Security
Governed on every surface. Nothing leaves your building.
The controls a CISO expects — shipped and enforced identically across files, SQL, FTP, MCP, and JDBC, behind one decision point. Self-hosted, so your regulated data never transits anyone else's cloud.
Roles & RBAC
Named roles + per-tenant API keys, checked on every data request.
Explicit-deny ACLs
POSIX permissions, inheritable defaults, and deny-lists down to the file.
Durable audit log
Every governed action recorded with who + when — survives restart.
Column-level masking
PII/PHI classified and masked server-side, with ABAC break-glass unmask.
SSO / SCIM / MFA
OIDC for Google, Azure AD, Okta… + directory sync + step-up TOTP MFA.
Encryption at rest
Secrets encrypted with per-tenant keys; table data on storage you control.
One enforcement point
check_vfs_access governs file · SQL · FTP · MCP · JDBC alike — no skeleton key.
Multi-tenant isolation
Structural separation across storage, scheduling, query, and config.
Security FAQ
Questions your security team will ask
Compliance
Maps to SOC 2 / HIPAA / GDPR. SOC 2 in progress.
We share the full control list and the honest gap list. The remaining hardening is weeks out, not months — bring your security team.
Request the security brief