FutrixData runs against your databases from your machine (or your VPC for the Enterprise gateway). Database credentials, sensitivity rules, and audit history live locally and encrypted. This page documents the data paths, what the gateway does on each one, and what the gateway explicitly does not do — so you can validate it against your own threat model.
FutrixData has three data paths. They are intentionally separate and behave differently:
Database credentials, datasource definitions, agent identities, sensitivity rules, AI provider keys, and the agent audit history are stored locally. From first launch the daemon uses a local encrypted store backed by an OS-keyring root key, so these files are encrypted at rest before any login takes place. If the OS keyring is unavailable on a given platform, the daemon surfaces a plaintext-fallback warning rather than silently downgrading.
None of these values are uploaded to FutrixData servers. The hosted gateway and license server only see what is required for billing and licensing — not your database credentials or query bodies. See limitations for the inverse: the things FutrixData does not protect against.
On the agent result path, sensitive values are replaced with stable pseudonymous hashes. The substitution is a deterministic HMAC backed by a local secret stored in OS-level secret storage. The hash for a given input is stable inside an install (so analysts and agents see consistent values across calls) but cannot be reversed without that local secret.
Deterministic masking reduces leakage surface — it is not full anonymization. Two callers with the same secret will see the same hash; an attacker with full local-host control can recompute hashes for known inputs. See masking limitations.
Every agent tool call writes an entry to the local agent audit log. New entries are hash-chained: each row carries the SHA-256 hash of the previous row, plus a payload hash and chain version. A built-in CLI command verifies the chain end-to-end and detects modified, deleted, inserted, or reordered records inside the chained section.
Run the verifier:
The JSON output includes whether verification passed, how many records were verified, how many legacy (pre-chain) records were found, the first failing position when verification fails, and the expected vs. actual hash for that position. The verifier is fully local — it does not need a network connection, an account, or the desktop app.
Local-only scope. Local hash-chain verification detects edits to the existing log, but external anchoring or immutable storage is required for stronger protection against full local log rewrite. The chain proves consistency of the file as you read it now; it cannot prove that an attacker with full local file control did not rewrite the entire file and recompute every hash. For higher assurance, you can mirror agent-tool events to a separate append-only store you control (for example Postgres with WAL archiving, an object store with object lock, or a write-only sink in another network). External immutable anchoring is not built into the gateway today; it is on the Enterprise roadmap (see the capability-state table below).
Agent tool calls go through the same risk engine as Console queries: rules classify each statement as low / medium / high risk and decide whether to allow, warn, require approval, or block. On the agent path the engine is biased toward fail-closed: when the SQL parser cannot extract risk facts, when a probe fails, or when a multi-statement input mixes safe and unsafe operations, the agent path requires approval rather than auto-allowing. The Console (human) path may be more permissive on the same edge cases by design — see RBAC and audit for the full rule list.
FutrixData's AI Chat, schema knowledge, and ER-assistance features may include schema metadata — table names, column names, indexes, comments, types — in prompts to the LLM provider you configured. This is on a separate path from query result rows. Result masking does not automatically cover schema metadata, because the schema is the question, not the data.
The desktop app exposes an explicit setting to enable or disable schema metadata transmission per data source. Each schema-to-LLM transmission is recorded so you can audit what schema left your machine, when, and to which provider. See the FAQ below for what to check before pointing FutrixData at databases whose schema itself is sensitive.
This is the current implementation state of the security capabilities the rest of the marketing site references. We update this table when capabilities ship.
| Capability | State |
|---|---|
| Local encrypted stores for credentials, datasources, sensitivity rules, agent identities, audit history | Implemented |
| Local root key initialized at first launch (before login) | Implemented |
| Per-agent access keys with revocation | Implemented |
| Risk rules and approval gates on Console + agent paths | Implemented |
| Conservative parser / probe failure behavior on agent paths | Implemented |
| Secret-backed deterministic HMAC masking on agent result path | Implemented |
| Agent audit history (local) | Implemented |
Local hash-chain audit + audit verify CLI | Implemented; local verification only |
| External immutable audit anchoring | Not implemented; Enterprise candidate |
| Schema-to-LLM controls + transmission record | Implemented |
| Slack / email approval workflow | Not implemented |
| External SIEM export | Not implemented |
| Team RBAC with roles, permissions, environment + schema scopes | Enterprise edition only |
| SOC 2 / ISO 27001 certification | Not certified |
# Detects modified, deleted, inserted, or reordered records inside the chain.
# Legacy rows written before the chain feature are reported separately.
futrixdata-cli audit verify --json{
"pass": true,
"verified_records": 1287,
"legacy_records": 4,
"total_records": 1291,
"source": "file",
"path": "/Users/you/.futrixdata/agent_audit.jsonl",
"chain_version": "local-sha256-v1"
}It can, on the AI-Chat / schema-knowledge / ER-assistance paths. Schema metadata may include table names, column names, types, indexes, and comments. This is a separate data path from query result rows — result masking does not automatically cover schema metadata. The desktop app exposes a per-data-source setting to enable or disable schema-to-LLM transmission, and each transmission is recorded so you can audit it. If the schema itself is business-sensitive (KYC tables, internal codes, regulatory tables), disable the toggle for that data source.
It means the audit log is locally hash-chained and a CLI verifier can detect modified, deleted, inserted, or reordered records inside the chained section. It does not mean the audit log is immutable storage. An attacker with full local file control can rewrite the entire log and recompute every hash; the chain cannot detect that scenario. For higher assurance, mirror events to an external append-only store. See limitations.
They stay on the host where FutrixData runs — your desktop for solo use, or the Enterprise gateway server for team / VPC deployments. They are not stored in shared config, in agent prompts, or in third-party LLM context. The local store is encrypted at rest from first launch using an OS-keyring-backed root key.
The hosted license server sees what is required for billing and license issuance — account identity, license state, anonymized usage counts. It does not see database credentials, query bodies, schema metadata, or agent audit entries. The Enterprise (self-hosted) gateway has no telemetry path back to FutrixData by design.
Desktop releases are signed (macOS notarized, Windows signed). Release artifacts publish digests on GitHub. The hash-chain audit and the masking algorithm are documented and testable end-to-end on any local install — this page links to limitations so you can decide whether the local verifications are sufficient for your environment.
No. FutrixData is not a certification. Your organization still owns its SOC 2, ISO 27001, GDPR, or HIPAA program. The gateway gives you concrete artifacts those programs typically ask for — per-user / per-agent identity, hash-chained audit entries with a verifier, and result masking — but the certification itself is yours.
Free desktop app on macOS, Windows, and Linux. Self-hosted Enterprise Edition for production deployments.