan(&tableCount)
+	} else {
+		// Check all tables in non-system schemas
+		err = conn.QueryRow(ctx, `
+			SELECT COUNT(*)
+			FROM pg_catalog.pg_tables t
+			WHERE t.schemaname NOT IN ('pg_catalog', 'information_schema')
+			AND t.schemaname NOT LIKE 'pg_temp_%'
+			AND t.schemaname NOT LIKE 'pg_toast_temp_%'
+		`).Scan(&tableCount)
+	}
+
+	if err != nil {
+		return fmt.Errorf("cannot check table count: %w", err)
+	}
+
+	if tableCount > 0 {
+		// Check if user has SELECT on at least one of these tables
+		var selectableTableCount int
+
+		if len(includeSchemas) > 0 {
+			// Check only tables in the specified schemas
+			err = conn.QueryRow(ctx, `
+				SELECT COUNT(*)
+				FROM pg_catalog.pg_tables t
+				WHERE t.schemaname NOT IN ('pg_catalog', 'information_schema')
+				AND t.schemaname NOT LIKE 'pg_temp_%'
+				AND t.schemaname NOT LIKE 'pg_toast_temp_%'
+				AND t.schemaname = ANY($1::text[])
+				AND has_table_privilege(current_user, quote_ident(t.schemaname) || '.' || quote_ident(t.tablename), 'SELECT')
+			`, includeSchemas).Scan(&selectableTableCount)
+		} else {
+			// Check all tables in non-system schemas
+			err = conn.QueryRow(ctx, `
+				SELECT COUNT(*)
+				FROM pg_catalog.pg_tables t
+				WHERE t.schemaname NOT IN ('pg_catalog', 'information_schema')
+				AND t.schemaname NOT LIKE 'pg_temp_%'
+				AND t.schemaname NOT LIKE 'pg_toast_temp_%'
+				AND has_table_privilege(current_user, quote_ident(t.schemaname) || '.' || quote_ident(t.tablename), 'SELECT')
+			`).Scan(&selectableTableCount)
+		}
+
+		if err != nil {
+			return fmt.Errorf("cannot check SELECT privileges: %w", err)
+		}
+		if selectableTableCount == 0 {
+			missingPrivileges = append(missingPrivileges, "SELECT on tables")
+		}
+	}
+
+	if len(missingPrivileges) > 0 {
+		return fmt.Errorf(
+			"insufficient permissions for backup. Missing: %s. Required: CONNECT on database, USAGE on schemas, SELECT on tables",
+			strings.Join(missingPrivileges, ", "),
+		)
 	}

 	return nil
@@ -695,16 +840,22 @@ func buildConnectionStringForDB(p *PostgresqlDatabase, dbName string, password s
 	}

 	return fmt.Sprintf(
-		"host=%s port=%d user=%s password=%s dbname=%s sslmode=%s default_query_exec_mode=simple_protocol standard_conforming_strings=on client_encoding=UTF8",
+		"host=%s port=%d user=%s password='%s' dbname=%s sslmode=%s default_query_exec_mode=simple_protocol standard_conforming_strings=on client_encoding=UTF8",
 		p.Host,
 		p.Port,
 		p.Username,
-		password,
+		escapeConnectionStringValue(password),
 		dbName,
 		sslMode,
 	)
 }

+func escapeConnectionStringValue(value string) string {
+	value = strings.ReplaceAll(value, `\`, `\\`)
+	value = strings.ReplaceAll(value, `'`, `\'`)
+	return value
+}
+
 func decryptPasswordIfNeeded(
 	password string,
 	encryptor encryption.FieldEncryptor,
--- a/backend/internal/features/databases/databases/postgresql/readonly_user_test.go
+++ b/backend/internal/features/databases/databases/postgresql/readonly_user_test.go
@@ -13,11 +13,236 @@ import (
 	"github.com/jmoiron/sqlx"
 	_ "github.com/lib/pq"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"

 	"databasus-backend/internal/config"
 	"databasus-backend/internal/util/tools"
 )

+func Test_TestConnection_PasswordContainingSpaces_TestedSuccessfully(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToPostgresContainer(t, env.TestPostgres16Port)
+	defer container.DB.Close()
+
+	passwordWithSpaces := "test password with spaces"
+	usernameWithSpaces := fmt.Sprintf("testuser_spaces_%s", uuid.New().String()[:8])
+
+	_, err := container.DB.Exec(`
+		DROP TABLE IF EXISTS password_test CASCADE;
+		CREATE TABLE password_test (
+			id SERIAL PRIMARY KEY,
+			data TEXT NOT NULL
+		);
+		INSERT INTO password_test (data) VALUES ('test1');
+	`)
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf(
+		`CREATE USER "%s" WITH PASSWORD '%s' LOGIN`,
+		usernameWithSpaces,
+		passwordWithSpaces,
+	))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf(
+		`GRANT CONNECT ON DATABASE "%s" TO "%s"`,
+		container.Database,
+		usernameWithSpaces,
+	))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf(
+		`GRANT USAGE ON SCHEMA public TO "%s"`,
+		usernameWithSpaces,
+	))
+	assert.NoError(t, err)
+
+	_, err = container.DB.Exec(fmt.Sprintf(
+		`GRANT SELECT ON ALL TABLES IN SCHEMA public TO "%s"`,
+		usernameWithSpaces,
+	))
+	assert.NoError(t, err)
+
+	defer func() {
+		_, _ = container.DB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, usernameWithSpaces))
+	}()
+
+	pgModel := &PostgresqlDatabase{
+		Version:  tools.GetPostgresqlVersionEnum("16"),
+		Host:     container.Host,
+		Port:     container.Port,
+		Username: usernameWithSpaces,
+		Password: passwordWithSpaces,
+		Database: &container.Database,
+		IsHttps:  false,
+		CpuCount: 1,
+	}
+
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+	err = pgModel.TestConnection(logger, nil, uuid.New())
+	assert.NoError(t, err)
+}
+
+func Test_TestConnection_InsufficientPermissions_ReturnsError(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version string
+		port    string
+	}{
+		{"PostgreSQL 12", "12", env.TestPostgres12Port},
+		{"PostgreSQL 13", "13", env.TestPostgres13Port},
+		{"PostgreSQL 14", "14", env.TestPostgres14Port},
+		{"PostgreSQL 15", "15", env.TestPostgres15Port},
+		{"PostgreSQL 16", "16", env.TestPostgres16Port},
+		{"PostgreSQL 17", "17", env.TestPostgres17Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToPostgresContainer(t, tc.port)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`
+				DROP TABLE IF EXISTS permission_test CASCADE;
+				CREATE TABLE permission_test (
+					id SERIAL PRIMARY KEY,
+					data TEXT NOT NULL
+				);
+				INSERT INTO permission_test (data) VALUES ('test1');
+			`)
+			assert.NoError(t, err)
+
+			limitedUsername := fmt.Sprintf("limited_user_%s", uuid.New().String()[:8])
+			limitedPassword := "limitedpassword123"
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				`CREATE USER "%s" WITH PASSWORD '%s' LOGIN`,
+				limitedUsername,
+				limitedPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				`GRANT CONNECT ON DATABASE "%s" TO "%s"`,
+				container.Database,
+				limitedUsername,
+			))
+			assert.NoError(t, err)
+
+			defer func() {
+				_, _ = container.DB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, limitedUsername))
+			}()
+
+			pgModel := &PostgresqlDatabase{
+				Version:  tools.GetPostgresqlVersionEnum(tc.version),
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: limitedUsername,
+				Password: limitedPassword,
+				Database: &container.Database,
+				IsHttps:  false,
+				CpuCount: 1,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = pgModel.TestConnection(logger, nil, uuid.New())
+			assert.Error(t, err)
+			if err != nil {
+				assert.Contains(t, err.Error(), "insufficient permissions")
+			}
+		})
+	}
+}
+
+func Test_TestConnection_SufficientPermissions_Success(t *testing.T) {
+	env := config.GetEnv()
+	cases := []struct {
+		name    string
+		version string
+		port    string
+	}{
+		{"PostgreSQL 12", "12", env.TestPostgres12Port},
+		{"PostgreSQL 13", "13", env.TestPostgres13Port},
+		{"PostgreSQL 14", "14", env.TestPostgres14Port},
+		{"PostgreSQL 15", "15", env.TestPostgres15Port},
+		{"PostgreSQL 16", "16", env.TestPostgres16Port},
+		{"PostgreSQL 17", "17", env.TestPostgres17Port},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			container := connectToPostgresContainer(t, tc.port)
+			defer container.DB.Close()
+
+			_, err := container.DB.Exec(`
+				DROP TABLE IF EXISTS backup_test CASCADE;
+				CREATE TABLE backup_test (
+					id SERIAL PRIMARY KEY,
+					data TEXT NOT NULL
+				);
+				INSERT INTO backup_test (data) VALUES ('test1');
+			`)
+			assert.NoError(t, err)
+
+			backupUsername := fmt.Sprintf("backup_user_%s", uuid.New().String()[:8])
+			backupPassword := "backuppassword123"
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				`CREATE USER "%s" WITH PASSWORD '%s' LOGIN`,
+				backupUsername,
+				backupPassword,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				`GRANT CONNECT ON DATABASE "%s" TO "%s"`,
+				container.Database,
+				backupUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				`GRANT USAGE ON SCHEMA public TO "%s"`,
+				backupUsername,
+			))
+			assert.NoError(t, err)
+
+			_, err = container.DB.Exec(fmt.Sprintf(
+				`GRANT SELECT ON ALL TABLES IN SCHEMA public TO "%s"`,
+				backupUsername,
+			))
+			assert.NoError(t, err)
+
+			defer func() {
+				_, _ = container.DB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, backupUsername))
+			}()
+
+			pgModel := &PostgresqlDatabase{
+				Version:  tools.GetPostgresqlVersionEnum(tc.version),
+				Host:     container.Host,
+				Port:     container.Port,
+				Username: backupUsername,
+				Password: backupPassword,
+				Database: &container.Database,
+				IsHttps:  false,
+				CpuCount: 1,
+			}
+
+			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+
+			err = pgModel.TestConnection(logger, nil, uuid.New())
+			assert.NoError(t, err)
+		})
+	}
+}
+
 func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
 	env := config.GetEnv()
 	cases := []struct {
@@ -44,13 +269,60 @@ func Test_IsUserReadOnly_AdminUser_ReturnsFalse(t *testing.T) {
 			logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
 			ctx := context.Background()

-			isReadOnly, err := pgModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			isReadOnly, privileges, err := pgModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
 			assert.NoError(t, err)
 			assert.False(t, isReadOnly, "Admin user should not be read-only")
+			assert.NotEmpty(t, privileges, "Admin user should have privileges")
 		})
 	}
 }

+func Test_IsUserReadOnly_ReadOnlyUser_ReturnsTrue(t *testing.T) {
+	env := config.GetEnv()
+	container := connectToPostgresContainer(t, env.TestPostgres16Port)
+	defer container.DB.Close()
+
+	_, err := container.DB.Exec(`
+		DROP TABLE IF EXISTS readonly_check_test CASCADE;
+		CREATE TABLE readonly_check_test (
+			id SERIAL PRIMARY KEY,
+			data TEXT NOT NULL
+		);
+		INSERT INTO readonly_check_test (data) VALUES ('test1');
+	`)
+	assert.NoError(t, err)
+
+	pgModel := createPostgresModel(container)
+	logger := slog.New(slog.NewTextHandler(os.Stdout, nil))
+	ctx := context.Background()
+
+	username, password, err := pgModel.CreateReadOnlyUser(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+
+	readOnlyModel := &PostgresqlDatabase{
+		Version:  pgModel.Version,
+		Host:     pgModel.Host,
+		Port:     pgModel.Port,
+		Username: username,
+		Password: password,
+		Database: pgModel.Database,
+		IsHttps:  false,
+		CpuCount: 1,
+	}
+
+	isReadOnly, privileges, err := readOnlyModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+	assert.NoError(t, err)
+	assert.True(t, isReadOnly, "Read-only user should be read-only")
+	assert.Empty(t, privileges, "Read-only user should have no write privileges")
+
+	_, err = container.DB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
+	if err != nil {
+		t.Logf("Warning: Failed to drop owned objects: %v", err)
+	}
+	_, err = container.DB.Exec(fmt.Sprintf(`DROP USER IF EXISTS "%s"`, username))
+	assert.NoError(t, err)
+}
+
 func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
 	env := config.GetEnv()
 	cases := []struct {
@@ -105,9 +377,15 @@ func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
 				IsHttps:  false,
 			}

-			isReadOnly, err := readOnlyModel.IsUserReadOnly(ctx, logger, nil, uuid.New())
+			isReadOnly, privileges, err := readOnlyModel.IsUserReadOnly(
+				ctx,
+				logger,
+				nil,
+				uuid.New(),
+			)
 			assert.NoError(t, err)
 			assert.True(t, isReadOnly, "Created user should be read-only")
+			assert.Empty(t, privileges, "Read-only user should have no write privileges")

 			readOnlyDSN := fmt.Sprintf(
 				"host=%s port=%d user=%s password=%s dbname=%s sslmode=disable",
@@ -142,7 +420,6 @@ func Test_CreateReadOnlyUser_UserCanReadButNotWrite(t *testing.T) {
 			assert.Error(t, err)
 			assert.Contains(t, err.Error(), "permission denied")

-			// Clean up: Drop user with CASCADE to handle default privilege dependencies
 			_, err = container.DB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
 			if err != nil {
 				t.Logf("Warning: Failed to drop owned objects: %v", err)
@@ -186,7 +463,6 @@ func Test_ReadOnlyUser_FutureTables_HaveSelectPermission(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "future_data", data)

-	// Clean up: Drop user with CASCADE to handle default privilege dependencies
 	_, err = container.DB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
 	if err != nil {
 		t.Logf("Warning: Failed to drop owned objects: %v", err)
@@ -202,8 +478,10 @@ func Test_ReadOnlyUser_MultipleSchemas_AllAccessible(t *testing.T) {
 	defer container.DB.Close()

 	_, err := container.DB.Exec(`
-		CREATE SCHEMA IF NOT EXISTS schema_a;
-		CREATE SCHEMA IF NOT EXISTS schema_b;
+		DROP SCHEMA IF EXISTS schema_a CASCADE;
+		DROP SCHEMA IF EXISTS schema_b CASCADE;
+		CREATE SCHEMA schema_a;
+		CREATE SCHEMA schema_b;
 		CREATE TABLE schema_a.table_a (id INT, data TEXT);
 		CREATE TABLE schema_b.table_b (id INT, data TEXT);
 		INSERT INTO schema_a.table_a VALUES (1, 'data_a');
@@ -234,7 +512,6 @@ func Test_ReadOnlyUser_MultipleSchemas_AllAccessible(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "data_b", dataB)

-	// Clean up: Drop user with CASCADE to handle default privilege dependencies
 	_, err = container.DB.Exec(fmt.Sprintf(`DROP OWNED BY "%s" CASCADE`, username))
 	if err != nil {
 		t.Logf("Warning: Failed to drop owned objects: %v", err)
@@ -341,7 +618,7 @@ func Test_CreateReadOnlyUser_Supabase_UserCanReadButNotWrite(t *testing.T) {
 	)

 	adminDB, err := sqlx.Connect("postgres", dsn)
-	assert.NoError(t, err)
+	require.NoError(t, err)
 	defer adminDB.Close()

 	tableName := fmt.Sprintf(
@@ -483,6 +760,7 @@ func createPostgresModel(container *PostgresContainer) *PostgresqlDatabase {
 		Password: container.Password,
 		Database: &container.Database,
 		IsHttps:  false,
+		CpuCount: 1,
 	}
 }

--- a/backend/internal/features/databases/di.go
+++ b/backend/internal/features/databases/di.go
@@ -39,4 +39,5 @@ func GetDatabaseController() *DatabaseController {

 func SetupDependencies() {
 	workspaces_services.GetWorkspaceService().AddWorkspaceDeletionListener(databaseService)
+	notifiers.GetNotifierService().SetNotifierDatabaseCounter(databaseService)
 }
--- a/backend/internal/features/databases/dto.go
+++ b/backend/internal/features/databases/dto.go
@@ -6,5 +6,6 @@ type CreateReadOnlyUserResponse struct {
 }

 type IsReadOnlyResponse struct {
-	IsReadOnly bool `json:"isReadOnly"`
+	IsReadOnly bool     `json:"isReadOnly"`
+	Privileges []string `json:"privileges"`
 }
--- a/backend/internal/features/databases/model.go
+++ b/backend/internal/features/databases/model.go
@@ -104,21 +104,21 @@ func (d *Database) EncryptSensitiveFields(encryptor encryption.FieldEncryptor) e
 	return nil
 }

-func (d *Database) PopulateVersionIfEmpty(
+func (d *Database) PopulateDbData(
 	logger *slog.Logger,
 	encryptor encryption.FieldEncryptor,
 ) error {
 	if d.Postgresql != nil {
-		return d.Postgresql.PopulateVersionIfEmpty(logger, encryptor, d.ID)
+		return d.Postgresql.PopulateDbData(logger, encryptor, d.ID)
 	}
 	if d.Mysql != nil {
-		return d.Mysql.PopulateVersionIfEmpty(logger, encryptor, d.ID)
+		return d.Mysql.PopulateDbData(logger, encryptor, d.ID)
 	}
 	if d.Mariadb != nil {
-		return d.Mariadb.PopulateVersionIfEmpty(logger, encryptor, d.ID)
+		return d.Mariadb.PopulateDbData(logger, encryptor, d.ID)
 	}
 	if d.Mongodb != nil {
-		return d.Mongodb.PopulateVersionIfEmpty(logger, encryptor, d.ID)
+		return d.Mongodb.PopulateDbData(logger, encryptor, d.ID)
 	}
 	return nil
 }
--- a/backend/internal/features/databases/repository.go
+++ b/backend/internal/features/databases/repository.go
@@ -243,3 +243,19 @@ func (r *DatabaseRepository) GetAllDatabases() ([]*Database, error) {

 	return databases, nil
 }
+
+func (r *DatabaseRepository) GetDatabasesIDsByNotifierID(
+	notifierID uuid.UUID,
+) ([]uuid.UUID, error) {
+	var databasesIDs []uuid.UUID
+
+	if err := storage.
+		GetDb().
+		Table("database_notifiers").
+		Where("notifier_id = ?", notifierID).
+		Pluck("database_id", &databasesIDs).Error; err != nil {
+		return nil, err
+	}
+
+	return databasesIDs, nil
+}
--- a/backend/internal/features/databases/service.go
+++ b/backend/internal/features/databases/service.go
@@ -52,6 +52,17 @@ func (s *DatabaseService) AddDbCopyListener(
 	s.dbCopyListener = append(s.dbCopyListener, dbCopyListener)
 }

+func (s *DatabaseService) GetNotifierAttachedDatabasesIDs(
+	notifierID uuid.UUID,
+) ([]uuid.UUID, error) {
+	databasesIDs, err := s.dbRepository.GetDatabasesIDsByNotifierID(notifierID)
+	if err != nil {
+		return nil, err
+	}
+
+	return databasesIDs, nil
+}
+
 func (s *DatabaseService) CreateDatabase(
 	user *users_models.User,
 	workspaceID uuid.UUID,
@@ -71,8 +82,8 @@ func (s *DatabaseService) CreateDatabase(
 		return nil, err
 	}

-	if err := database.PopulateVersionIfEmpty(s.logger, s.fieldEncryptor); err != nil {
-		return nil, fmt.Errorf("failed to auto-detect database version: %w", err)
+	if err := database.PopulateDbData(s.logger, s.fieldEncryptor); err != nil {
+		return nil, fmt.Errorf("failed to auto-detect database data: %w", err)
 	}

 	if err := database.EncryptSensitiveFields(s.fieldEncryptor); err != nil {
@@ -126,14 +137,20 @@ func (s *DatabaseService) UpdateDatabase(
 		return err
 	}

+	for _, notifier := range database.Notifiers {
+		if notifier.WorkspaceID != *existingDatabase.WorkspaceID {
+			return errors.New("notifier does not belong to this workspace")
+		}
+	}
+
 	existingDatabase.Update(database)

 	if err := existingDatabase.Validate(); err != nil {
 		return err
 	}

-	if err := existingDatabase.PopulateVersionIfEmpty(s.logger, s.fieldEncryptor); err != nil {
-		return fmt.Errorf("failed to auto-detect database version: %w", err)
+	if err := existingDatabase.PopulateDbData(s.logger, s.fieldEncryptor); err != nil {
+		return fmt.Errorf("failed to auto-detect database data: %w", err)
 	}

 	if err := existingDatabase.EncryptSensitiveFields(s.fieldEncryptor); err != nil {
@@ -251,6 +268,23 @@ func (s *DatabaseService) IsNotifierUsing(
 	return s.dbRepository.IsNotifierUsing(notifierID)
 }

+func (s *DatabaseService) CountDatabasesByNotifier(
+	user *users_models.User,
+	notifierID uuid.UUID,
+) (int, error) {
+	_, err := s.notifierService.GetNotifier(user, notifierID)
+	if err != nil {
+		return 0, err
+	}
+
+	databaseIDs, err := s.dbRepository.GetDatabasesIDsByNotifierID(notifierID)
+	if err != nil {
+		return 0, err
+	}
+
+	return len(databaseIDs), nil
+}
+
 func (s *DatabaseService) TestDatabaseConnection(
 	user *users_models.User,
 	databaseID uuid.UUID,
@@ -481,6 +515,48 @@ func (s *DatabaseService) CopyDatabase(
 	return copiedDatabase, nil
 }

+func (s *DatabaseService) TransferDatabaseToWorkspace(
+	databaseID uuid.UUID,
+	targetWorkspaceID uuid.UUID,
+) error {
+	database, err := s.dbRepository.FindByID(databaseID)
+	if err != nil {
+		return err
+	}
+
+	sourceWorkspaceID := database.WorkspaceID
+	database.WorkspaceID = &targetWorkspaceID
+
+	_, err = s.dbRepository.Save(database)
+	if err != nil {
+		return err
+	}
+
+	s.auditLogService.WriteAuditLog(
+		fmt.Sprintf("Database transferred: %s from workspace %s to workspace %s",
+			database.Name, sourceWorkspaceID, targetWorkspaceID),
+		nil,
+		&targetWorkspaceID,
+	)
+
+	return nil
+}
+
+func (s *DatabaseService) UpdateDatabaseNotifiers(
+	databaseID uuid.UUID,
+	newNotifiers []notifiers.Notifier,
+) error {
+	database, err := s.dbRepository.FindByID(databaseID)
+	if err != nil {
+		return err
+	}
+
+	database.Notifiers = newNotifiers
+
+	_, err = s.dbRepository.Save(database)
+	return err
+}
+
 func (s *DatabaseService) SetHealthStatus(
 	databaseID uuid.UUID,
 	healthStatus *HealthStatus,
@@ -518,17 +594,17 @@ func (s *DatabaseService) OnBeforeWorkspaceDeletion(workspaceID uuid.UUID) error
 func (s *DatabaseService) IsUserReadOnly(
 	user *users_models.User,
 	database *Database,
-) (bool, error) {
+) (bool, []string, error) {
 	var usingDatabase *Database

 	if database.ID != uuid.Nil {
 		existingDatabase, err := s.dbRepository.FindByID(database.ID)
 		if err != nil {
-			return false, err
+			return false, nil, err
 		}

 		if existingDatabase.WorkspaceID == nil {
-			return false, errors.New("cannot check user for database without workspace")
+			return false, nil, errors.New("cannot check user for database without workspace")
 		}

 		canAccess, _, err := s.workspaceService.CanUserAccessWorkspace(
@@ -536,31 +612,34 @@ func (s *DatabaseService) IsUserReadOnly(
 			user,
 		)
 		if err != nil {
-			return false, err
+			return false, nil, err
 		}
 		if !canAccess {
-			return false, errors.New("insufficient permissions to access this database")
+			return false, nil, errors.New("insufficient permissions to access this database")
 		}

 		if database.WorkspaceID != nil && *existingDatabase.WorkspaceID != *database.WorkspaceID {
-			return false, errors.New("database does not belong to this workspace")
+			return false, nil, errors.New("database does not belong to this workspace")
 		}

 		existingDatabase.Update(database)

 		if err := existingDatabase.Validate(); err != nil {
-			return false, err
+			return false, nil, err
 		}

 		usingDatabase = existingDatabase
 	} else {
 		if database.WorkspaceID != nil {
-			canAccess, _, err := s.workspaceService.CanUserAccessWorkspace(*database.WorkspaceID, user)
+			canAccess, _, err := s.workspaceService.CanUserAccessWorkspace(
+				*database.WorkspaceID,
+				user,
+			)
 			if err != nil {
-				return false, err
+				return false, nil, err
 			}
 			if !canAccess {
-				return false, errors.New("insufficient permissions to access this workspace")
+				return false, nil, errors.New("insufficient permissions to access this workspace")
 			}
 		}

@@ -600,7 +679,7 @@ func (s *DatabaseService) IsUserReadOnly(
 			usingDatabase.ID,
 		)
 	default:
-		return false, errors.New("read-only check not supported for this database type")
+		return false, nil, errors.New("read-only check not supported for this database type")
 	}
 }

--- a/backend/internal/features/databases/testing.go
+++ b/backend/internal/features/databases/testing.go
@@ -1,6 +1,12 @@
 package databases

 import (
+	"fmt"
+	"strconv"
+
+	"databasus-backend/internal/config"
+	"databasus-backend/internal/features/databases/databases/mariadb"
+	"databasus-backend/internal/features/databases/databases/mongodb"
 	"databasus-backend/internal/features/databases/databases/postgresql"
 	"databasus-backend/internal/features/notifiers"
 	"databasus-backend/internal/features/storages"
@@ -9,6 +15,71 @@ import (
 	"github.com/google/uuid"
 )

+func GetTestPostgresConfig() *postgresql.PostgresqlDatabase {
+	env := config.GetEnv()
+	port, err := strconv.Atoi(env.TestPostgres16Port)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_POSTGRES_16_PORT: %v", err))
+	}
+
+	testDbName := "testdb"
+	return &postgresql.PostgresqlDatabase{
+		Version:  tools.PostgresqlVersion16,
+		Host:     "localhost",
+		Port:     port,
+		Username: "testuser",
+		Password: "testpassword",
+		Database: &testDbName,
+		CpuCount: 1,
+	}
+}
+
+func GetTestMariadbConfig() *mariadb.MariadbDatabase {
+	env := config.GetEnv()
+	portStr := env.TestMariadb1011Port
+	if portStr == "" {
+		portStr = "33111"
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_MARIADB_1011_PORT: %v", err))
+	}
+
+	testDbName := "testdb"
+	return &mariadb.MariadbDatabase{
+		Version:  tools.MariadbVersion1011,
+		Host:     "localhost",
+		Port:     port,
+		Username: "testuser",
+		Password: "testpassword",
+		Database: &testDbName,
+	}
+}
+
+func GetTestMongodbConfig() *mongodb.MongodbDatabase {
+	env := config.GetEnv()
+	portStr := env.TestMongodb70Port
+	if portStr == "" {
+		portStr = "27070"
+	}
+	port, err := strconv.Atoi(portStr)
+	if err != nil {
+		panic(fmt.Sprintf("Failed to parse TEST_MONGODB_70_PORT: %v", err))
+	}
+
+	return &mongodb.MongodbDatabase{
+		Version:      tools.MongodbVersion7,
+		Host:         "localhost",
+		Port:         port,
+		Username:     "root",
+		Password:     "rootpassword",
+		Database:     "testdb",
+		AuthDatabase: "admin",
+		IsHttps:      false,
+		CpuCount:     1,
+	}
+}
+
 func CreateTestDatabase(
 	workspaceID uuid.UUID,
 	storage *storages.Storage,
@@ -18,16 +89,7 @@ func CreateTestDatabase(
 		WorkspaceID: &workspaceID,
 		Name:        "test " + uuid.New().String(),
 		Type:        DatabaseTypePostgres,
-
-		Postgresql: &postgresql.PostgresqlDatabase{
-			Version:  tools.PostgresqlVersion16,
-			Host:     "localhost",
-			Port:     5432,
-			Username: "postgres",
-			Password: "postgres",
-			CpuCount: 1,
-		},
-
+		Postgresql:  GetTestPostgresConfig(),
 		Notifiers: []notifiers.Notifier{
 			*notifier,
 		},
--- a/backend/internal/features/disk/service.go
+++ b/backend/internal/features/disk/service.go
@@ -1,7 +1,9 @@
 package disk

 import (
+	"databasus-backend/internal/config"
 	"fmt"
+	"path/filepath"
 	"runtime"

 	"github.com/shirou/gopsutil/v4/disk"
@@ -12,10 +14,14 @@ type DiskService struct{}
 func (s *DiskService) GetDiskUsage() (*DiskUsage, error) {
 	platform := s.detectPlatform()

-	// Set path based on platform
-	path := "/"
+	var path string
+
 	if platform == PlatformWindows {
 		path = "C:\\"
+	} else {
+		// Use databasus-data folder location for Linux (Docker)
+		cfg := config.GetEnv()
+		path = filepath.Dir(cfg.DataFolder) // Gets /databasus-data from /databasus-data/backups
 	}

 	diskUsage, err := disk.Usage(path)
--- a/backend/internal/features/healthcheck/attempt/background_service.go
+++ b/backend/internal/features/healthcheck/attempt/background_service.go
@@ -1,7 +1,7 @@
 package healthcheck_attempt

 import (
-	"databasus-backend/internal/config"
+	"context"
 	healthcheck_config "databasus-backend/internal/features/healthcheck/config"
 	"log/slog"
 	"time"
@@ -13,18 +13,19 @@ type HealthcheckAttemptBackgroundService struct {
 	logger                     *slog.Logger
 }

-func (s *HealthcheckAttemptBackgroundService) Run() {
+func (s *HealthcheckAttemptBackgroundService) Run(ctx context.Context) {
 	// first healthcheck immediately
 	s.checkDatabases()

 	ticker := time.NewTicker(time.Minute)
 	defer ticker.Stop()
-	for range ticker.C {
-		if config.IsShouldShutdown() {
-			break
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			s.checkDatabases()
 		}
-
-		s.checkDatabases()
 	}
 }

--- a/backend/internal/features/healthcheck/attempt/controller_test.go
+++ b/backend/internal/features/healthcheck/attempt/controller_test.go
@@ -12,13 +12,11 @@ import (
 	"github.com/stretchr/testify/assert"

 	"databasus-backend/internal/features/databases"
-	"databasus-backend/internal/features/databases/databases/postgresql"
 	users_enums "databasus-backend/internal/features/users/enums"
 	users_testing "databasus-backend/internal/features/users/testing"
 	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	test_utils "databasus-backend/internal/util/testing"
-	"databasus-backend/internal/util/tools"
 )

 func createTestRouter() *gin.Engine {
@@ -111,7 +109,13 @@ func Test_GetAttemptsByDatabase_PermissionsEnforced(t *testing.T) {
 				testUserToken = owner.Token
 			} else if tt.workspaceRole != nil {
 				member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-				workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+				workspaces_testing.AddMemberToWorkspace(
+					workspace,
+					member,
+					*tt.workspaceRole,
+					owner.Token,
+					router,
+				)
 				testUserToken = member.Token
 			} else {
 				nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
@@ -205,20 +209,11 @@ func createTestDatabaseViaAPI(
 	token string,
 	router *gin.Engine,
 ) *databases.Database {
-	testDbName := "test_db"
 	request := databases.Database{
 		WorkspaceID: &workspaceID,
 		Name:        name,
 		Type:        databases.DatabaseTypePostgres,
-		Postgresql: &postgresql.PostgresqlDatabase{
-			Version:  tools.PostgresqlVersion16,
-			Host:     "localhost",
-			Port:     5432,
-			Username: "postgres",
-			Password: "postgres",
-			Database: &testDbName,
-			CpuCount: 1,
-		},
+		Postgresql:  databases.GetTestPostgresConfig(),
 	}

 	w := workspaces_testing.MakeAPIRequest(
--- a/backend/internal/features/healthcheck/config/controller_test.go
+++ b/backend/internal/features/healthcheck/config/controller_test.go
@@ -10,13 +10,11 @@ import (
 	"github.com/stretchr/testify/assert"

 	"databasus-backend/internal/features/databases"
-	"databasus-backend/internal/features/databases/databases/postgresql"
 	users_enums "databasus-backend/internal/features/users/enums"
 	users_testing "databasus-backend/internal/features/users/testing"
 	workspaces_controllers "databasus-backend/internal/features/workspaces/controllers"
 	workspaces_testing "databasus-backend/internal/features/workspaces/testing"
 	test_utils "databasus-backend/internal/util/testing"
-	"databasus-backend/internal/util/tools"
 )

 func createTestRouter() *gin.Engine {
@@ -90,7 +88,13 @@ func Test_SaveHealthcheckConfig_PermissionsEnforced(t *testing.T) {
 				testUserToken = owner.Token
 			} else if tt.workspaceRole != nil {
 				member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-				workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+				workspaces_testing.AddMemberToWorkspace(
+					workspace,
+					member,
+					*tt.workspaceRole,
+					owner.Token,
+					router,
+				)
 				testUserToken = member.Token
 			}

@@ -228,7 +232,13 @@ func Test_GetHealthcheckConfig_PermissionsEnforced(t *testing.T) {
 				testUserToken = owner.Token
 			} else if tt.workspaceRole != nil {
 				member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-				workspaces_testing.AddMemberToWorkspace(workspace, member, *tt.workspaceRole, owner.Token, router)
+				workspaces_testing.AddMemberToWorkspace(
+					workspace,
+					member,
+					*tt.workspaceRole,
+					owner.Token,
+					router,
+				)
 				testUserToken = member.Token
 			} else {
 				nonMember := users_testing.CreateTestUser(users_enums.UserRoleMember)
@@ -293,20 +303,11 @@ func createTestDatabaseViaAPI(
 	token string,
 	router *gin.Engine,
 ) *databases.Database {
-	testDbName := "test_db"
 	request := databases.Database{
 		WorkspaceID: &workspaceID,
 		Name:        name,
 		Type:        databases.DatabaseTypePostgres,
-		Postgresql: &postgresql.PostgresqlDatabase{
-			Version:  tools.PostgresqlVersion16,
-			Host:     "localhost",
-			Port:     5432,
-			Username: "postgres",
-			Password: "postgres",
-			Database: &testDbName,
-			CpuCount: 1,
-		},
+		Postgresql:  databases.GetTestPostgresConfig(),
 	}

 	w := workspaces_testing.MakeAPIRequest(
--- a/backend/internal/features/notifiers/controller.go
+++ b/backend/internal/features/notifiers/controller.go
@@ -1,6 +1,8 @@
 package notifiers

 import (
+	"errors"
+
 	users_middleware "databasus-backend/internal/features/users/middleware"
 	workspaces_services "databasus-backend/internal/features/workspaces/services"
 	"net/http"
@@ -20,6 +22,7 @@ func (c *NotifierController) RegisterRoutes(router *gin.RouterGroup) {
 	router.GET("/notifiers/:id", c.GetNotifier)
 	router.DELETE("/notifiers/:id", c.DeleteNotifier)
 	router.POST("/notifiers/:id/test", c.SendTestNotification)
+	router.POST("/notifiers/:id/transfer", c.TransferNotifierToWorkspace)
 	router.POST("/notifiers/direct-test", c.SendTestNotificationDirect)
 }

@@ -55,7 +58,7 @@ func (c *NotifierController) SaveNotifier(ctx *gin.Context) {
 	}

 	if err := c.notifierService.SaveNotifier(user, request.WorkspaceID, &request); err != nil {
-		if err.Error() == "insufficient permissions to manage notifier in this workspace" {
+		if errors.Is(err, ErrInsufficientPermissionsToManageNotifier) {
 			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
 			return
 		}
@@ -93,7 +96,7 @@ func (c *NotifierController) GetNotifier(ctx *gin.Context) {

 	notifier, err := c.notifierService.GetNotifier(user, id)
 	if err != nil {
-		if err.Error() == "insufficient permissions to view notifier in this workspace" {
+		if errors.Is(err, ErrInsufficientPermissionsToViewNotifier) {
 			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
 			return
 		}
@@ -137,7 +140,7 @@ func (c *NotifierController) GetNotifiers(ctx *gin.Context) {

 	notifiers, err := c.notifierService.GetNotifiers(user, workspaceID)
 	if err != nil {
-		if err.Error() == "insufficient permissions to view notifiers in this workspace" {
+		if errors.Is(err, ErrInsufficientPermissionsToViewNotifiers) {
 			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
 			return
 		}
@@ -174,7 +177,7 @@ func (c *NotifierController) DeleteNotifier(ctx *gin.Context) {
 	}

 	if err := c.notifierService.DeleteNotifier(user, id); err != nil {
-		if err.Error() == "insufficient permissions to manage notifier in this workspace" {
+		if errors.Is(err, ErrInsufficientPermissionsToManageNotifier) {
 			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
 			return
 		}
@@ -211,7 +214,7 @@ func (c *NotifierController) SendTestNotification(ctx *gin.Context) {
 	}

 	if err := c.notifierService.SendTestNotification(user, id); err != nil {
-		if err.Error() == "insufficient permissions to test notifier in this workspace" {
+		if errors.Is(err, ErrInsufficientPermissionsToTestNotifier) {
 			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
 			return
 		}
@@ -222,6 +225,62 @@ func (c *NotifierController) SendTestNotification(ctx *gin.Context) {
 	ctx.JSON(http.StatusOK, gin.H{"message": "test notification sent successfully"})
 }

+// TransferNotifierToWorkspace
+// @Summary Transfer notifier to another workspace
+// @Description Transfer a notifier from one workspace to another
+// @Tags notifiers
+// @Accept json
+// @Produce json
+// @Param Authorization header string true "JWT token"
+// @Param id path string true "Notifier ID"
+// @Param request body TransferNotifierRequest true "Target workspace ID"
+// @Success 200
+// @Failure 400
+// @Failure 401
+// @Failure 403
+// @Router /notifiers/{id}/transfer [post]
+func (c *NotifierController) TransferNotifierToWorkspace(ctx *gin.Context) {
+	user, ok := users_middleware.GetUserFromContext(ctx)
+	if !ok {
+		ctx.JSON(http.StatusUnauthorized, gin.H{"error": "User not authenticated"})
+		return
+	}
+
+	id, err := uuid.Parse(ctx.Param("id"))
+	if err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "invalid notifier ID"})
+		return
+	}
+
+	var request TransferNotifierRequest
+	if err := ctx.ShouldBindJSON(&request); err != nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	if request.TargetWorkspaceID == uuid.Nil {
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": "targetWorkspaceId is required"})
+		return
+	}
+
+	if err := c.notifierService.TransferNotifierToWorkspace(
+		user,
+		id,
+		request.TargetWorkspaceID,
+		nil,
+	); err != nil {
+		if errors.Is(err, ErrInsufficientPermissionsInSourceWorkspace) ||
+			errors.Is(err, ErrInsufficientPermissionsInTargetWorkspace) {
+			ctx.JSON(http.StatusForbidden, gin.H{"error": err.Error()})
+			return
+		}
+		ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
+		return
+	}
+
+	ctx.JSON(http.StatusOK, gin.H{"message": "notifier transferred successfully"})
+}
+
 // SendTestNotificationDirect
 // @Summary Send test notification directly
 // @Description Send a test notification using a notifier object provided in the request
--- a/backend/internal/features/notifiers/controller_test.go
+++ b/backend/internal/features/notifiers/controller_test.go
@@ -202,164 +202,161 @@ func Test_SendTestNotificationExisting_NotificationSent(t *testing.T) {
 	workspaces_testing.RemoveTestWorkspace(workspace, router)
 }

-func Test_ViewerCanViewNotifiers_ButCannotModify(t *testing.T) {
-	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	viewer := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	router := createRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
-	workspaces_testing.AddMemberToWorkspace(
-		workspace,
-		viewer,
-		users_enums.WorkspaceRoleViewer,
-		owner.Token,
-		router,
-	)
+func Test_WorkspaceRolePermissions_Notifiers(t *testing.T) {
+	tests := []struct {
+		name          string
+		workspaceRole *users_enums.WorkspaceRole
+		isGlobalAdmin bool
+		canCreate     bool
+		canUpdate     bool
+		canDelete     bool
+	}{
+		{
+			name:          "owner can manage notifiers",
+			workspaceRole: func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleOwner; return &r }(),
+			isGlobalAdmin: false,
+			canCreate:     true,
+			canUpdate:     true,
+			canDelete:     true,
+		},
+		{
+			name:          "admin can manage notifiers",
+			workspaceRole: func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleAdmin; return &r }(),
+			isGlobalAdmin: false,
+			canCreate:     true,
+			canUpdate:     true,
+			canDelete:     true,
+		},
+		{
+			name:          "member can manage notifiers",
+			workspaceRole: func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleMember; return &r }(),
+			isGlobalAdmin: false,
+			canCreate:     true,
+			canUpdate:     true,
+			canDelete:     true,
+		},
+		{
+			name:          "viewer can view but cannot modify notifiers",
+			workspaceRole: func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleViewer; return &r }(),
+			isGlobalAdmin: false,
+			canCreate:     false,
+			canUpdate:     false,
+			canDelete:     false,
+		},
+		{
+			name:          "global admin can manage notifiers",
+			workspaceRole: nil,
+			isGlobalAdmin: true,
+			canCreate:     true,
+			canUpdate:     true,
+			canDelete:     true,
+		},
+	}

-	notifier := createNewNotifier(workspace.ID)
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			router := createRouter()
+			GetNotifierService().SetNotifierDatabaseCounter(&mockNotifierDatabaseCounter{})

-	var savedNotifier Notifier
-	test_utils.MakePostRequestAndUnmarshal(
-		t,
-		router,
-		"/api/v1/notifiers",
-		"Bearer "+owner.Token,
-		*notifier,
-		http.StatusOK,
-		&savedNotifier,
-	)
+			owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+			workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)

-	// Viewer can GET notifiers
-	var notifiers []Notifier
-	test_utils.MakeGetRequestAndUnmarshal(
-		t,
-		router,
-		fmt.Sprintf("/api/v1/notifiers?workspace_id=%s", workspace.ID.String()),
-		"Bearer "+viewer.Token,
-		http.StatusOK,
-		&notifiers,
-	)
-	assert.Len(t, notifiers, 1)
+			var testUserToken string
+			if tt.isGlobalAdmin {
+				admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+				testUserToken = admin.Token
+			} else if tt.workspaceRole != nil && *tt.workspaceRole == users_enums.WorkspaceRoleOwner {
+				testUserToken = owner.Token
+			} else if tt.workspaceRole != nil {
+				testUser := users_testing.CreateTestUser(users_enums.UserRoleMember)
+				workspaces_testing.AddMemberToWorkspace(
+					workspace,
+					testUser,
+					*tt.workspaceRole,
+					owner.Token,
+					router,
+				)
+				testUserToken = testUser.Token
+			}

-	// Viewer cannot CREATE notifier
-	newNotifier := createNewNotifier(workspace.ID)
-	test_utils.MakePostRequest(
-		t, router, "/api/v1/notifiers", "Bearer "+viewer.Token, *newNotifier, http.StatusForbidden,
-	)
+			// Owner creates initial notifier for all test cases
+			var ownerNotifier Notifier
+			notifier := createNewNotifier(workspace.ID)
+			test_utils.MakePostRequestAndUnmarshal(
+				t, router, "/api/v1/notifiers", "Bearer "+owner.Token,
+				*notifier, http.StatusOK, &ownerNotifier,
+			)

-	// Viewer cannot UPDATE notifier
-	savedNotifier.Name = "Updated by viewer"
-	test_utils.MakePostRequest(
-		t, router, "/api/v1/notifiers", "Bearer "+viewer.Token, savedNotifier, http.StatusForbidden,
-	)
+			// Test GET notifiers
+			var notifiers []Notifier
+			test_utils.MakeGetRequestAndUnmarshal(
+				t, router,
+				fmt.Sprintf("/api/v1/notifiers?workspace_id=%s", workspace.ID.String()),
+				"Bearer "+testUserToken, http.StatusOK, &notifiers,
+			)
+			assert.Len(t, notifiers, 1)

-	// Viewer cannot DELETE notifier
-	test_utils.MakeDeleteRequest(
-		t,
-		router,
-		fmt.Sprintf("/api/v1/notifiers/%s", savedNotifier.ID.String()),
-		"Bearer "+viewer.Token,
-		http.StatusForbidden,
-	)
+			// Test CREATE notifier
+			createStatusCode := http.StatusOK
+			if !tt.canCreate {
+				createStatusCode = http.StatusForbidden
+			}
+			newNotifier := createNewNotifier(workspace.ID)
+			var savedNotifier Notifier
+			if tt.canCreate {
+				test_utils.MakePostRequestAndUnmarshal(
+					t, router, "/api/v1/notifiers", "Bearer "+testUserToken,
+					*newNotifier, createStatusCode, &savedNotifier,
+				)
+				assert.NotEmpty(t, savedNotifier.ID)
+			} else {
+				test_utils.MakePostRequest(
+					t, router, "/api/v1/notifiers", "Bearer "+testUserToken,
+					*newNotifier, createStatusCode,
+				)
+			}

-	deleteNotifier(t, router, savedNotifier.ID, workspace.ID, owner.Token)
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
+			// Test UPDATE notifier
+			updateStatusCode := http.StatusOK
+			if !tt.canUpdate {
+				updateStatusCode = http.StatusForbidden
+			}
+			ownerNotifier.Name = "Updated by test user"
+			if tt.canUpdate {
+				var updatedNotifier Notifier
+				test_utils.MakePostRequestAndUnmarshal(
+					t, router, "/api/v1/notifiers", "Bearer "+testUserToken,
+					ownerNotifier, updateStatusCode, &updatedNotifier,
+				)
+				assert.Equal(t, "Updated by test user", updatedNotifier.Name)
+			} else {
+				test_utils.MakePostRequest(
+					t, router, "/api/v1/notifiers", "Bearer "+testUserToken,
+					ownerNotifier, updateStatusCode,
+				)
+			}

-func Test_MemberCanManageNotifiers(t *testing.T) {
-	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	member := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	router := createRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
-	workspaces_testing.AddMemberToWorkspace(
-		workspace,
-		member,
-		users_enums.WorkspaceRoleMember,
-		owner.Token,
-		router,
-	)
+			// Test DELETE notifier
+			deleteStatusCode := http.StatusOK
+			if !tt.canDelete {
+				deleteStatusCode = http.StatusForbidden
+			}
+			test_utils.MakeDeleteRequest(
+				t, router,
+				fmt.Sprintf("/api/v1/notifiers/%s", ownerNotifier.ID.String()),
+				"Bearer "+testUserToken, deleteStatusCode,
+			)

-	notifier := createNewNotifier(workspace.ID)
-
-	// Member can CREATE notifier
-	var savedNotifier Notifier
-	test_utils.MakePostRequestAndUnmarshal(
-		t,
-		router,
-		"/api/v1/notifiers",
-		"Bearer "+member.Token,
-		*notifier,
-		http.StatusOK,
-		&savedNotifier,
-	)
-	assert.NotEmpty(t, savedNotifier.ID)
-
-	// Member can UPDATE notifier
-	savedNotifier.Name = "Updated by member"
-	var updatedNotifier Notifier
-	test_utils.MakePostRequestAndUnmarshal(
-		t,
-		router,
-		"/api/v1/notifiers",
-		"Bearer "+member.Token,
-		savedNotifier,
-		http.StatusOK,
-		&updatedNotifier,
-	)
-	assert.Equal(t, "Updated by member", updatedNotifier.Name)
-
-	// Member can DELETE notifier
-	test_utils.MakeDeleteRequest(
-		t,
-		router,
-		fmt.Sprintf("/api/v1/notifiers/%s", savedNotifier.ID.String()),
-		"Bearer "+member.Token,
-		http.StatusOK,
-	)
-
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
-}
-
-func Test_AdminCanManageNotifiers(t *testing.T) {
-	owner := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	admin := users_testing.CreateTestUser(users_enums.UserRoleMember)
-	router := createRouter()
-	workspace := workspaces_testing.CreateTestWorkspace("Test Workspace", owner, router)
-	workspaces_testing.AddMemberToWorkspace(
-		workspace,
-		admin,
-		users_enums.WorkspaceRoleAdmin,
-		owner.Token,
-		router,
-	)
-
-	notifier := createNewNotifier(workspace.ID)
-
-	// Admin can CREATE, UPDATE, DELETE
-	var savedNotifier Notifier
-	test_utils.MakePostRequestAndUnmarshal(
-		t,
-		router,
-		"/api/v1/notifiers",
-		"Bearer "+admin.Token,
-		*notifier,
-		http.StatusOK,
-		&savedNotifier,
-	)
-
-	savedNotifier.Name = "Updated by admin"
-	test_utils.MakePostRequest(
-		t, router, "/api/v1/notifiers", "Bearer "+admin.Token, savedNotifier, http.StatusOK,
-	)
-
-	test_utils.MakeDeleteRequest(
-		t,
-		router,
-		fmt.Sprintf("/api/v1/notifiers/%s", savedNotifier.ID.String()),
-		"Bearer "+admin.Token,
-		http.StatusOK,
-	)
-
-	workspaces_testing.RemoveTestWorkspace(workspace, router)
+			// Cleanup
+			if tt.canCreate {
+				deleteNotifier(t, router, savedNotifier.ID, workspace.ID, owner.Token)
+			}
+			if !tt.canDelete {
+				deleteNotifier(t, router, ownerNotifier.ID, workspace.ID, owner.Token)
+			}
+			workspaces_testing.RemoveTestWorkspace(workspace, router)
+		})
+	}
 }

 func Test_UserNotInWorkspace_CannotAccessNotifiers(t *testing.T) {
@@ -678,6 +675,10 @@ func Test_NotifierSensitiveDataLifecycle_AllTypes(t *testing.T) {
 					WebhookNotifier: &webhook_notifier.WebhookNotifier{
 						WebhookURL:    "https://webhook.example.com/test",
 						WebhookMethod: webhook_notifier.WebhookMethodPOST,
+						Headers: []webhook_notifier.WebhookHeader{
+							{Key: "Authorization", Value: "Bearer my-secret-token"},
+							{Key: "X-Custom-Header", Value: "custom-value"},
+						},
 					},
 				}
 			},
@@ -690,14 +691,40 @@ func Test_NotifierSensitiveDataLifecycle_AllTypes(t *testing.T) {
 					WebhookNotifier: &webhook_notifier.WebhookNotifier{
 						WebhookURL:    "https://webhook.example.com/updated",
 						WebhookMethod: webhook_notifier.WebhookMethodGET,
+						Headers: []webhook_notifier.WebhookHeader{
+							{Key: "Authorization", Value: "Bearer updated-token"},
+						},
 					},
 				}
 			},
 			verifySensitiveData: func(t *testing.T, notifier *Notifier) {
-				// No sensitive data to verify for webhook
+				assert.NotEmpty(
+					t,
+					notifier.WebhookNotifier.WebhookURL,
+					"WebhookURL should be visible",
+				)
+				// Verify header values are encrypted in DB
+				assert.True(
+					t,
+					isEncrypted(notifier.WebhookNotifier.Headers[0].Value),
+					"Header value should be encrypted in DB",
+				)
+				decrypted := decryptField(
+					t,
+					notifier.ID,
+					notifier.WebhookNotifier.Headers[0].Value,
+				)
+				assert.Equal(t, "Bearer updated-token", decrypted)
 			},
 			verifyHiddenData: func(t *testing.T, notifier *Notifier) {
-				// No sensitive data to hide for webhook
+				assert.NotEmpty(
+					t,
+					notifier.WebhookNotifier.WebhookURL,
+					"WebhookURL should be visible",
+				)
+				for _, header := range notifier.WebhookNotifier.Headers {
+					assert.Empty(t, header.Value, "Header value should be hidden")
+				}
 			},
 		},
 	}
@@ -908,7 +935,7 @@ func Test_CreateNotifier_AllSensitiveFieldsEncryptedInDB(t *testing.T) {
 			},
 		},
 		{
-			name: "Webhook Notifier - WebhookURL encrypted",
+			name: "Webhook Notifier - Header values encrypted, URL not encrypted",
 			createNotifier: func(workspaceID uuid.UUID) *Notifier {
 				return &Notifier{
 					WorkspaceID:  workspaceID,
@@ -917,17 +944,48 @@ func Test_CreateNotifier_AllSensitiveFieldsEncryptedInDB(t *testing.T) {
 					WebhookNotifier: &webhook_notifier.WebhookNotifier{
 						WebhookURL:    "https://webhook.example.com/test456",
 						WebhookMethod: webhook_notifier.WebhookMethodPOST,
+						Headers: []webhook_notifier.WebhookHeader{
+							{Key: "Authorization", Value: "Bearer secret-token-12345"},
+							{Key: "X-API-Key", Value: "api-key-67890"},
+						},
 					},
 				}
 			},
 			verifySensitiveEncryption: func(t *testing.T, notifier *Notifier) {
-				assert.True(
+				assert.False(
 					t,
 					isEncrypted(notifier.WebhookNotifier.WebhookURL),
-					"WebhookURL should be encrypted",
+					"WebhookURL should NOT be encrypted",
 				)
-				decrypted := decryptField(t, notifier.ID, notifier.WebhookNotifier.WebhookURL)
-				assert.Equal(t, "https://webhook.example.com/test456", decrypted)
+				assert.Equal(
+					t,
+					"https://webhook.example.com/test456",
+					notifier.WebhookNotifier.WebhookURL,
+				)
+
+				assert.True(
+					t,
+					isEncrypted(notifier.WebhookNotifier.Headers[0].Value),
+					"Header value should be encrypted",
+				)
+				decrypted1 := decryptField(
+					t,
+					notifier.ID,
+					notifier.WebhookNotifier.Headers[0].Value,
+				)
+				assert.Equal(t, "Bearer secret-token-12345", decrypted1)
+
+				assert.True(
+					t,
+					isEncrypted(notifier.WebhookNotifier.Headers[1].Value),
+					"Header value should be encrypted",
+				)
+				decrypted2 := decryptField(
+					t,
+					notifier.ID,
+					notifier.WebhookNotifier.Headers[1].Value,
+				)
+				assert.Equal(t, "api-key-67890", decrypted2)
 			},
 		},
 	}
@@ -965,6 +1023,204 @@ func Test_CreateNotifier_AllSensitiveFieldsEncryptedInDB(t *testing.T) {
 	}
 }

+func Test_TransferNotifier_PermissionsEnforced(t *testing.T) {
+	tests := []struct {
+		name               string
+		sourceRole         *users_enums.WorkspaceRole
+		targetRole         *users_enums.WorkspaceRole
+		isGlobalAdmin      bool
+		expectSuccess      bool
+		expectedStatusCode int
+	}{
+		{
+			name:               "owner in both workspaces can transfer",
+			sourceRole:         func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleOwner; return &r }(),
+			targetRole:         func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleOwner; return &r }(),
+			isGlobalAdmin:      false,
+			expectSuccess:      true,
+			expectedStatusCode: http.StatusOK,
+		},
+		{
+			name:               "admin in both workspaces can transfer",
+			sourceRole:         func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleAdmin; return &r }(),
+			targetRole:         func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleAdmin; return &r }(),
+			isGlobalAdmin:      false,
+			expectSuccess:      true,
+			expectedStatusCode: http.StatusOK,
+		},
+		{
+			name:               "member in both workspaces can transfer",
+			sourceRole:         func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleMember; return &r }(),
+			targetRole:         func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleMember; return &r }(),
+			isGlobalAdmin:      false,
+			expectSuccess:      true,
+			expectedStatusCode: http.StatusOK,
+		},
+		{
+			name:               "viewer in both workspaces cannot transfer",
+			sourceRole:         func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleViewer; return &r }(),
+			targetRole:         func() *users_enums.WorkspaceRole { r := users_enums.WorkspaceRoleViewer; return &r }(),
+			isGlobalAdmin:      false,
+			expectSuccess:      false,
+			expectedStatusCode: http.StatusForbidden,
+		},
+		{
+			name:               "global admin can transfer",
+			sourceRole:         nil,
+			targetRole:         nil,
+			isGlobalAdmin:      true,
+			expectSuccess:      true,
+			expectedStatusCode: http.StatusOK,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			router := createRouter()
+			GetNotifierService().SetNotifierDatabaseCounter(&mockNotifierDatabaseCounter{})
+
+			sourceOwner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+			targetOwner := users_testing.CreateTestUser(users_enums.UserRoleMember)
+
+			sourceWorkspace := workspaces_testing.CreateTestWorkspace(
+				"Source Workspace",
+				sourceOwner,
+				router,
+			)
+			targetWorkspace := workspaces_testing.CreateTestWorkspace(
+				"Target Workspace",
+				targetOwner,
+				router,
+			)
+
+			notifier := createNewNotifier(sourceWorkspace.ID)
+			var savedNotifier Notifier
+			test_utils.MakePostRequestAndUnmarshal(
+				t,
+				router,
+				"/api/v1/notifiers",
+				"Bearer "+sourceOwner.Token,
+				*notifier,
+				http.StatusOK,
+				&savedNotifier,
+			)
+
+			var testUserToken string
+			if tt.isGlobalAdmin {
+				admin := users_testing.CreateTestUser(users_enums.UserRoleAdmin)
+				testUserToken = admin.Token
+			} else if tt.sourceRole != nil {
+				testUser := users_testing.CreateTestUser(users_enums.UserRoleMember)
+				workspaces_testing.AddMemberToWorkspace(
+					sourceWorkspace,
+					testUser,
+					*tt.sourceRole,
+					sourceOwner.Token,
+					router,
+				)
+				workspaces_testing.AddMemberToWorkspace(
+					targetWorkspace,
+					testUser,
+					*tt.targetRole,
+					targetOwner.Token,
+					router,
+				)
+				testUserToken = testUser.Token
+			}
+
+			request := TransferNotifierRequest{
+				TargetWorkspaceID: targetWorkspace.ID,
+			}
+
+			testResp := test_utils.MakePostRequest(
+				t,
+				router,
+				fmt.Sprintf("/api/v1/notifiers/%s/transfer", savedNotifier.ID.String()),
+				"Bearer "+testUserToken,
+				request,
+				tt.expectedStatusCode,
+			)
+
+			if tt.expectSuccess {
+				assert.Contains(t, string(testResp.Body), "transferred successfully")
+
+				var retrievedNotifier Notifier
+				test_utils.MakeGetRequestAndUnmarshal(
+					t,
+					router,
+					fmt.Sprintf("/api/v1/notifiers/%s", savedNotifier.ID.String()),
+					"Bearer "+targetOwner.Token,
+					http.StatusOK,
+					&retrievedNotifier,
+				)
+				assert.Equal(t, targetWorkspace.ID, retrievedNotifier.WorkspaceID)
+
+				deleteNotifier(t, router, savedNotifier.ID, targetWorkspace.ID, targetOwner.Token)
+			} else {
+				assert.Contains(t, string(testResp.Body), "insufficient permissions")
+				deleteNotifier(t, router, savedNotifier.ID, sourceWorkspace.ID, sourceOwner.Token)
+			}
+
+			workspaces_testing.RemoveTestWorkspace(sourceWorkspace, router)
+			workspaces_testing.RemoveTestWorkspace(targetWorkspace, router)
+		})
+	}
+}
+
+func Test_TransferNotifierNotManagableWorkspace_TransferFailed(t *testing.T) {
+	router := createRouter()
+	GetNotifierService().SetNotifierDatabaseCounter(&mockNotifierDatabaseCounter{})
+
+	userA := users_testing.CreateTestUser(users_enums.UserRoleMember)
+	userB := users_testing.CreateTestUser(users_enums.UserRoleMember)
+
+	workspace1 := workspaces_testing.CreateTestWorkspace("Workspace 1", userA, router)
+	workspace2 := workspaces_testing.CreateTestWorkspace("Workspace 2", userB, router)
+
+	notifier := createNewNotifier(workspace1.ID)
+	var savedNotifier Notifier
+	test_utils.MakePostRequestAndUnmarshal(
+		t,
+		router,
+		"/api/v1/notifiers",
+		"Bearer "+userA.Token,
+		*notifier,
+		http.StatusOK,
+		&savedNotifier,
+	)
+
+	request := TransferNotifierRequest{
+		TargetWorkspaceID: workspace2.ID,
+	}
+
+	testResp := test_utils.MakePostRequest(
+		t,
+		router,
+		fmt.Sprintf("/api/v1/notifiers/%s/transfer", savedNotifier.ID.String()),
+		"Bearer "+userA.Token,
+		request,
+		http.StatusForbidden,
+	)
+
+	assert.Contains(
+		t,
+		string(testResp.Body),
+		"insufficient permissions to manage notifier in target workspace",
+	)
+
+	deleteNotifier(t, router, savedNotifier.ID, workspace1.ID, userA.Token)
+	workspaces_testing.RemoveTestWorkspace(workspace1, router)
+	workspaces_testing.RemoveTestWorkspace(workspace2, router)
+}
+
+type mockNotifierDatabaseCounter struct{}
+
+func (m *mockNotifierDatabaseCounter) GetNotifierAttachedDatabasesIDs(
+	notifierID uuid.UUID,
+) ([]uuid.UUID, error) {
+	return []uuid.UUID{}, nil
+}
+
 func createRouter() *gin.Engine {
 	gin.SetMode(gin.TestMode)
 	router := gin.New()
@@ -979,6 +1235,7 @@ func createRouter() *gin.Engine {
 	}

 	audit_logs.SetupDependencies()
+	GetNotifierService().SetNotifierDatabaseCounter(&mockNotifierDatabaseCounter{})

 	return router
 }
--- a/backend/internal/features/notifiers/di.go
+++ b/backend/internal/features/notifiers/di.go
@@ -14,6 +14,7 @@ var notifierService = &NotifierService{
 	workspaces_services.GetWorkspaceService(),
 	audit_logs.GetAuditLogService(),
 	encryption.GetFieldEncryptor(),
+	nil,
 }
 var notifierController = &NotifierController{
 	notifierService,
--- a/backend/internal/features/notifiers/dto.go
+++ b/backend/internal/features/notifiers/dto.go
@@ -0,0 +1,7 @@
+package notifiers
+
+import "github.com/google/uuid"
+
+type TransferNotifierRequest struct {
+	TargetWorkspaceID uuid.UUID `json:"targetWorkspaceId" binding:"required"`
+}
--- a/backend/internal/features/notifiers/errors.go
+++ b/backend/internal/features/notifiers/errors.go
@@ -0,0 +1,36 @@
+package notifiers
+
+import "errors"
+
+var (
+	ErrInsufficientPermissionsToManageNotifier = errors.New(
+		"insufficient permissions to manage notifier in this workspace",
+	)
+	ErrInsufficientPermissionsToViewNotifier = errors.New(
+		"insufficient permissions to view notifier in this workspace",
+	)
+	ErrInsufficientPermissionsToViewNotifiers = errors.New(
+		"insufficient permissions to view notifiers in this workspace",
+	)
+	ErrInsufficientPermissionsToTestNotifier = errors.New(
+		"insufficient permissions to test notifier in this workspace",
+	)
+	ErrNotifierDoesNotBelongToWorkspace = errors.New(
+		"notifier does not belong to this workspace",
+	)
+	ErrInsufficientPermissionsInSourceWorkspace = errors.New(
+		"insufficient permissions to manage notifier in source workspace",
+	)
+	ErrInsufficientPermissionsInTargetWorkspace = errors.New(
+		"insufficient permissions to manage notifier in target workspace",
+	)
+	ErrNotifierHasAttachedDatabases = errors.New(
+		"notifier has attached databases and cannot be deleted",
+	)
+	ErrNotifierHasAttachedDatabasesCannotTransfer = errors.New(
+		"notifier has attached databases and cannot be transferred",
+	)
+	ErrNotifierHasOtherAttachedDatabasesCannotTransfer = errors.New(
+		"notifier has other attached databases and cannot be transferred",
+	)
+)
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Rostislav Dugin	bc870b3f8e	Merge pull request #261 from databasus/develop FIX (webhook): Update webhook tests to not expect URL to be encrypted	2026-01-14 09:43:26 +03:00
Rostislav Dugin	15383c59eb	FIX (webhook): Update webhook tests to not expect URL to be encrypted	2026-01-14 09:42:25 +03:00
Rostislav Dugin	d14c223a65	Merge pull request #259 from databasus/develop Develop	2026-01-14 09:10:28 +03:00
Rostislav Dugin	2c0a294027	FIX (webhook): Do not encypt webhook URL, keep encyption for headers only	2026-01-14 09:09:00 +03:00
Rostislav Dugin	5d851d73bd	FIX (mysql \ mariadb): Decrease strictness of SELECT check for health check	2026-01-14 08:39:27 +03:00
Rostislav Dugin	699913c251	FIX (postgresql): Filter TEMP table SELECT checks	2026-01-14 07:42:29 +03:00
Rostislav Dugin	a2e3f30a6d	Merge pull request #258 from databasus/develop FEATURE (backups): Add support of multinode Databasus setup	2026-01-14 07:34:06 +03:00
Rostislav Dugin	80f1174ecd	FEATURE (backups): Add support of multinode Databasus setup	2026-01-14 07:32:13 +03:00
Rostislav Dugin	a47f8d5e2c	Merge pull request #253 from databasus/develop FIX (permissions check): Check permissions only in schemas selected f…	2026-01-12 14:23:24 +03:00
Rostislav Dugin	54b9e67656	FIX (permissions check): Check permissions only in schemas selected for backup	2026-01-12 14:22:12 +03:00
Rostislav Dugin	3782846872	Merge pull request #251 from databasus/develop FIX (tidy): Run go mod tidy	2026-01-12 11:32:25 +03:00
Rostislav Dugin	245a81897f	FIX (tidy): Run go mod tidy	2026-01-12 11:31:52 +03:00
Rostislav Dugin	5cbc0773b6	Merge pull request #250 from databasus/develop FEATURE (backups): Move backups cancellation to Valkey pub\sub	2026-01-12 11:26:29 +03:00
Rostislav Dugin	997fc01442	FEATURE (backups): Move backups cancellation to Valkey pub\sub	2026-01-12 11:24:25 +03:00
Rostislav Dugin	6d0ae32d0c	Merge pull request #240 from databasus/develop FIX (oauth): Enable GitHub and Google OAuth	2026-01-10 20:15:43 +03:00
Rostislav Dugin	011985d723	FIX (oauth): Enable GitHub and Google OAuth	2026-01-10 19:19:37 +03:00
Rostislav Dugin	d677ee61de	Merge pull request #239 from databasus/develop FIX (mariadb): --skip-ssl-verify-server-cert for mariadb / mysql	2026-01-10 18:34:58 +03:00
Rostislav Dugin	c6b8f6e87a	Merge pull request #237 from wzzrd/bugfix/disable_mariadb_mysql_ssl_verify --skip-ssl-verify-server-cert for mariadb	2026-01-10 18:33:45 +03:00
Maxim Burgerhout	2bb5f93d00	--skip-ssl-verify-server-cert for mariadb / mysql This change adds the --skip-ssl-verify-server-cert flag to mariadb database connections for both backups and restores. This errors when trying to verify certificates during those procedures.	2026-01-10 15:50:09 +01:00
Rostislav Dugin	b91c150300	Merge pull request #236 from databasus/develop Develop	2026-01-10 15:19:19 +03:00
Rostislav Dugin	12b119ce40	FIX (readme): Update readme	2026-01-10 15:16:25 +03:00
Rostislav Dugin	7c6f0ab4ba	FIX (mysql\mariadb): Use custom TLS handler to skip verification instead of build-in	2026-01-10 15:13:47 +03:00
Rostislav Dugin	6d2db4b298	Merge pull request #232 from databasus/develop Develop	2026-01-09 11:12:27 +03:00
Rostislav Dugin	6397423298	FIX (temp folder): Ensure permissions 0700 for temp folders to meet PG requirements for .pgpass ownership	2026-01-09 11:10:50 +03:00
Rostislav Dugin	3470aae8e3	FIX (mysql\mariadb): Remove PROCESS permission check before backup, because it is not mandatory for backup	2026-01-09 11:02:14 +03:00
Rostislav Dugin	184fbcdb2c	Merge pull request #230 from databasus/develop FIX (temp): Use Databasus temp folder instead of system over PG backup	2026-01-08 20:41:45 +03:00
Rostislav Dugin	2d897dd722	FIX (temp): Use Databasus temp folder instead of system over PG backup	2026-01-08 20:40:22 +03:00
Rostislav Dugin	cba40afd00	Merge pull request #228 from databasus/develop FIX (backend): Fix formatting	2026-01-08 17:11:43 +03:00
Rostislav Dugin	7aea012aeb	FIX (backend): Fix formatting	2026-01-08 17:10:47 +03:00
Rostislav Dugin	6d5534deaa	Merge pull request #227 from databasus/develop Develop	2026-01-08 16:55:12 +03:00
Rostislav Dugin	c04bd54683	FIX (download): Add streamable download of backups	2026-01-08 15:55:52 +03:00
Rostislav Dugin	1c3f16b372	FIX (google drive): Fix UI after new local redirect PR	2026-01-08 12:22:47 +03:00
Rostislav Dugin	ed08da56a6	FIX (cicd): Get rid of CITATION auto generate	2026-01-08 11:35:55 +03:00
Rostislav Dugin	c53e84b48d	FIX (devex): Fix Linux tools installation script	2026-01-08 11:34:35 +03:00
Rostislav Dugin	dbfeb9e27f	merge develop	2026-01-08 11:33:34 +03:00
Rostislav Dugin	02e86ffb3b	FIX (devex): Fix Linux tools installation script	2026-01-08 11:10:56 +03:00
github-actions[bot]	207382116c	Update CITATION.cff to v2.21.0	2026-01-05 18:38:28 +00:00
Rostislav Dugin	a91ee50e31	Merge pull request #221 from databasus/develop Develop	2026-01-05 21:08:50 +03:00
Rostislav Dugin	7e5562b115	FEATURE (mysql): Add automatic detection of allowed privileges to backup proper DB items	2026-01-05 21:07:53 +03:00
Rostislav Dugin	3ef51c4d68	FEATURE (databases): Imrove check for required permissions to backup, check for read-only user and extend DBs models tests	2026-01-05 21:07:53 +03:00
github-actions[bot]	e47e513460	Update CITATION.cff to v2.20.3	2026-01-04 21:28:24 +00:00
Rostislav Dugin	226a6c06e6	Merge pull request #216 from databasus/develop FIX (readonly user): Improve complexity of readonly user passwords to…	2026-01-05 00:07:37 +03:00
Rostislav Dugin	615fd9d574	FIX (readonly user): Improve complexity of readonly user passwords to pass Google Cloud requirements	2026-01-05 00:06:24 +03:00
github-actions[bot]	e9fcf20cdf	Update CITATION.cff to v2.20.2	2026-01-04 20:14:38 +00:00
Rostislav Dugin	7649f4acfd	Merge pull request #214 from databasus/develop FIX (databases): Add timeout for deletion in case of storage stuck	2026-01-04 22:54:13 +03:00
Rostislav Dugin	7e4c3bcc19	FIX (databases): Add timeout for deletion in case of storage stuck	2026-01-04 22:51:11 +03:00
Rostislav Dugin	f2aecc0427	Merge pull request #212 from databasus/develop FIX (mariadb): Add events exclusion for MariaDB	2026-01-04 22:16:24 +03:00
Rostislav Dugin	3ce7da319f	FIX (mariadb): Add events exclusion for MariaDB	2026-01-04 22:15:31 +03:00
github-actions[bot]	096098f660	Update CITATION.cff to v2.20.1	2026-01-04 18:13:01 +00:00
Rostislav Dugin	c3ba4a7c5a	Merge pull request #209 from databasus/develop FIX (backups): Escape password over connection check to allow whitesp…	2026-01-04 20:50:08 +03:00
Rostislav Dugin	52c0f53608	FIX (backups): Escape password over connection check to allow whitespaces	2026-01-04 20:49:22 +03:00
github-actions[bot]	a5095acad4	Update CITATION.cff to v2.20.0	2026-01-04 14:54:48 +00:00
Rostislav Dugin	a6d32b5c09	Merge pull request #208 from databasus/develop FIX (tests): Use unique DB names for PostgreSQL parallel tests	2026-01-04 17:26:52 +03:00
Rostislav Dugin	722560e824	FIX (tests): Use unique DB names for PostgreSQL parallel tests	2026-01-04 17:24:49 +03:00
Rostislav Dugin	496ac6120c	Merge pull request #207 from databasus/develop Develop	2026-01-04 16:24:22 +03:00
Rostislav Dugin	756c6c87af	FIX (password): Trim db password at the moment of save and test connection instead right on the moment of input	2026-01-04 16:20:37 +03:00
Rostislav Dugin	a23d05b735	FIX (backups): Allow to make manual backups when scheduled are disabled	2026-01-04 16:11:14 +03:00
Rostislav Dugin	33a8d302eb	FEATURE (workspaces): Add tranasfer between databases, storages and notifiers	2026-01-04 15:59:21 +03:00
github-actions[bot]	25ed1ffd2a	Update CITATION.cff to v2.19.2	2026-01-02 13:30:15 +00:00
Rostislav Dugin	67582325bb	Merge pull request #204 from databasus/develop FIX (restores): Restore via stream instead of downloading backup to l…	2026-01-02 16:09:21 +03:00
Rostislav Dugin	5a89558cf6	FIX (restores): Restore via stream instead of downloading backup to local storage	2026-01-02 16:06:46 +03:00
github-actions[bot]	0ec02430b7	Update CITATION.cff to v2.19.1	2026-01-02 11:43:51 +00:00
Rostislav Dugin	49115684a7	Merge pull request #203 from databasus/develop FIX (backups): Revert directory update	2026-01-02 14:23:27 +03:00
Rostislav Dugin	58ae86ff7a	FIX (backups): Revert directory update	2026-01-02 14:20:32 +03:00
github-actions[bot]	82939bb079	Update CITATION.cff to v2.19.0	2026-01-02 09:55:59 +00:00
Rostislav Dugin	1697bfbae8	Merge pull request #202 from databasus/develop Develop	2026-01-02 12:34:58 +03:00
Rostislav Dugin	205cb1ec02	FEATURE (restores): Validate there is enough disk space on restore	2026-01-02 12:33:31 +03:00
Rostislav Dugin	b9668875ef	FIX (mongodb): Fix MongoDB build for ARM	2026-01-02 12:21:02 +03:00
Rostislav Dugin	ca3f0281a3	FIX (temp folders): Improve temp folders cleanup over backups and restores	2026-01-02 12:09:43 +03:00
Rostislav Dugin	1b8d783d4e	FIX (temp): Add NAS temp directory to .gitignore	2026-01-02 11:50:08 +03:00
Rostislav Dugin	75b0477874	FIX (temp): Remove temp directory for NAS	2026-01-02 11:49:26 +03:00
Rostislav Dugin	19533514c2	FEATURE (postgresql): Move to directory format to speed up parallel backups	2026-01-02 11:46:15 +03:00
github-actions[bot]	b3c3ef136f	Update CITATION.cff to v2.18.6	2026-01-01 19:11:46 +00:00
Rostislav Dugin	4a2ada384e	Merge pull request #196 from databasus/develop FIX (assets): Add square logos	2026-01-01 21:51:30 +03:00
Rostislav Dugin	b4fc0cfb56	FIX (assets): Add square logos	2026-01-01 21:51:04 +03:00
github-actions[bot]	a8fca1943b	Update CITATION.cff to v2.18.5	2025-12-30 15:37:44 +00:00
Rostislav Dugin	880b635827	Merge pull request #192 from databasus/develop Develop	2025-12-30 18:17:22 +03:00
Rostislav Dugin	67c14cfa89	FIX (backups): Fix extension when downloading backup depending on compression type	2025-12-30 18:15:49 +03:00
Rostislav Dugin	428a87ae84	FIX (s3): Calculate checksum over streaming to S3 chunk by chunk	2025-12-30 18:12:35 +03:00
github-actions[bot]	1f1e22e69c	Update CITATION.cff to v2.18.4	2025-12-30 13:07:47 +00:00
Rostislav Dugin	c325d42b89	Merge pull request #191 from databasus/develop Develop	2025-12-30 15:46:51 +03:00
Rostislav Dugin	04a19cead1	FIX (readme): Update readme	2025-12-30 15:45:57 +03:00
Rostislav Dugin	648c315312	FIX (readme): Update README	2025-12-30 15:40:54 +03:00
github-actions[bot]	3a205c2f1d	Update CITATION.cff to v2.18.3	2025-12-29 17:57:56 +00:00
Rostislav Dugin	49ebb01ffd	Merge pull request #186 from databasus/develop Develop	2025-12-29 20:36:39 +03:00
Rostislav Dugin	e957fb67dd	FIX (s3): Include checksum over file upload	2025-12-29 20:35:10 +03:00
Rostislav Dugin	7cda83122a	FIX (read-only): Use read-only user via frontend for MariaDB and MongoDB after creation	2025-12-29 20:31:27 +03:00
github-actions[bot]	11195d9078	Update CITATION.cff to v2.18.2	2025-12-29 15:27:04 +00:00
Rostislav Dugin	64d7a12f9f	Merge pull request #184 from databasus/develop Develop	2025-12-29 15:48:09 +03:00
Rostislav Dugin	9853ac425a	FIX (sftp): Fix initial value in case of private key	2025-12-29 15:47:00 +03:00
Rostislav Dugin	6ad38228ce	Merge pull request #182 from m4tt72/fix/sftp-storage-auth-method-radio-selection fix(storages): SFTP auth method radio button now correctly switches to Private Key	2025-12-29 15:44:22 +03:00
Rostislav Dugin	7d576b50a9	Merge pull request #183 from databasus/main Merge changes to develop	2025-12-29 15:43:01 +03:00
Rostislav Dugin	db3bd98425	FIX (readme): Fix installation methods	2025-12-29 15:41:22 +03:00
Yassine Fathi	7d8d0846cb	fix(storages): SFTP auth method radio button now correctly switches to Private Key	2025-12-29 12:10:00 +01:00
github-actions[bot]	05540a8d8d	Update CITATION.cff to v2.18.1	2025-12-28 17:14:24 +00:00
Rostislav Dugin	8250db9ce5	FIX (readme): Add AI disclaimer	2025-12-28 19:49:16 +03:00
github-actions[bot]	1e8cc46672	Update CITATION.cff to v2.18.0	2025-12-27 20:21:44 +00:00
Rostislav Dugin	9d30406d83	FEATURE (audit logs): Add retention for audit logs within 1 year	2025-12-27 22:58:35 +03:00
Rostislav Dugin	22e9c605da	FEATURE (dockefile): Recover internal PostgreSQL in case of corruption	2025-12-27 22:39:39 +03:00
github-actions[bot]	60fe0322f1	Update CITATION.cff to v2.17.0	2025-12-27 18:15:43 +00:00