Listing Thumbnail

    PrivaCI: In-VPC PostgreSQL Data Masking & Compliance Evidence

     Info
    Deployed on AWS
    Mask production PostgreSQL into realistic, referentially-intact staging data inside your own AWS VPC, with no PII leaving your network. PrivaCI runs as a one-shot container job with deterministic PII masking, FK-aware subsetting, schema-drift CI gates, and Ed25519-signed compliance evidence.

    Overview

    Play video

    PrivaCI runs as a one-shot container job inside your AWS VPC. It reads PostgreSQL source data, masks PII deterministically, and writes sanitized rows to a target database. No data leaves your network there is no SaaS control plane and no telemetry.

    Both tiers include the full open-source masking engine (regex + NER detection, deterministic faking, referential integrity, resumable streaming runs). The paid tiers add commercial capabilities on top:

    • Deterministic keyed masking (hmac_hash / pseudonym) stable pseudonyms across tables and runs.
    • JSONB path masking mask fields inside JSONB documents by path.
    • FK-aware data subsetting copy one tenant to staging with foreign-key closure, not the whole database.
    • Schema-drift detection fail CI when the schema changes out from under your mask rules.
    • Strict-gate CI preview sample rows, policy diff, and SARIF output for pull-request gates.
    • Ed25519-signed compliance reports tamper-evident JSON (plus Markdown / PDF summaries) mapped to common control frameworks.

    Requirements: a PostgreSQL source and target, and a container runtime (Amazon ECS or docker run for v1; EKS / AWS Batch / Kubernetes CronJob on request). Entitlement is resolved at job start via AWS License Manager; the task role needs only license-manager:CheckoutLicense / CheckInLicense.

    Highlights

    • In-VPC batch job: mask PostgreSQL inside your VPC with no SaaS data exfiltration
    • Realistic staging at any size: FK-aware subsetting copies one tenant with referential integrity intact
    • Audit-ready Ed25519-signed compliance reports and schema drift evidence for CI

    Details

    Delivery method

    Supported services

    Delivery option
    ECS Fargate one-shot batch job

    Latest version

    Operating system
    Linux

    Deployed on AWS
    New

    Introducing multi-product solutions

    You can now purchase comprehensive solutions tailored to use cases and industries.

    Multi-product solutions

    Features and programs

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
    Financing for AWS Marketplace purchases

    Pricing

    PrivaCI: In-VPC PostgreSQL Data Masking & Compliance Evidence

     Info
    Pricing is based on the duration and terms of your contract with the vendor. This entitles you to a specified quantity of use for the contract duration. If you choose not to renew or replace your contract before it ends, access to these entitlements will expire.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator  to estimate your infrastructure costs.

    1-month contract (2)

     Info
    Dimension
    Description
    Cost/month
    Standard
    Flat monthly tier for teams that need realistic, safe PostgreSQL staging data. Run PrivaCI as a one-shot container job in your VPC. Includes the full masking engine plus deterministic keyed masking (hmac_hash / pseudonym) and JSONB path masking. No source-database or data-volume limits.
    $149.00
    Compliance
    Flat monthly tier for regulated and platform teams. Everything in Standard plus FK-aware data subsetting (copy one tenant to staging with referential integrity), schema drift detection for CI gates, strict-gate CI preview with SARIF, and Ed25519-signed compliance reports. No source-database or data-volume limits.
    $749.00

    Vendor refund policy

    PrivaCI refunds: AWS bills via Marketplace. Full refund if you cancel within 48 hours of purchase (AWS standard). After 48 hours, contact support@boundarylogic.io  with AWS account ID, subscription date, and reason; we review case-by-case (billing errors, duplicate subs). Support: https://boundarylogic.io/support 

    How can we make this page better?

    Tell us how we can improve this page, or report an issue with this product.
    Tell us how we can improve this page, or report an issue with this product.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

     Info

    Delivery details

    ECS Fargate one-shot batch job

    Supported services: Learn more 
    • Amazon ECS
    Container image

    Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.

    Version release notes

    What's fixed License validation on startup: Resolved an issue where entitled Marketplace subscribers could see exit code 5 ("No active subscription entitlement") at the start of every run. License Manager checkout now works reliably when the task or instance IAM role has the correct permissions.

    What you need to do New deployments: Use image tag 1.0.11: 709825985650.dkr.ecr.us-east-1.amazonaws.com/boundarylogic/privaci-commercial:1.0.11 Existing deployments on 1.0.10 or earlier: Update the image tag in your ECS task definition (or equivalent) to 1.0.11 and redeploy. No changes to mask-rules.yaml, secrets, or tier selection are required.

    Additional details

    Usage instructions

    After subscribing, deploy PrivaCI in your VPC as a one-shot batch job. Recommended path: Amazon ECS Fargate + CloudFormation Quick Launch.

    1. One-time per AWS account (before your first run): Open AWS License Manager in the console and complete "Start using License Manager" to grant permissions. Without this step, the first run may fail with exit code 5 and "Service role not found". https://docs.boundarylogic.io/commercial/troubleshooting/#license-manager-one-time-account-setup 

    2. Create two PostgreSQL databases in your VPC:

      • Source (contains data to mask)
      • Target (empty staging database)
    3. Create AWS Secrets Manager secrets for:

    4. Upload your mask-rules.yaml to Amazon S3 (or mount via EFS).

    5. Deploy the Quick Launch CloudFormation template in your account: https://docs.boundarylogic.io/commercial/assets/quick-launch.yaml  The stack creates the ECS task definition and IAM roles for license checkout.

    6. Run the job:

    Image (pin this tag in production): 709825985650.dkr.ecr.us-east-1.amazonaws.com/boundarylogic/privaci-commercial:1.0.11

    Entrypoint: privaci (do not override)

    Your subscription tier (Standard or Compliance) is detected automatically at job start. There is no product code or license ARN to configure.

    Expected result: exit code 0 and JSON output with "status": "succeeded". Exit code 5 at start usually means License Manager is not set up, the task role is missing checkout permissions, AWS_REGION is wrong, or the image tag is older than 1.0.11. See troubleshooting: https://docs.boundarylogic.io/commercial/troubleshooting/#exit-5--license--entitlement 

    Full guide: https://docs.boundarylogic.io/commercial/deploy-aws-ecs/  Support:

    Support

    Vendor support

    Email: support@boundarylogic.io  Support page: https://boundarylogic.io/support  Documentation: https://docs.boundarylogic.io/ 

    Commercial subscribers receive email support through support@boundarylogic.io . We aim to respond within one business day for severity-1 (production blocking) issues and within three business days for general questions. Do not send production PII in support requests. Describe schema, exit codes, and redacted logs only.

    Privacy policy: https://boundarylogic.io/privacy  Terms of service:

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Similar products

    Customer reviews

    Ratings and reviews

     Info
    0 ratings
    5 star
    4 star
    3 star
    2 star
    1 star
    0%
    0%
    0%
    0%
    0%
    0 reviews
    No customer reviews yet
    Be the first to review this product . We've partnered with PeerSpot to gather customer feedback. You can share your experience by writing or recording a review, or scheduling a call with a PeerSpot analyst.