FutrixData logo FutrixData
Limitations & threat model

What FutrixData Does Not Protect Against — Threat Model and Limits

FutrixData reduces specific risks on AI-agent and human database access — it does not eliminate every database risk, and it does not stand in for compliance certification or a full IAM, DLP, or SIEM stack. This page is the inverse of the marketing copy: the things the product does not do, so you can decide where it fits in your environment.

Local-only audit, not external immutable storage

The agent audit log is local and hash-chained. The CLI verifier detects modified, deleted, inserted, or reordered rows inside the chained section. It does not detect a full local log rewrite where an attacker with host control rewrites every row and recomputes every hash. It also cannot prove that a truncated tail ever existed without an external anchor.

For environments that need stronger guarantees, mirror agent-tool events to a separate append-only store you control (for example, a Postgres instance with WAL archiving, an object store with object lock, or a write-only sink in another network). Local verification is meant to give you a quick, offline integrity signal — not to substitute for external immutable storage.

Deterministic masking is not anonymization

Result masking is a stable secret-backed HMAC, not an anonymizer. The algorithm is HMAC-SHA256: an HMAC key is derived per (data source, field) from a local secret, and the output format is masked:v1: followed by the first 16 hex characters of the HMAC — so the same raw value in a different field or a different data source produces a different hash. The substitution makes a sensitive value pseudonymous: callers see consistent hashes across calls without seeing raw values, but the mapping is deterministic by design. Anyone with access to the local masking secret can recompute hashes from known inputs; an attacker with control of the local host can do the same. Low-cardinality input spaces (booleans, gender, age in years, small enums) remain vulnerable to enumeration: anyone who can submit known inputs through the gateway — or who holds the local secret — can build a lookup table that effectively reverses such fields.

Deterministic masking is the right tool for keeping PII out of LLM prompts and agent contexts while preserving join keys for analysts. It is the wrong tool for releasing a dataset publicly — that requires k-anonymity, differential privacy, or full tokenization with an external secret manager.

Console is the authorized-human raw-data path, by design

The desktop Console returns raw rows to the engineer at the keyboard. Result masking is intentionally not applied here — the Console exists to inspect real data. If you do not want raw values to reach a given user, the right control is access to the data source itself (per-data-source ACL, per-environment credentials), not Console-side masking.

The agent result path (MCP, Skill, agent CLI) is masked separately. The two paths share the same risk engine and the same audit log, but masking diverges on purpose.

Schema metadata is a separate path from result rows

AI Chat, schema-knowledge browsing, and ER assistance can include schema metadata in prompts to the configured LLM provider. Result masking does not automatically cover schema metadata. If the schema itself is sensitive — KYC table names, regulatory column names, internal product codes — disable schema-to-LLM transmission for that data source. Each transmission is recorded; review the record before assuming a data source is "AI-safe".

Your AI provider has its own data policies

Bring-your-own-LLM means FutrixData does not see your prompts or completions, but it also means the provider you configured (Anthropic, OpenAI, Google, Azure, Ollama, etc.) has its own data-retention, training-eligibility, and regional-routing policies. FutrixData masks PII on the agent result path before the row leaves the gateway; what your LLM provider does with the resulting prompt is governed by the contract you have with them, not by FutrixData.

External MCP clients and external agents you build against FutrixData also have their own data-handling policies. The gateway can prove what was returned to a caller; it cannot enforce what the caller does next.

Not a certification, not a SIEM, not full IAM, not DLP

FutrixData is a database gateway. It is not, and does not replace:

Things the marketing copy avoids claiming

So the marketing copy and this page stay consistent, here are claims we explicitly do not make:

If you find marketing copy elsewhere on the site that conflicts with this page, treat this page as authoritative and report it to hi@futrixdata.com.

Frequently asked questions

If the audit log is hash-chained, why is local rewrite still possible?

The chain proves the file is internally consistent at read time. An attacker with full host control can rewrite every row, recompute every hash, and produce an internally-consistent forged file. To detect that, you need an external anchor — a copy of the chain head in a place the attacker cannot reach. Mirroring agent-tool events to an append-only external store is the standard fix.

Why isn't deterministic masking enough for public release?

It preserves a stable mapping between input and hash, which is exactly what makes joins and analytics still work. The same property makes it reversible against known inputs by anyone holding the local secret. For public release you want the mapping to break — k-anonymity, differential privacy, or a tokenizer with secrets in a separate trust boundary.

I want full team RBAC. Is that available?

Team RBAC with roles, permissions, environment scopes, and schema scopes is an Enterprise-edition feature on the self-hosted gateway. The free desktop client gives you per-agent identity, access keys, revocation, and audit attribution — which is enough for solo developers and small AI-native teams, but not enough for environment-by-environment role separation. See self-hosted.

Does FutrixData stop a malicious DB principal directly?

No. The gateway is in front of the database; it does not change the grants on the database itself. If a developer or agent has direct DB credentials, they can bypass the gateway. The mitigation is to remove direct credentials and route those callers through FutrixData, so the agent identity, masking, and audit log all apply.

How does this compare to a hosted SaaS database client?

Hosted SaaS database clients route your queries through their servers — the trust boundary is theirs, the audit log is theirs, and the credentials sit in their environment. FutrixData runs locally (desktop) or in your VPC (Enterprise gateway). The gateway does not see what FutrixData servers see; FutrixData servers do not see your queries or rows. Different trade-offs — convenience vs. perimeter control.

Try FutrixData on your own database

Free desktop app on macOS, Windows, and Linux. Self-hosted Enterprise Edition for production deployments.