Master the key concepts behind Formal’s infrastructure security platform. Terms are organized from basic to advanced.
Getting Started
Connector
Security gateway that protects your infrastructure
The Connector sits between identities (employees, AI agents…) and your databases, APIs, Kubernetes clusters, and other resources. It intercepts every connection, enforces access policies, logs all activity, and can mask sensitive data—without requiring changes to your applications.
Also known as: Proxy
Related: Resource, Listener, Space
Resource
Any system protected by Formal
A Resource is any infrastructure you want to secure: PostgreSQL databases, MongoDB clusters, Snowflake warehouses, SSH servers, Kubernetes pods, APIs, and more. Resources are accessed through the Connector, which enforces policies and logs all activity.
Examples: Production database, staging API, Kubernetes cluster
Related: Connector, Native User
Policy
Rules that control who can access what
Policies are security rules that the Connector evaluates for every connection and query. They determine who can connect, what data they can see, which queries they can run, and whether to mask sensitive information. Policies are written in Rego, a purpose-built policy language.
Examples: “Engineers can only read from dev databases”, “Mask SSNs for support team”
Related: Rego, Policy Stage, Masking
Session
A recorded connection to a resource
A Session is a logged connection from a user through the Connector to a Resource. Sessions capture all queries, commands, responses, and metadata, providing a complete audit trail for compliance and security investigations.
Also known as: Connection, Access Session
Related: Audit Log, Session Recording
Deployment & Architecture
Space
Isolated environment for your resources
A Space is a logical grouping of Connectors, Satellites, and Resources that can securely communicate with each other. Spaces provide network isolation and organizational boundaries—think of them like separate environments (production, staging) or teams.
Also known as: Environment, Deployment Zone
Related: Connector, Satellite
Satellite
Optional add-on for advanced features
A Satellite is an application deployed alongside Connectors to enable advanced capabilities like automatic PII detection, data discovery, and schema scanning. Satellites help you classify sensitive data and maintain an up-to-date inventory of your resources.
Also known as: Data Scanner, Add-on Service
Related: Data Label, PII Detection
Listener
Port configuration for routing connections
A Listener is a configuration on the Connector that accepts connections on a specific port and routes them to designated Resources. Listeners enable a single Connector to handle multiple protocols (PostgreSQL, MongoDB, SSH) simultaneously.
Also known as: Port Configuration, Connection Rule
Related: Connector, Protocol Detection
Control Plane
Management console for Formal
The Control Plane is Formal’s management interface where you configure policies, manage users, view sessions, and monitor your infrastructure. It’s completely separate from your data—the Control Plane never sees or stores your actual data.
Also known as: Management Console, Dashboard
Related: Data Plane, Connector
Data Plane
Where your data flows
The Data Plane consists of your Connectors, which handle actual data traffic. All database queries and API requests flow through the Data Plane, not the Control Plane. This separation ensures Formal never has access to your data.
Also known as: Data Gateway, Traffic Layer
Related: Control Plane, Connector
Access & Authentication
Native User
Credential used to connect to resources
A Native User is the actual credential (username/password, IAM role, or certificate) that the Connector uses to authenticate to a Resource on behalf of end users. Native Users can be static credentials, cloud IAM roles, or dynamically generated temporary credentials.
Also known as: Database Credential, Resource Credential, Service Account
Related: Dynamic Secrets, End-user Identity
End-user Identity
Tracking who’s actually making requests
End-user Identity is the process of identifying the real person behind a connection, even when they’re using tools like Metabase, Retool, or other applications. Formal extracts user information from application parameters to attribute all queries to specific individuals.
Also known as: Identity Propagation, User Attribution
Related: Native User, Session
Just-in-Time Access
Temporary access granted on request
Just-in-Time (JIT) Access means users request temporary permissions that expire after a set time period. Instead of holding permanent access, engineers can request 2-hour database access that is automatically revoked, reducing the risk from compromised credentials.
Also known as: Temporary Access, Time-bound Access
Related: Approval Workflow, Break Glass
Dynamic Secrets
Temporary credentials that auto-expire
Dynamic Secrets are short-lived credentials automatically generated for each connection and revoked when the session ends. This eliminates the risk of long-lived passwords being leaked or compromised.
Also known as: Temporary Credentials, Ephemeral Secrets
Related: Native User, Just-in-Time Access
MFA (Multi-Factor Authentication)
Two-step verification for high-risk access
MFA requires users to provide a second form of authentication (like a code from their phone) in addition to their password. Formal can enforce MFA for specific resources, time periods, or query types.
Also known as: Two-Factor Authentication, 2FA
Related: SSO, Policy
SSO (Single Sign-On)
Log in once, access everything
SSO allows users to authenticate through your company’s identity provider (Okta, Azure AD, Google) instead of managing separate Formal credentials. Once logged in, users can access all permitted resources without additional logins.
Also known as: SAML, Identity Federation
Related: Directory Sync, MFA
Policies & Rules
Rego
Policy language for writing access rules
Rego is the language used to write Formal policies. It’s designed specifically for access control and uses a JSON-like syntax. Rego policies evaluate user attributes, query patterns, and context to make allow/deny/mask decisions.
Also known as: Policy Language
Related: Policy, OPA
OPA (Open Policy Agent)
Engine that executes policy decisions
OPA is the open-source policy engine that powers Formal’s policy evaluation. It reads Rego policies and evaluates them in real-time for every connection and query, making access decisions in milliseconds.
Also known as: Policy Engine
Related: Rego, Policy
Policy Stage
When a policy is evaluated
Policies can run at three stages:
- Connection Time: When a user first connects (check credentials, enforce MFA)
- Before Query: Before a query executes (block unauthorized queries)
- After Query: After query execution (mask sensitive data in results)
Related: Policy, Masking
Policy Data Loader
Connect external data to policies
A Policy Data Loader is custom code that fetches data from external systems (HR databases, ticketing systems, APIs) and makes it available to policies. This enables dynamic decisions like “allow if user is on-call” or “deny if user has open security tickets.”
Also known as: External Data Connector, Policy Data Source
Related: Policy, Rego
Masking
Hide sensitive data in query results
Masking is the process of replacing sensitive data with obfuscated values. Formal can mask data in real-time as query results flow through the Connector, showing “XXX-XX-1234” instead of full social security numbers.
Masking Types:
- Redaction: Replace the whole value with fixed characters (***)
- Partial Redaction: Show only the first/last characters (joh***@example.com)
- Hashing: One-way hash of the value (the same input always gives the same output)
- Random: Replace with realistic fake data
Also known as: Redaction, Data Obfuscation
Related: Policy, PII, Data Label
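The four masking types above, as an added Python example (not Formal’s own implementation); the column rules, the hashing key and the sample row are constructed for illustration, and the row-level function stands in for an After Query policy decision:

```python
import hmac
import hashlib
import random
from typing import Callable, Dict, Optional

# Hypothetical per-deployment key for keyed hashing; in practice it comes from a secret store.
HASH_KEY = b"constructed-example-key"

def redact(value: str) -> str:
    """Redaction: replace the entire value with fixed characters."""
    return "***"

def partial_redact_ssn(ssn: str) -> str:
    """Partial redaction: keep only the last four SSN digits (XXX-XX-1234)."""
    digits = "".join(c for c in ssn if c.isdigit())
    return "XXX-XX-" + digits[-4:]

def partial_redact_email(email: str, keep: int = 3) -> str:
    """Partial redaction: keep the first characters of the local part plus the domain."""
    local, _, domain = email.partition("@")
    return f"{local[:keep]}***@{domain}"

def keyed_hash(value: str) -> str:
    """Hashing: deterministic one-way token, so equal inputs stay joinable across rows.
    HMAC with a secret key (not bare SHA-256) so low-entropy values such as SSNs
    cannot be recovered by hashing every candidate and comparing."""
    return hmac.new(HASH_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def random_ssn(seed: Optional[int] = None) -> str:
    """Random: a realistic-looking but fake SSN (right shape, no relation to the input)."""
    rng = random.Random(seed)
    return f"{rng.randint(100, 899):03d}-{rng.randint(10, 99):02d}-{rng.randint(0, 9999):04d}"

# Per-column masking rules (constructed), standing in for the After Query policy decision.
RULES: Dict[str, Callable[[str], str]] = {
    "ssn": partial_redact_ssn,
    "email": partial_redact_email,
    "customer_id": keyed_hash,
    "notes": redact,
}

def mask_row(row: Dict[str, str], rules: Dict[str, Callable[[str], str]] = RULES) -> Dict[str, str]:
    """Apply the matching rule to each column; columns without a rule pass through unchanged."""
    return {col: rules[col](val) if col in rules else val for col, val in row.items()}

# Constructed sample result row (not real data).
SAMPLE_ROW = {"ssn": "123-45-6789", "email": "john@example.com",
              "customer_id": "C-1001", "notes": "called about refund", "city": "Austin"}

if __name__ == "__main__":
    print(mask_row(SAMPLE_ROW))
```

Note that hashing preserves linkability by design (the same customer_id masks to the same token in every row), which is useful for analytics but still reveals which rows belong together.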
Data Governance
Data Label
Automatically detected sensitive data
Data Labels are PII entities automatically identified by Satellites scanning your databases. They tag columns containing emails, phone numbers, SSNs, credit cards, and other sensitive data, making it easy to write policies that protect all PII without manually cataloging every column.
Also known as: Sensitivity Tag, Data Classification
Related: Tags, PII, Satellite
Tags
Custom labels for organizing data
Tags are user-defined labels you attach to database columns for organization, search, and discovery. Unlike Data Labels (which are auto-detected), Tags are manually created to track business context like “customer_data”, “finance”, or “deprecated”.
Related: Data Label
PII (Personally Identifiable Information)
Personal data that identifies individuals
PII is any data that can identify a specific person: names, email addresses, social security numbers, phone numbers, IP addresses, etc. Formal’s Satellites automatically detect PII in your databases and help you mask or restrict access to it.
Examples: Email, SSN, Credit Card, Phone Number, Home Address
Related: Data Label, Masking, Satellite
Logging & Compliance
Audit Log
Tamper-proof record of all activity
Audit Logs capture every connection, query, policy decision, and system action within Formal. They’re cryptographically secured to prevent tampering and provide evidence for compliance audits (SOC 2, HIPAA, GDPR).
Also known as: Activity Log, Compliance Log
Related: Session, Session Recording
Session Recording
Complete capture of terminal sessions
For SSH, Kubernetes, and other terminal-based resources, Formal can record the entire session including all commands typed and output displayed. This creates a video-like playback for security investigations.
Also known as: Terminal Recording, Command Logging
Related: Session, Audit Log
Log Encryption
Encrypt logs with your own keys
Log Encryption allows you to encrypt all session logs and audit data using your own encryption keys. This ensures Formal cannot decrypt your logs without your explicit permission, even if compelled by law enforcement.
Related: Encryption Key, Audit Log
Integrations
SIEM
Security monitoring and alerting platform
SIEM (Security Information and Event Management) systems like Splunk, Datadog, and Sumo Logic collect and analyze security logs. Formal can stream all audit logs and policy violations to your SIEM for centralized monitoring.
Also known as: Log Analysis Platform, Security Monitoring
Examples: Splunk, Datadog, Sumo Logic
Related: Audit Log
Cloud Integration
Automatic discovery of cloud resources
Cloud Integrations connect Formal to your AWS, GCP, or Azure account to automatically discover databases, Kubernetes clusters, and other resources. This eliminates manual configuration and keeps your inventory up-to-date as infrastructure changes.
Also known as: Auto-Discovery, Cloud Connector
Related: Resource, Satellite
Directory Sync
Automatically sync users from identity providers
Directory Sync (SCIM) automatically imports users and groups from identity providers like Okta, Azure AD, or Google Workspace. As employees join, change roles, or leave, their Formal access updates automatically.
Also known as: SCIM, User Provisioning
Related: SSO, Groups
Advanced Concepts
Protocol Detection
Automatic identification of database types
Protocol Detection allows the Connector to automatically identify what type of connection it’s receiving (PostgreSQL, MongoDB, MySQL, etc.) without manual configuration. This enables “smart routing” where a single port can handle multiple database types.
Also known as: Smart Routing, Wire Protocol Detection
Related: Listener, Connector
Break Glass Access
Emergency access with full audit trail
Break Glass is a mechanism for granting immediate emergency access during incidents, bypassing normal approval workflows. All break glass access is heavily logged and triggers alerts, providing accountability during emergencies.
Also known as: Emergency Access
Related: Just-in-Time Access, Approval Workflow
Approval Workflow
Multi-step access requests
Approval Workflows define who must approve access requests before they’re granted. You can configure multi-stage approvals (manager → security team → DBA) with time limits and escalation rules.
Also known as: Access Request, Approval Chain
Related: Just-in-Time Access, Slack Integration