Governance & compliance
Row, column, and table-level policies. Audit every query. SOC 2, HIPAA, and PCI DSS templates out of the box.
// the tension
Governance is usually bolted on after a breach scare. The security team builds a spreadsheet of who can see what, the data team writes one-off views to hide the sensitive columns, and the audit team stitches logs together at quarter-end. Everyone agrees the policies are right. Nobody trusts the system to enforce them.
DXData moves governance into the query path. Policies are code, not documents. Access decisions happen in the planner, before rows leave the warehouse. Every query — allowed or denied — writes a tamper-evident audit entry. The same rules that keep auditors happy also keep your analysts fast.
Match on department, team, clearance, or any claim your IdP supplies. No static group sprawl.
One policy language covers every scope. Enforcement happens at query time, not ingest.
Every query is hash-chained and exportable to your SIEM. Seven-year retention by default.
// access.abac
DXData policies match on the attributes you already trust — department, team, clearance, project, tenant — pulled straight from your IdP. No duplicated group hierarchies, no manual user management.
Policies live in your repo, flow through code review, and deploy through the same CI your engineers already use. The platform compiles them into plan-time predicates, so enforcement is free at runtime.
// access.rls
RLS policies translate to predicates the Trino planner injects into every query. Forbidden rows are never scanned, never cached, and never handed to the client — not even in aggregates unless the policy explicitly allows it.
Because enforcement happens at query time rather than ingest, you can change who sees what without rewriting tables or backfilling years of history.
// access.masking
Pick a masking mode per column: deterministic hash for joins, partial reveal for support workflows (last four digits, domain only), or full redaction for the auditor-facing view. The planner rewrites the select-list; your SQL does not change.
Masks are composable with RLS and ABAC, so you can grant broader row access while keeping specific columns private — or vice versa — without inventing two-dimensional policies by hand.
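The three masking modes above, sketched in Python as an added example (not DXData's code or API; the function names, key and sample rows are constructed). The hash mode uses a keyed HMAC rather than a bare hash, because low-entropy values such as emails or card numbers can be recovered from an unkeyed hash by dictionary lookup.

```python
import hashlib
import hmac

# Constructed demo key; an assumption of this example, not a DXData setting.
MASK_KEY = b"demo-masking-key"

def mask_hash(value, key=MASK_KEY):
    """Deterministic keyed hash: equal inputs give equal tokens, so joins still match."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def mask_last_four(value):
    """Partial reveal: keep the last four characters, star out the rest."""
    compact = value.replace(" ", "").replace("-", "")
    if len(compact) <= 4:  # too short: revealing four would reveal everything
        return "*" * len(compact)
    return "*" * (len(compact) - 4) + compact[-4:]

def mask_domain_only(email):
    """Partial reveal: hide the local part, keep the domain."""
    _local, sep, domain = email.rpartition("@")
    return "***@" + domain if sep and domain else "[REDACTED]"

def mask_redact(_value):
    """Full redaction."""
    return "[REDACTED]"

MODES = {"hash": mask_hash, "last4": mask_last_four,
         "domain": mask_domain_only, "redact": mask_redact}

def apply_masks(rows, column_modes):
    """Rewrite masked columns in each row; unlisted columns and NULLs pass through."""
    masked = []
    for row in rows:
        masked.append({
            col: MODES[column_modes[col]](val)
            if col in column_modes and val is not None else val
            for col, val in row.items()
        })
    return masked

def masked_join(left, right, key):
    """Inner join two masked row sets on a column that was masked in 'hash' mode."""
    index = {r[key]: r for r in right}
    return [{**l, **index[l[key]]} for l in left if l[key] in index]

# Constructed sample rows.
CUSTOMERS = [{"email": "alice@example.com", "card": "4111 1111 1111 1234"},
             {"email": "bob@example.org", "card": None}]
ORDERS = [{"email": "alice@example.com", "total": 42}]
```

Masking `CUSTOMERS` and `ORDERS` with the same key and then calling `masked_join` on `email` still pairs Alice's order with her row, while neither side exposes the address.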
// compliance.templates
Start from a pre-built bundle for SOC 2, HIPAA, GDPR, PCI DSS, ISO 27001, or FedRAMP. Each bundle ships with the classification rules, policy skeletons, audit exports, and evidence queries that framework asks for, mapped to the DXData catalog.
Bundles are opinionated, not opaque. You can customize any control, and DXData tracks exactly which policy satisfies which clause — useful the next time an auditor asks.
hash-chained · retained 7 years · exportable to SIEM
// audit.trail
Every query — read, write, denied, or schema change — writes a hash-chained audit entry. Entries are immutable, signed, and retained for seven years by default. You can extend retention or pin a snapshot for a litigation hold with one command.
The audit stream exports to Splunk, Datadog, Elastic, and any S3-compatible sink using a schema designed for SIEM pipelines. A Sigma rule pack for common violation patterns ships out of the box.
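What a hash-chained audit log does and does not detect, as an added Python example (not DXData's implementation or export schema; the entry layout, field names and sample events are constructed). The chain alone exposes an edited entry, but truncation or a full rewrite is caught only by comparing against a head hash held outside the log writer's reach, such as the copy already exported to the SIEM.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # constructed marker for "no previous entry"

def entry_hash(prev_hash, event):
    """Hash the previous entry's hash with a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(prev_hash.encode("ascii") + body).hexdigest()

def append(chain, event):
    """Append an event, linking it to the hash of the entry before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})

def verify(chain, expected_head=None):
    """Return -1 if the chain is intact, else the index of the first failure.

    expected_head is the last hash as recorded outside the log store.
    A mismatch there is reported as index len(chain): every link is
    self-consistent, yet the log was truncated or rewritten as a whole.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        recomputed = entry_hash(prev, entry["event"])
        if entry["prev"] != prev or not hmac.compare_digest(entry["hash"], recomputed):
            return i
        prev = entry["hash"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(chain)
    return -1

def sample_chain():
    """Three constructed audit events: an allowed read, a denial, a schema change."""
    chain = []
    for event in (
        {"user": "u1", "action": "read", "decision": "allow", "policy": "rls.team_scope"},
        {"user": "u2", "action": "read", "decision": "deny", "policy": "rls.team_scope"},
        {"user": "u3", "action": "schema_change", "decision": "allow", "policy": None},
    ):
        append(chain, event)
    return chain
```

Flipping the second event's `decision` makes `verify` return 1; dropping the last entry passes `verify(chain)` but returns 2 once the original head hash is supplied.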
// catalog.classification
DXData auto-classifies columns as PII, PHI, Financial, or Internal on every catalog sync, using a combination of schema hints, sample-based heuristics, and policy-defined patterns. Reviewers can override any tag; overrides stick across schema changes.
Classifications drive everything downstream — default masking, audit routing, and the evidence artifacts your compliance bundles produce.
// identity
Connect your IdP once and DXData stays in sync. SCIM provisioning creates and deprovisions users automatically, pushes group memberships into policy attributes, and keeps offboarding the same day the HR system does.
// where it fits
Isolate every customer's data with a tenant_id predicate that composes across teams — no forked tables, no nightly ETL hacks.
Care-team attributes decide who sees which chart. Break-glass access is logged, time-boxed, and routed to compliance for review.
Regulator-ready audit trails, 7-year retention, and SIEM-native export for every query that touches regulated data.
// questions we get
Policies are additive: a query is allowed only if every matching policy allows it. Conflicts are resolved deterministically by specificity, and the audit log records exactly which policies fired. Platform teams can publish shared policies as modules that product teams import.
Audit writes are asynchronous, hash-chained, and offloaded to a dedicated log stream. Latency impact is typically under 2 ms per query. Enforcement decisions happen in the planner, so we skip scanning forbidden partitions entirely — many queries actually get faster.
Break-glass grants are time-boxed roles that require a second approver, produce a highlighted audit entry, and auto-expire. You can scope them to a specific resource and require a justification string that flows into the audit event.
Yes. The audit stream exports to Splunk, Datadog, Elastic, and any S3-compatible sink in real time, with a JSON schema designed to be ingested without custom parsers. A Sigma rule pack for common policy-violation patterns ships with the platform.
// keep exploring
Every column classified, every lineage edge documented — the substrate policies run on.
See which policies fired, which queries were denied, and where the audit stream is headed.
Policy evaluation runs in the Trino planner, so RLS and masking cost nothing at runtime.
// ship faster, stay safe
Pair your data with the policies, audit trail, and compliance coverage your security team would write if they had the time.
No credit card. Policies are yours to keep on export.