FutrixData logo FutrixData
Trust & security

How FutrixData Handles Your Data — Local Execution, Local Secrets, Local Audit

FutrixData runs against your databases from your machine (or your VPC for the Enterprise gateway). Database credentials, sensitivity rules, and audit history live locally and encrypted. This page documents the data paths, what the gateway does on each one, and what the gateway explicitly does not do — so you can validate it against your own threat model.

Data paths at a glance

FutrixData has three data paths. They are intentionally separate and behave differently:

Where credentials and secrets live

Database credentials, datasource definitions, agent identities, sensitivity rules, AI provider keys, and the agent audit history are stored locally. From first launch the daemon uses a local encrypted store backed by an OS-keyring root key, so these files are encrypted at rest before any login takes place. If the OS keyring is unavailable on a given platform, the daemon surfaces a plaintext-fallback warning rather than silently downgrading.

None of these values are uploaded to FutrixData servers. The hosted gateway and license server only see what is required for billing and licensing — not your database credentials or query bodies. See limitations for the inverse: the things FutrixData does not protect against.

Result masking is secret-backed, deterministic, and one-way

On the agent result path, sensitive values are replaced with stable pseudonymous hashes. The substitution is a deterministic HMAC backed by a local secret stored in OS-level secret storage. The hash for a given input is stable inside an install (so analysts and agents see consistent values across calls) but cannot be reversed without that local secret.

Deterministic masking reduces leakage surface — it is not full anonymization. Two callers with the same secret will see the same hash; an attacker with full local-host control can recompute hashes for known inputs. See masking limitations.

Local hash-chain audit and the verify command

Every agent tool call writes an entry to the local agent audit log. New entries are hash-chained: each row carries the SHA-256 hash of the previous row, plus a payload hash and chain version. A built-in CLI command verifies the chain end-to-end and detects modified, deleted, inserted, or reordered records inside the chained section.

Run the verifier:

What the verifier reports

The JSON output includes whether verification passed, how many records were verified, how many legacy (pre-chain) records were found, the first failing position when verification fails, and the expected vs. actual hash for that position. The verifier is fully local — it does not need a network connection, an account, or the desktop app.

Local-only scope. Local hash-chain verification detects edits to the existing log, but external anchoring or immutable storage is required for stronger protection against full local log rewrite. The chain proves consistency of the file as you read it now; it cannot prove that an attacker with full local file control did not rewrite the entire file and recompute every hash. For higher assurance, you can mirror agent-tool events to a separate append-only store you control (for example Postgres with WAL archiving, an object store with object lock, or a write-only sink in another network). External immutable anchoring is not built into the gateway today; it is on the Enterprise roadmap (see the capability-state table below).

Risk-engine failure behavior on agent paths

Agent tool calls go through the same risk engine as Console queries: rules classify each statement as low / medium / high risk and decide whether to allow, warn, require approval, or block. On the agent path the engine is biased toward fail-closed: when the SQL parser cannot extract risk facts, when a probe fails, or when a multi-statement input mixes safe and unsafe operations, the agent path requires approval rather than auto-allowing. The Console (human) path may be more permissive on the same edge cases by design — see RBAC and audit for the full rule list.

Schema metadata to LLM providers

FutrixData's AI Chat, schema knowledge, and ER-assistance features may include schema metadata — table names, column names, indexes, comments, types — in prompts to the LLM provider you configured. This is on a separate path from query result rows. Result masking does not automatically cover schema metadata, because the schema is the question, not the data.

The desktop app exposes an explicit setting to enable or disable schema metadata transmission per data source. Each schema-to-LLM transmission is recorded so you can audit what schema left your machine, when, and to which provider. See the FAQ below for what to check before pointing FutrixData at databases whose schema itself is sensitive.

Capability state

This is the current implementation state of the security capabilities the rest of the marketing site references. We update this table when capabilities ship.

CapabilityState
Local encrypted stores for credentials, datasources, sensitivity rules, agent identities, audit historyImplemented
Local root key initialized at first launch (before login)Implemented
Per-agent access keys with revocationImplemented
Risk rules and approval gates on Console + agent pathsImplemented
Conservative parser / probe failure behavior on agent pathsImplemented
Secret-backed deterministic HMAC masking on agent result pathImplemented
Agent audit history (local)Implemented
Local hash-chain audit + audit verify CLIImplemented; local verification only
External immutable audit anchoringNot implemented; Enterprise candidate
Schema-to-LLM controls + transmission recordImplemented
Slack / email approval workflowNot implemented
External SIEM exportNot implemented
Team RBAC with roles, permissions, environment + schema scopesEnterprise edition only
SOC 2 / ISO 27001 certificationNot certified

Examples

Verify the local agent audit chain (any platform)
# Detects modified, deleted, inserted, or reordered records inside the chain.
# Legacy rows written before the chain feature are reported separately.
futrixdata-cli audit verify --json
Sample output (passing)
{
  "pass": true,
  "verified_records": 1287,
  "legacy_records": 4,
  "total_records": 1291,
  "source": "file",
  "path": "/Users/you/.futrixdata/agent_audit.jsonl",
  "chain_version": "local-sha256-v1"
}

Frequently asked questions

Does FutrixData send schema metadata to LLM providers?

It can, on the AI-Chat / schema-knowledge / ER-assistance paths. Schema metadata may include table names, column names, types, indexes, and comments. This is a separate data path from query result rows — result masking does not automatically cover schema metadata. The desktop app exposes a per-data-source setting to enable or disable schema-to-LLM transmission, and each transmission is recorded so you can audit it. If the schema itself is business-sensitive (KYC tables, internal codes, regulatory tables), disable the toggle for that data source.

What does "tamper-evident" mean here?

It means the audit log is locally hash-chained and a CLI verifier can detect modified, deleted, inserted, or reordered records inside the chained section. It does not mean the audit log is immutable storage. An attacker with full local file control can rewrite the entire log and recompute every hash; the chain cannot detect that scenario. For higher assurance, mirror events to an external append-only store. See limitations.

Where do my database credentials go?

They stay on the host where FutrixData runs — your desktop for solo use, or the Enterprise gateway server for team / VPC deployments. They are not stored in shared config, in agent prompts, or in third-party LLM context. The local store is encrypted at rest from first launch using an OS-keyring-backed root key.

What does FutrixData send back to FutrixData servers?

The hosted license server sees what is required for billing and license issuance — account identity, license state, anonymized usage counts. It does not see database credentials, query bodies, schema metadata, or agent audit entries. The Enterprise (self-hosted) gateway has no telemetry path back to FutrixData by design.

Are your releases verifiable?

Desktop releases are signed (macOS notarized, Windows signed). Release artifacts publish digests on GitHub. The hash-chain audit and the masking algorithm are documented and testable end-to-end on any local install — this page links to limitations so you can decide whether the local verifications are sufficient for your environment.

Is FutrixData SOC 2 / ISO 27001 / HIPAA certified?

No. FutrixData is not a certification. Your organization still owns its SOC 2, ISO 27001, GDPR, or HIPAA program. The gateway gives you concrete artifacts those programs typically ask for — per-user / per-agent identity, hash-chained audit entries with a verifier, and result masking — but the certification itself is yours.

Try FutrixData on your own database

Free desktop app on macOS, Windows, and Linux. Self-hosted Enterprise Edition for production deployments.