Overview
PrivaCI: In-VPC PostgreSQL Masking Demo
Two-minute demo: declare mask rules, dry-run, mask PostgreSQL to staging, verify-run, and export a signed compliance report. Runs entirely in your VPC.
PrivaCI runs as a one-shot container job inside your AWS VPC. It reads PostgreSQL source data, masks PII deterministically, and writes sanitized rows to a target database. No data leaves your network there is no SaaS control plane and no telemetry.
Both tiers include the full open-source masking engine (regex + NER detection, deterministic faking, referential integrity, resumable streaming runs). The paid tiers add commercial capabilities on top:
- Deterministic keyed masking (hmac_hash / pseudonym) stable pseudonyms across tables and runs.
- JSONB path masking mask fields inside JSONB documents by path.
- FK-aware data subsetting copy one tenant to staging with foreign-key closure, not the whole database.
- Schema-drift detection fail CI when the schema changes out from under your mask rules.
- Strict-gate CI preview sample rows, policy diff, and SARIF output for pull-request gates.
- Ed25519-signed compliance reports tamper-evident JSON (plus Markdown / PDF summaries) mapped to common control frameworks.
Requirements: a PostgreSQL source and target, and a container runtime (Amazon ECS or docker run for v1; EKS / AWS Batch / Kubernetes CronJob on request). Entitlement is resolved at job start via AWS License Manager; the task role needs only license-manager:CheckoutLicense / CheckInLicense.
Highlights
- In-VPC batch job: mask PostgreSQL inside your VPC with no SaaS data exfiltration
- Realistic staging at any size: FK-aware subsetting copies one tenant with referential integrity intact
- Audit-ready Ed25519-signed compliance reports and schema drift evidence for CI
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Dimension | Description | Cost/month |
|---|---|---|
Standard | Flat monthly tier for teams that need realistic, safe PostgreSQL staging data. Run PrivaCI as a one-shot container job in your VPC. Includes the full masking engine plus deterministic keyed masking (hmac_hash / pseudonym) and JSONB path masking. No source-database or data-volume limits. | $149.00 |
Compliance | Flat monthly tier for regulated and platform teams. Everything in Standard plus FK-aware data subsetting (copy one tenant to staging with referential integrity), schema drift detection for CI gates, strict-gate CI preview with SARIF, and Ed25519-signed compliance reports. No source-database or data-volume limits. | $749.00 |
Vendor refund policy
PrivaCI refunds: AWS bills via Marketplace. Full refund if you cancel within 48 hours of purchase (AWS standard). After 48 hours, contact support@boundarylogic.io with AWS account ID, subscription date, and reason; we review case-by-case (billing errors, duplicate subs). Support: https://boundarylogic.io/support
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
ECS Fargate one-shot batch job
- Amazon ECS
Container image
Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.
Version release notes
What's fixed License validation on startup: Resolved an issue where entitled Marketplace subscribers could see exit code 5 ("No active subscription entitlement") at the start of every run. License Manager checkout now works reliably when the task or instance IAM role has the correct permissions.
What you need to do New deployments: Use image tag 1.0.11: 709825985650.dkr.ecr.us-east-1.amazonaws.com/boundarylogic/privaci-commercial:1.0.11 Existing deployments on 1.0.10 or earlier: Update the image tag in your ECS task definition (or equivalent) to 1.0.11 and redeploy. No changes to mask-rules.yaml, secrets, or tier selection are required.
Additional details
Usage instructions
After subscribing, deploy PrivaCI in your VPC as a one-shot batch job. Recommended path: Amazon ECS Fargate + CloudFormation Quick Launch.
-
One-time per AWS account (before your first run): Open AWS License Manager in the console and complete "Start using License Manager" to grant permissions. Without this step, the first run may fail with exit code 5 and "Service role not found". https://docs.boundarylogic.io/commercial/troubleshooting/#license-manager-one-time-account-setup
-
Create two PostgreSQL databases in your VPC:
- Source (contains data to mask)
- Target (empty staging database)
-
Create AWS Secrets Manager secrets for:
- SOURCE_DB_URL
- TARGET_DB_URL
- ANONYMIZATION_SALT (at least 32 characters) Step-by-step: https://docs.boundarylogic.io/commercial/deploy-aws-ecs/#21-create-secrets-manager-secrets
-
Upload your mask-rules.yaml to Amazon S3 (or mount via EFS).
-
Deploy the Quick Launch CloudFormation template in your account: https://docs.boundarylogic.io/commercial/assets/quick-launch.yaml The stack creates the ECS task definition and IAM roles for license checkout.
-
Run the job:
- ECS: RunTask using the stack's task definition
- Docker: docker run with SOURCE_DB_URL, TARGET_DB_URL, ANONYMIZATION_SALT, AWS_REGION, and your mask-rules.yaml mounted
- Kubernetes: run as a Job or CronJob with IRSA for license checkout https://docs.boundarylogic.io/commercial/deployment-options/#amazon-eks--kubernetes
Image (pin this tag in production): 709825985650.dkr.ecr.us-east-1.amazonaws.com/boundarylogic/privaci-commercial:1.0.11
Entrypoint: privaci (do not override)
Your subscription tier (Standard or Compliance) is detected automatically at job start. There is no product code or license ARN to configure.
Expected result: exit code 0 and JSON output with "status": "succeeded". Exit code 5 at start usually means License Manager is not set up, the task role is missing checkout permissions, AWS_REGION is wrong, or the image tag is older than 1.0.11. See troubleshooting: https://docs.boundarylogic.io/commercial/troubleshooting/#exit-5--license--entitlement
Full guide: https://docs.boundarylogic.io/commercial/deploy-aws-ecs/ Support:
Resources
Vendor resources
Support
Vendor support
Email: support@boundarylogic.io Support page: https://boundarylogic.io/support Documentation: https://docs.boundarylogic.io/
Commercial subscribers receive email support through support@boundarylogic.io . We aim to respond within one business day for severity-1 (production blocking) issues and within three business days for general questions. Do not send production PII in support requests. Describe schema, exit codes, and redacted logs only.
Privacy policy: https://boundarylogic.io/privacy Terms of service:
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.
Similar products

