SECURITY

Enterprise Security. From Day 1, Not Phase 3.

HatiData deploys inside YOUR VPC. Your encryption keys. Your network. Your audit trail. We never see your data.

In-VPC · CMEK · PrivateLink · SOC 2

ARCHITECTURE

Your VPC. Your Data. Always.

Every component runs inside your AWS account. The only external connection is an AWS PrivateLink to our control plane.

Your VPC
HatiData Proxy

Postgres wire-compatible proxy. TLS 1.3. Handles auth, RBAC, column masking, and SQL transpilation.

DuckDB Engine

Single-tenant analytical engine. In-process with the proxy -- no network hop. Columnar execution.

NVMe Cache

Dedicated NVMe SSD for hot data. AES-256-XTS encrypted with your CMEK. Two-tier L1/L2 cache.

S3 (Iceberg)

Apache Iceberg tables in your S3 buckets. SSE-KMS encrypted. Zero vendor lock-in.

AWS KMS (CMEK)

Customer-managed encryption keys. Controls encryption for NVMe cache, S3 storage, and audit logs. You own the keys.

Encrypts NVMe + S3 + Audit Logs

PrivateLink (TLS 1.3)
HatiData VPC
Control Plane

Manages configuration, billing, and updates. Never sees your data. Connected via AWS PrivateLink only.

Config, billing, updates only. Never sees your data.

Control plane: No data access · No public endpoints · SOC 2 in progress

Diagram legend: Your VPC boundary · Secure data path · CMEK encrypted · Control plane (no data)

ENCRYPTION

Encrypted at Every Layer

Six layers of encryption from client to storage. Your keys, your control.

| Layer | Protocol | Key Management |
| --- | --- | --- |
| Client → Proxy | TLS 1.3 | Auto-rotated certificates |
| Proxy → DuckDB | In-process | N/A (same process) |
| NVMe Cache | LUKS AES-256-XTS | Customer CMEK via KMS |
| S3 Storage | SSE-KMS (AES-256) | Customer CMEK via KMS |
| Audit Logs | SSE-KMS + Object Lock | Customer CMEK via KMS |
| Control Plane Link | PrivateLink (TLS 1.3) | AWS-managed |

COMPLIANCE

From Deploy to SOC 2 in 180 Days

A clear path to full compliance, starting from the moment you deploy.

Day 1

Deploy In-VPC

HatiData runs in your AWS account. Your existing SOC 2 controls cover the data plane.

Day 7

Security Review

Architecture review with your security team. SIG Lite questionnaire completed.

Day 14

Shadow Mode Complete

7-day comparison report delivered. Full compatibility matrix.

Day 30

Production Ready

Cutover from legacy warehouse. All audit trails active.

Day 90

SOC 2 Type I

HatiData control plane SOC 2 Type I report available.

Day 180

SOC 2 Type II

Type II observation period complete. Full report available.

GOVERNANCE

CISO Approval Checklist

Everything your security team needs to say yes.

  • Data never leaves your VPC
  • Customer-managed encryption keys (CMEK)
  • Zero public internet traversal (PrivateLink)
  • Immutable query audit logs (S3 Object Lock, 7yr retention)
  • Role-based access control with column masking
  • SOC 2 Type II (in progress, Day 180)
  • DPA/MSA/BAA templates available

WHITEPAPER

Download the Security Whitepaper

Full technical deep-dive: encryption architecture, network topology, compliance controls, and audit trail design.

HatiData Security Whitepaper

PDF · 24 pages

Your CISO Will Thank You.

In-VPC deployment. CMEK encryption. PrivateLink. Immutable audit logs. Security that's built in, not bolted on.