How Isofold Handles Data

Isofold is designed to operate without retaining any sensitive data. It processes SQL queries in transit and guarantees that:

  • Query results are never stored
  • Sensitive input is not logged
  • All computation happens in-memory or in a configured warehouse

Query Lifecycle

Each query follows this lifecycle:

  1. Ingress The query arrives at the Isofold proxy via HTTP, JDBC, or native wire protocol.

  2. Rewrite Phase The SQL is parsed, transformed, and optionally verified.

  3. Execution Phase The rewritten query is sent to your data warehouse. Results are streamed back directly to the client.

  4. Egress The original query and its result are discarded unless verification mode is enabled.

Logging & Redaction

By default, Isofold logs only the following:

  • Query fingerprint (e.g. hashed SELECT pattern)
  • Warehouse used
  • Execution metadata (latency, cost, rewrite path)
  • High-entropy trace ID

No SQL contents or results are persisted.

You may enable full SQL logging in test environments using:

export ISOFOLD_LOG_QUERIES=true

We strongly advise against enabling full SQL logging in production environments.

Data Residency

  • Hosted mode: All query processing occurs in transit, at the Fly.io edge region nearest to the client.
  • Self-hosted mode: Data never leaves your environment. Isofold can run inside the same region or VPC as your warehouse.

Supported Isolation Levels

Deployment ModeData RetentionTLS RequiredVPC IntegrationLogging Scope
Hosted (Default)NoneYesFingerprints only
Self-hosted (VPC)NoneOptionalConfigurable
Debug ModeOptionalYes✓ / ✕Full query + result

Next: View the Security Network Diagram