Policy as data, enforced server-side
RBAC, masking, RLS and audit declared on the view — not bolted onto each consumer. Compliance becomes a property of the data, not a runbook.
One layer for every control
RBAC, masking and audit travel with the view — every consumer inherits them by default.
RBAC by tenant + role
Roles — admin, data_steward, analyst, viewer — gate every column. Postgres RLS enforced server-side, not in your app.
Column-level masking
Mask email, cpf, phone or any tagged column. Mask once on the view — no per-consumer wiring, no leaks.
Audit you can prove
Every query, allow and deny lands in an immutable trail. Stream to your SIEM, query it like any view.
Declared once, enforced everywhere
Four steps. Audit-ready from minute one.
Declare
policy as code · pii.masked · audit.all
Attach
view · column · role · tenant scope
Evaluate
server-side · before any byte returns
Audit
trail · siem · revoke · explain
Policies are just code
Version them in Git, attach them via API, audit them like any other view.
from sofi import Sofi

sofi = Sofi(api_key="YOUR_KEY")

# Declare the masking rules for the PII columns once and turn auditing on.
policy = sofi.policy.create(
    name="customer_pii",
    rules=[
        {"column": "email", "action": "mask", "format": "***@{domain}"},
        {"column": "cpf", "action": "mask", "format": "***.***.***-{2}"},
        {"column": "phone", "action": "mask", "format": "***-***-{4}"},
    ],
    audit=True,
)

# Attach the policy to the view for the roles it applies to.
policy.attach(view="customer_360", roles=["analyst", "viewer"])

Compliance that runs itself
LGPD, SOX, multi-tenant — the same policy primitives cover all of it.
// pattern
LGPD compliance
Mask PII at the federation layer. Prove access trails per data subject. Honor erasure and consent without rewriting consumers.
// pattern
Multi-tenant SaaS
Postgres RLS isolates tenants. One view definition, zero cross-tenant leaks — even when analysts share dashboards.
// pattern
Audit-ready by default
SOX, ISO 27001, SOC 2 — every query is recorded with actor, role, view and outcome. Export the trail to any SIEM.
// pattern
Granular consent
Honor per-column consent flags from your consent service. A revoked consent removes the column without redeploys.
Enforcement that never slows you down
Sub-12 ms policy evaluation, 100% audit coverage, RLS-backed isolation.
<12 ms
policy eval p95
Policies evaluate inline with the federation plan — no extra hop, no extra service to scale.
100%
audit coverage
Every allow and deny is recorded. Trails are immutable, exportable and queryable like any view.
5+
policy actions
Mask, redact, hash, tokenize, deny — composable per column, per role, per tenant.
RLS
enforced in Postgres
Row-level security on every tenant table. Tenant boundaries hold even when consumers connect via SQL.
Questions about Govern
What CISOs and DPOs ask before adopting Govern as the policy layer.
Server-side, inside the federation engine, before any column leaves the perimeter. The view consumer never sees the unmasked value — there is no client-side enforcement to bypass.
// ready to govern
Make compliance a property of the data.
Declare a policy once, attach it to every consumer, prove it any time. Trial includes RLS, masking and SIEM streaming.