Compliance
Datafi is designed to operate within regulated environments. This page outlines the platform's compliance posture across major frameworks and describes the built-in mechanisms for protecting sensitive data.
Compliance Frameworks
| Framework | Status | Details |
|---|---|---|
| HIPAA | Supported | BAA available; PHI handled with encryption, access controls, and audit logging |
| PCI DSS | Supported via Stripe | Payment processing delegated to Stripe; Datafi does not store, process, or transmit cardholder data |
| CSA CAIQ | Available | Cloud Security Alliance Consensus Assessments Initiative Questionnaire available upon request |
| SOC 2 Type II | In progress | Audit not yet completed; controls are in place and being formally assessed |
HIPAA
Datafi supports HIPAA-regulated workloads. When you process Protected Health Information (PHI) through the platform, the following controls are in effect:
- Encryption at rest and in transit -- all data is encrypted using AES-256 at rest and TLS 1.3 in transit.
- Access controls -- RBAC, ABAC, query-level security, and row-level security restrict who can access PHI.
- Audit logging -- every access to PHI is logged with the user identity, timestamp, and operation.
- Minimum necessary -- RLS and column-level policies enforce the minimum necessary standard by limiting access to only the fields and rows required for the user's role.
- BAA -- Datafi offers a Business Associate Agreement. Contact your account team to execute one.
A signed BAA is required before you process PHI through Datafi. Do not store or query PHI until the BAA is in place.
PCI DSS
Datafi does not directly handle payment card data. All payment processing is delegated to Stripe, which is PCI DSS Level 1 certified.
| Responsibility | Owner |
|---|---|
| Payment processing | Stripe |
| Card data storage | Stripe |
| Subscription management | Datafi (via Stripe API) |
| PCI compliance certification | Stripe |
If your data sources contain cardholder data and you query them through Datafi, you are responsible for ensuring that your access policies and RLS rules prevent unauthorized exposure of that data.
CSA CAIQ
The Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CSA CAIQ) documents Datafi's security controls in a standardized format used by cloud security assessors.
To request a copy of the completed CAIQ, contact your account team or email [email protected].
SOC 2 Type II
Datafi is working toward SOC 2 Type II certification. The controls required for SOC 2 are implemented and operational, and a formal audit is in progress.
| Control Area | Status |
|---|---|
| Security | Implemented |
| Availability | Implemented |
| Processing Integrity | Implemented |
| Confidentiality | Implemented |
| Privacy | Implemented |
Sensitive Data Protection
Datafi includes built-in mechanisms to detect and protect sensitive data throughout the platform.
Credential Sanitization
Database connection credentials are never exposed in API responses, logs, or error messages. Credentials are:
- Encrypted at rest using AES-256 with tenant-scoped encryption keys.
- Masked in API responses -- connection details return
"password": "********". - Excluded from logs -- log entries redact credential fields before writing.
// API response for a connection (credentials sanitized)
{
"id": "conn_abc123",
"name": "Production PostgreSQL",
"host": "db.example.com",
"port": 5432,
"username": "datafi_reader",
"password": "********",
"ssl_mode": "verify-full"
}
PII Detection
Datafi can automatically detect columns that are likely to contain personally identifiable information (PII). Detected PII columns are flagged for review and can be automatically protected with access policies or RLS rules.
| Detection Category | Examples | Auto-Tag |
|---|---|---|
| Names | first_name, last_name, full_name | pii:name |
| Email addresses | email, contact_email | pii:email |
| Phone numbers | phone, mobile, fax | pii:phone |
| National IDs | ssn, sin, national_id | pii:national_id |
| Financial | credit_card, account_number | pii:financial |
| Health | diagnosis, medication, condition | phi:health |
| Location | address, zip_code, coordinates | pii:location |
Enable automatic PII detection on all new data sources to ensure that sensitive columns are tagged before any user queries them.
SQL Injection Prevention
Datafi's query-level security layer parses all SQL into an abstract syntax tree before execution, which neutralizes SQL injection attempts.
| Attack Vector | Mitigation |
|---|---|
String injection ('; DROP TABLE --) | AST parsing detects multiple statements |
Union injection (UNION SELECT password FROM users) | Table/column validation rejects unauthorized references |
Comment-based bypass (/* admin */ OR 1=1) | Comments are stripped during parsing |
Stacked queries (; INSERT INTO ...) | Multiple statements are rejected |
| Parameterized bypass | All user inputs are parameterized at the coordinator |
Error Sanitization
Error messages returned to users are sanitized to prevent information leakage.
| Information Type | Exposed to User | Logged Internally |
|---|---|---|
| SQL syntax errors | Generic message only | Full error with query text |
| Database errors | Generic message only | Full database error |
| Schema information | Never | Logged for debugging |
| Stack traces | Never | Logged for debugging |
| Connection details | Never | Logged for debugging |
// User-facing error (sanitized)
{
"error": {
"code": "QUERY_FAILED",
"message": "The query could not be executed. Please check your syntax and try again.",
"request_id": "req_7f8a9b2c"
}
}
// Internal log (full details)
// {
// "request_id": "req_7f8a9b2c",
// "error": "relation \"customers_backup\" does not exist",
// "query": "SELECT * FROM customers_backup",
// "user_id": "user_abc123",
// "tenant_id": "tenant_001"
// }
Data Residency
Datafi supports data residency requirements by allowing you to choose deployment regions for your edge servers. Data processed by an edge server remains within the region where that edge server is deployed.
| Component | Residency Control |
|---|---|
| Coordinator | Deployed in the region of your choice (SaaS) or your own infrastructure (Private Cloud / On-Prem) |
| Edge servers | Deployed in the region of your choice, co-located with your data sources |
| Metadata | Stored in the coordinator's region |
| Query results | Processed in the edge server's region; not persisted after delivery |
Best Practices
- Execute a BAA before processing PHI. Contact your account team to initiate the process.
- Enable PII detection on all data sources. Automated tagging reduces the risk of unprotected sensitive columns.
- Review compliance status quarterly. As Datafi progresses toward SOC 2 and other certifications, review updated compliance documentation.
- Use RLS for minimum necessary enforcement. Column-level policies and RLS filters are your primary tools for meeting HIPAA's minimum necessary standard.
- Audit error logs. Monitor internal error logs for patterns that might indicate data exposure or misconfiguration.