Build a dam for your data
DataDam is the governed control plane between your AI agents and your enterprise data. Every request authenticated, policy-evaluated, masked where required, and written to an immutable audit log.
// no credit card . self-hosted in your environment . up in 5 minutes
The agent era broke governance
Agents don't read like analysts. They read fast, broad, recursive. Every API key is a fan-out vector. Every chat turn is a new lineage edge. By the time legal asks "what did the model see?" the answer is in a thousand places, and not one of them is the audit log.
An IDE assistant with read-all access becomes a credential that touches every column on every prompt. The breach is silent. The audit trail is whatever the model decided to log.
"We had no idea our IDE assistant was reading customer SSNs until a developer paste-bombed a finding into Slack."
The rule that says "marketing can't read PHI" is a paragraph in a Confluence page. The role that grants it is a Snowflake grant tweaked six months ago. Drift is the default. Detection is the surprise.
"Our data contracts are real. They are also nowhere a query plan can see them."
Most "AI governance" is a wrapper that tells the model to behave. That's not governance. That's an honor system in production. Auditors don't accept "we asked nicely."
"Compliance asked for an immutable log. The vendor sent a Datadog dashboard."
If the rule isn't enforced before the bytes leave the database, the rule isn't enforced. DataDam makes that line a real boundary, not a policy document.
"We finally have a place where 'who can read what' is a function, not a feeling."
How it works
Drop the container next to your databases. Point your agent's connection string at it. The agent thinks it's talking to Postgres. Your governance team thinks it's the best Tuesday of the quarter.
The agent points its connection string at the proxy. No SDK. No wrapper. Postgres on the wire, MySQL on the wire, Mongo, S3, MCP. Same shape, same drivers.
Every query is parsed, classified, masked, and policy-checked before the connector talks to the database. Contracts, trust scores, anomaly thresholds, kill switches: enforced, not advisory.
OpenLineage events for every read, denial, and mask. Append-only, tamper-evident, exportable to Splunk, Datadog, Elasticsearch, or your SIEM. The audit answer ships with the audit question.
| a***@acme.com | |
| ssn | ***-**-**** |
| phone | +1-***-***-1234 |
| alice@acme.com | |
| ssn | 489-12-1234 |
| phone | +1-415-555-1234 |
One row, two views
Same SQL. Same row in your database. The proxy strips, masks, or generalizes by role before the response reaches the agent. Operators get activity attribution; agents get governed values.
Operator view
/audit?agent=bi-runner
agent_id bi-runner role viewer source customers table customers column email classification pii.email mask_mode generalize_email count_24h 47 detections_24h 47 (all generalized) denied_24h 0 trust_score 820 (allowed)
The console shows who accessed what, how often, with which mask applied. The operator never sees a row value either; they see the classification and the count.
Agent view
POST /customers/query
[
{
"id": "7f3a-...",
"name": "Alice Liddell",
"email": "*@wonderland.test",
"ssn": "***"
},
{
"id": "9c1b-...",
"name": "Bob Cratchit",
"email": "*@buildit.test",
"ssn": "***"
}
]The agent's tool call returns governed values. Names pass (not classified PII in this contract); emails generalize to the domain; SSN redacts to placeholder. The mask runs inside the proxy on the row in memory, before bytes leave the proxy host.
Same data. Two views. Operator sees activity, classification, and mask attribution. Agent sees the governed row. Neither sees the raw values directly. The mask map is deterministic and authored by the operator in your data contract.
Tag-driven governance. No LLM in the loop.
What it does
Each layer is deterministic. Each layer is auditable. None of them ask the model to behave.
Runtime PII detection flags entities on un-contracted columns. ODCS contracts mask declared columns. Tokenize mode lets you reverse the mask via an audited admin call.
The Open Data Contract Standard, enforced at the proxy. Drift detection, freshness SLAs, schema stability. Versioned, immutable once active, deprecation paths.
Every read, every mask, every denial. OpenLineage-shaped, exportable to Splunk, Datadog, Elasticsearch, or your SIEM. DB-level UPDATE/DELETE prevention. Immutable means immutable.
Five components, 200 points each. Contract validity, freshness, schema stability, availability, ownership. Block below threshold, warn above. The agent learns the source is stale before the model does.
Three statistical detectors over 14-day rolling baselines: volume z-score, novelty, time-of-day. Multi-step threats correlate across windows. No LLM in the detection path.
One click stops an agent, source, or org. Recommendations surface idle agents, uncontracted sources, high-denial roles. Cohort intelligence (k=5) flags drift against industry peers.
Connectors
Postgres, MySQL, MongoDB, and S3 ship as first-party connectors today. The MCP gateway fans out to any MCP server you register. The proxy authenticates every agent, evaluates every request against your contracts and policies, masks fields per role, and writes the decision to an immutable audit log. Same governance pipeline for every source.
Data sources
MCP servers
Plus any MCP server you register. Common operator additions: Workday, ServiceNow, Google Workspace, Slack, Zoom, Zendesk, and any internal MCP tool your team builds. Register the upstream once and DataDam authenticates, governs, and audits every call.
First-party connector roadmap
Native, contract-aware connectors planned for premium tiers: Salesforce, Slack, Jira, ServiceNow, HubSpot, SharePoint. Custom first-party connectors are available on Enterprise plans.
Brand marks shown above identify the data systems DataDam connects to, used under nominative fair use. We do not imply partnership, endorsement, or commercial relationship with the named companies.
Six regulated verticals. Each gets pre-configured policy templates, the right audit retention floor, and a vocabulary the auditor recognizes.
PHI auto-masked at the proxy. Patient identifiers tokenized so analytics agents work without ever seeing real MRNs.
MNPI fenced at the contract layer. Trading agents and research agents get the data they need; the data they don't is a 403.
Privileged content stays privileged. Append-only audit trail per query, exportable on demand to your SIEM or eDiscovery flow.
Self-hosted, air-gapped, on-prem-ready. The control plane never sees query content; the proxy never calls home for policy.
PII masked at the column level. Claim-bot reads policy metadata without ever touching the underwriting file's medical fields.
Per-role scoping for student records and grades. Tutoring agents see what their cohort allows; admin queries are audited row-by-row.
Trust boundary
The proxy runs in your environment, on your Postgres, behind your firewall. The control plane (this site, your console at app.mydatadam.com) sees rollup metadata and contract definitions only.
Zero query content. Zero row values. Zero PII. Ever.
How DataDam compares
Five rows that summarize the difference. See the full breakdown on the Compare page.
| Capability | Data catalog | DLP | IAM / SSO | API gateway | DataDam |
|---|---|---|---|---|---|
| Documents what data exists | Yes | No | No | No | Imports from catalog |
| Enforces who reads what at runtime | No | Partial (post-hoc) | Coarse | Per-endpoint | Per-field, per-role |
| Masks PII before agent sees it | No | Detect-only | No | No | Yes (200+ entity types) |
| Immutable audit log per request | No | Partial | Coarse | Yes | Yes |
| Built for non-deterministic AI callers | No | No | No | No | Yes |
Pricing
DataDam is in early access. Every tier ships the full governance engine; final pricing lands at general availability. Join the waitlist to lock in early access.
Forever. The wedge.
For teams in early production.
For teams under audit pressure.
For 200+ agents, multi-region, SLA.
Frequently asked
Eight questions every CISO and platform team has worked through. If yours is missing, contact us.
A governance layer that sits between AI agents and the data sources they query. It authenticates each request, evaluates it against policy, masks fields per role, and writes the decision to an immutable audit log. DataDam is the first product in this category.
Catalogs document what data exists. DataDam enforces who can read what at runtime. The catalog answers "what does our company have"; DataDam answers "what is this agent allowed to read right now." They complement each other.
In your environment. Cloud, on-prem, or air-gapped. The proxy runs with your credentials, against your data sources. The control plane only sees rollup telemetry and policy configuration. No query content, no row values, no PII ever crosses to DataDam.
The proxy adds a few milliseconds for policy evaluation and field masking. PII detection on un-contracted sources is the heaviest path and runs inside your environment against the proxy CPU. For contracted sources the path is essentially zero overhead.
Postgres, MySQL, MongoDB, S3 at launch. Salesforce, Slack, Jira, ServiceNow, HubSpot, SharePoint follow as premium connectors. Custom connectors are available on Enterprise.
Each framework ships as a policy template inside the product. Apply the template and the proxy sets trust thresholds, mask defaults, and audit retention to values aligned with that framework. Evidence endpoints export rollups and change logs for auditor delivery in CSV or JSON. The templates help you meet your compliance obligations.
Not yet. The company has not been audited or attested to SOC 2, HIPAA, or any other framework. Certification of DataDam itself is a separate workstream we will pursue when there is customer demand and operational maturity to support it. We will update this page when it is real, not before. The product is designed so a customer can meet their own compliance obligations through configurable policy templates, audit retention, and architecture (customer data stays in your environment).
Enterprise tier deploys the proxy on-premise with the SaaS control plane. Air-gapped tier deploys both proxy and control plane on customer infrastructure with a signed license file bound to specific hardware.
The runtime governance engine, Microsoft Agent Governance Toolkit, is MIT licensed. The DataDam product (control plane, console, connectors, compliance blueprints) is commercial. Customer SDKs are MIT licensed and live on GitHub.
The proxy starts in 5 minutes. The first audit row lands within 30 seconds of your first agent query. Procurement doesn't get to slow this one down.