Control & data plane

Architecture

Most database security tools put a third party in the query path — meaning your data flows through infrastructure you do not control. Safe Boundary separates policy management from query execution: the control plane runs in SB Cloud and never sees query content; the proxy runs as a lightweight container inside your VPC and never phones home with data.

Spectral Core — Established 2004 · Microsoft Partner · Google Partner · ISO 27001 Certified

Try Free Get in Touch See pricing

Control-plane / data-plane separation

Policies, identity mappings, and audit metadata are managed in the SB Cloud control plane. The actual proxy — the component that intercepts, analyzes, rewrites, and forwards SQL — runs entirely within your infrastructure. Query content and query results never leave your environment.

Drop-in deployment: one port change

Deploying Safe Boundary requires changing the port in your database connection string to point at the proxy. No application code changes. No Postgres extensions. No schema migrations. The proxy is transparent to the application; it speaks the standard Postgres wire protocol.

Built for performance: .NET Native AOT

The proxy is built with .NET Native AOT compilation, which eliminates JIT overhead and produces a compact, self-contained binary. This architecture is a primary reason Safe Boundary adds less than 1 millisecond of latency to the query path under production load.

Runs anywhere your VPC runs

The proxy ships as a container and runs on any infrastructure that can run containers — AWS, GCP, Azure, on-premises, or hybrid. No vendor lock-in to a specific cloud or managed database service.

Deploy Safe Boundary in your VPC — connect your Postgres with a single connection string change.

Get in Touch Try Free See pricing