Security in Isofold

Isofold is built for secure, production-grade environments. Whether you use the hosted service or deploy it yourself, security is a core part of the architecture.

This page outlines how Isofold handles:

  • Query data
  • Authentication
  • Isolation
  • Auditing

Zero Data Persistence

Isofold does not store:

  • Query results
  • Customer datasets
  • Authorization tokens

Queries are processed in-memory and streamed directly to your warehouse. Logs contain metadata only—never full payloads—unless explicit debug logging is enabled.


TLS and Encryption

  • All traffic between clients and the hosted Isofold proxy is encrypted via TLS 1.3.
  • Self-hosted deployments can terminate TLS using your own certificate or a load balancer.
  • Internal traffic (e.g. rewrite → warehouse) can be secured via mutual TLS or private VPC routing.

Role-Based Access

You can configure scoped API keys and proxy endpoints per team or environment.

  • API keys can be restricted by IP, warehouse, or role
  • Proxy endpoints are isolated at the DNS layer
  • All requests are logged with high-entropy trace IDs

Verification Mode

Verification mode provides an audit mechanism by comparing the results of original and rewritten queries.

export ISOFOLD_VERIFY_MODE=true

This is particularly useful for:

  • Staging environments
  • High-assurance workloads
  • Change management pipelines
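The comparison idea behind verification mode, as an added illustration (this is not Isofold's own code): both queries run against a constructed in-memory SQLite table, and the audit record carries only row counts, digests and a random trace ID, never row contents. The function names, record fields and sample queries are assumptions made for the example.

```python
import hashlib
import json
import secrets
import sqlite3
from collections import Counter

def result_digest(rows):
    """Order-insensitive digest of a result set; duplicate rows are counted."""
    counts = Counter(json.dumps(list(r), default=str) for r in rows)
    h = hashlib.sha256()
    for row, n in sorted(counts.items()):
        h.update(f"{n}:{row}\n".encode())
    return h.hexdigest()

def verify(conn, original_sql, rewritten_sql):
    """Run both queries and return a metadata-only audit record (hypothetical shape)."""
    orig = conn.execute(original_sql).fetchall()
    new = conn.execute(rewritten_sql).fetchall()
    d_orig, d_new = result_digest(orig), result_digest(new)
    return {
        "trace_id": secrets.token_hex(16),  # 128 random bits, not guessable
        "original_rows": len(orig),
        "rewritten_rows": len(new),
        "original_digest": d_orig,
        "rewritten_digest": d_new,
        "match": d_orig == d_new,
    }

def demo():
    # Constructed sample data and queries, for illustration only.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, region TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "eu", 10.0), (2, "us", 25.5), (3, "eu", 7.25), (4, "us", None)])
    original = "SELECT region, SUM(total) FROM orders GROUP BY region"
    # Equivalent rewrite: same rows, different shape and output order.
    good = ("SELECT region, SUM(total) FROM (SELECT region, total FROM orders) "
            "GROUP BY region ORDER BY region DESC")
    # Faulty rewrite: same row count, different aggregate for one region.
    bad = "SELECT region, SUM(total) FROM orders WHERE total > 8 GROUP BY region"
    return verify(conn, original, good), verify(conn, original, bad)

if __name__ == "__main__":
    for record in demo():
        print(json.dumps(record))
```

The faulty rewrite returns the same number of rows as the original, so a row-count check alone would pass it; only the content digest exposes the difference. Floating-point aggregates can differ in the last digits between engines, so a real comparison may need to round or normalize values before hashing.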

Self-Hosting Security Tips

If you’re deploying Isofold in your own infrastructure:

  • Run the proxy in a private subnet
  • Disable verification mode unless needed
  • Rotate environment variables or API keys periodically
  • Limit egress to only your data warehouse

Compliance and Audit

Isofold is designed to help with compliance-aligned operations:

  • Compatible with SOC 2 audit trails (via verification logs)
  • Optional full query diffs for security review
  • Self-hosted logs can be pushed to your SIEM

You retain full control over your data. Isofold never accesses storage systems or requires schema introspection.

