Query Analytics & Logging
Every sensitive system produces queries, but most teams cannot answer “who queried the users table at 2 AM, what did the SQL look like, and what did they get back?” Safe Boundary logs every query, block, rewrite, and mask event in structured format with full identity context, ready for compliance reporting and operational investigation.

Structured logs with full query context
Each log entry includes the authenticated identity (human or agent), source IP, original SQL, rewritten SQL, whole application, the masked/unmasked rule, data-classification tags, outcome, and timestamp. Logs are machine-readable and integrate with your existing SIEM or log-aggregation pipeline.
The same records feed dashboards, alerts, and ad-hoc investigations. Filter by identity, policy, table, or time window from a single query language, with no separate logging stack and no custom parsers to maintain.
Audit-ready for SOC 2, HIPAA, and PCI-DSS
The log schema is aligned with the access and change-event requirements of SOC 2 Type II, HIPAA audit controls, and PCI-DSS logging requirements. Spectral Core has SOC 2 Type II in progress and is ISO 27001 certified.
Access events with subject identity
Every read, write, and schema change is recorded with the verified human or agent identity that issued it. This is exactly the access-event format that SOC 2 CC6 controls and HIPAA 164.312(b) audit logs require, with no extra instrumentation in your application.
Change events with full SQL
INSERT, UPDATE, DELETE, and DDL events are captured with the original SQL, the rewritten SQL if any, and the matching policy. Auditors can replay the change history of any sensitive table without asking engineering to dig through database logs.
Retention and export controls
Per-domain retention windows, signed exports, and configurable archival to S3 Object Lock or any WORM backend. The default schema satisfies the seven-year retention required by PCI-DSS 10.5 out of the box, with no custom pipelines needed.
You do not need to build a separate logging layer to satisfy auditor requests.
Query analytics across all identities
The Safe Boundary dashboard surfaces query volume, block rates, PII exposure events, and policy match frequency across all human and agent identities. Identify which agent is generating the most risk, which query patterns are triggering blocks, and which tables are accessed most frequently.
AI startups on Supabase
Track which agent prompts produce risky SQL. Spot the moment a model starts drifting before it reaches production data.
FinTech & payments
Replay every cardholder-data query end to end. The PCI assessor gets evidence; you get back hours of audit prep time.
FinTech & payments
Detect anomalous spikes in payments-table reads in real time and investigate before a breach report writes itself.
Immutable, tamper-evident log stream
Each entry is hash-chained to the previous one and signed with a rotating write key, so any retroactive edit breaks the chain and is visible at the next verification. The log is the evidence, not a copy of it.
Logs are written in the data plane inside your VPC and forwarded to the control plane for visibility. The control plane never sees raw query content; it receives structured metadata only, so your sensitive data never leaves your environment.
Hash chain every entry; tampering invalidates the chain.
Write key rotation for forward-confidentiality.
Integration with immutable storage: S3 Object Lock, WORM backends.
Archival retention schedule configurable by log domain.
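
A minimal sketch of the hash-chain-and-verify scheme described above, added here as an illustration and not Safe Boundary's implementation. HMAC-SHA256 stands in for the signature, and the key ids, field names and log records are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed write keys indexed by key id; rotation means newer entries use a newer id.
WRITE_KEYS = {1: b"constructed-key-epoch-1", 2: b"constructed-key-epoch-2"}
GENESIS = "0" * 64  # prev value of the first entry

def entry_digest(record, prev_hash, key_id):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps({"record": record, "prev": prev_hash, "kid": key_id},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()

def sign(key_id, entry_hash):
    return hmac.new(WRITE_KEYS[key_id], entry_hash.encode(), hashlib.sha256).hexdigest()

def append(chain, record, key_id):
    """Link a new entry to the current tail and sign its hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry_hash = entry_digest(record, prev_hash, key_id)
    chain.append({"record": record, "prev": prev_hash, "kid": key_id,
                  "hash": entry_hash, "sig": sign(key_id, entry_hash)})

def verify(chain):
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev_hash = GENESIS
    for i, e in enumerate(chain):
        if e["kid"] not in WRITE_KEYS or e["prev"] != prev_hash:
            return i  # unknown key, or link to predecessor broken (edit, delete, reorder)
        if entry_digest(e["record"], e["prev"], e["kid"]) != e["hash"]:
            return i  # record content no longer matches its stored hash
        if not hmac.compare_digest(sign(e["kid"], e["hash"]), e["sig"]):
            return i  # hash was recomputed by someone without the write key
        prev_hash = e["hash"]
    return None

def build_sample():
    """Constructed log records; the second key id models a rotated write key."""
    chain = []
    append(chain, {"identity": "agent-7", "sql": "SELECT id FROM users", "outcome": "allowed"}, 1)
    append(chain, {"identity": "alice", "sql": "DELETE FROM users", "outcome": "blocked"}, 1)
    append(chain, {"identity": "agent-7", "sql": "SELECT email FROM users", "outcome": "masked"}, 2)
    return chain
```

Chain verification alone does not detect entries truncated from the tail; the latest hash has to be anchored somewhere the writer cannot alter, such as the WORM storage listed above.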
Connect Safe Boundary and get full query observability across your database fleet from day one.
Free for 1 database. No credit. No time limit. Full AI SQL Injection prevention.