Skip to main content
The most common security question: “What data does AnomalyArmor actually see?” Here’s the complete answer.

What We Access

AnomalyArmor queries metadata and aggregate statistics only, never your actual row data. Every query is validated by our open-source Query Gateway before execution.
We AccessWe Never Access
Table namesRow data
Column namesActual values in columns
Data typesPII content
Timestamps (for freshness)Query results
Row countsBusiness-sensitive data
Constraint definitionsFile contents

The Queries We Run

During discovery, we query system catalogs: 
-- PostgreSQL example
SELECT table_name, column_name, data_type
FROM information_schema.columns
WHERE table_schema NOT IN ('pg_catalog', 'information_schema');

-- For freshness, we query MAX of timestamp columns
SELECT MAX(updated_at) FROM your_table;
We never run: 
SELECT * FROM your_table;  -- ❌ Never
SELECT email FROM users;   -- ❌ Never

Freshness Monitoring

For freshness checks, we query the maximum value of your designated timestamp column: 
SELECT MAX(created_at) FROM orders;
-- Returns: 2024-01-15 08:30:00
-- We see: "Last update was 30 minutes ago"
-- We don't see: Any actual order data

Data Storage

What We Store

Data TypeLocationEncryptionRetention
Database credentialsAWS (encrypted)AES-256-GCMUntil you delete
Schema metadataAWS RDSAES-256Account lifetime
Change historyAWS RDSAES-25690 days
Audit logsAWS S3AES-2561 year

What We Don’t Store

  • Your actual data values
  • Query results beyond metadata
  • Copies of your database

Data Flow

Data flow showing TLS 1.3 connection from your database to AnomalyArmor with encrypted storage
  1. Discovery engine connects via TLS 1.3
  2. Runs metadata queries against system catalogs
  3. Receives only schema information
  4. Stores encrypted in our infrastructure
  5. Your actual data never leaves your database

Compliance Implications

For GDPR

  • We don’t process personal data (only metadata)
  • DPA available if required
  • Data deletion on account closure

For HIPAA

  • No PHI accessed
  • BAA available for healthcare customers
  • Enhanced audit logging available

Verification

Want to verify what we access? You have multiple options:

Check Your Database Logs

-- PostgreSQL: Enable query logging
ALTER SYSTEM SET log_statement = 'all';
SELECT pg_reload_conf();

-- Filter for AnomalyArmor user
grep 'anomalyarmor' /var/log/postgresql/postgresql.log
You’ll see only information_schema queries and timestamp aggregations.

Audit the Query Gateway

Our Query Gateway is open source. Your security team can:
  1. Review the source code
  2. Run the 97+ security tests
  3. Verify exactly which queries are allowed at each access level

Common Questions

No. We can’t see your data because we never access it. Support staff can see metadata (table names, column names) to help troubleshoot, but never actual data values.
We see the column name “password” exists and its data type (e.g., varchar). We never see the actual password values stored in that column.
  1. Audit our open-source Query Gateway
  2. Check your database query logs
  3. Use a read-only database user with only SELECT on system catalogs
  4. Run a network packet capture during discovery

See Also

Query Gateway

Open-source SQL security layer

Security Overview

Full security documentation

Data Retention

How long we keep data