Instant

Security

Governed on every surface. Nothing leaves your building.

The controls a CISO expects — shipped and enforced identically across files, SQL, FTP, MCP, and JDBC, behind one decision point. Self-hosted, so your regulated data never transits anyone else's cloud.

Roles & RBAC

Named roles + per-tenant API keys, checked on every data request.

Explicit-deny ACLs

POSIX permissions, inheritable defaults, and deny-lists down to the file.

Durable audit log

Every governed action recorded with who + when — survives restart.

Column-level masking

PII/PHI classified and masked server-side, with ABAC break-glass unmask.

SSO / SCIM / MFA

OIDC for Google, Azure AD, Okta… + directory sync + step-up TOTP MFA.

Encryption at rest

Secrets encrypted with per-tenant keys; table data on storage you control.

One enforcement point

check_vfs_access governs file · SQL · FTP · MCP · JDBC alike — no skeleton key.

Multi-tenant isolation

Structural separation across storage, scheduling, query, and config.

Security FAQ

Questions your security team will ask

Compliance

Maps to SOC 2 / HIPAA / GDPR. SOC 2 in progress.

We share the full control list and the honest gap list. The remaining hardening is weeks out, not months — bring your security team.

Request the security brief