Zero-trust data plane for agentic AI

The security layer between your data and AI agents.

Airlock is an MCP server. LLM agents query a per-user, PII-masked DuckDB snapshot of your production data, generated inside your VPC. Read-only. Your prod credentials never leave your network.

No data egress · Ephemeral by default

Egress: zero rows
Raw production data never leaves your VPC. The control plane sees routing metadata only.

Sandbox lifetime: ephemeral
5-minute default TTL, configurable up to 24 hours. Snapshots live in tmpfs and vanish on worker exit.

Audit: append-only
Every query, every column, every agent action, recorded to a hash-chained, tamper-evident ledger.

How it works

Your data stays put. The agent sees a shadow.

Airlock provisions a read-only, PII-masked DuckDB mirror inside your infrastructure — scoped to a single agent session, time-limited, and erased at the end. Production credentials and raw rows never leave your VPC.

[Architecture diagram] Customer VPC (customer-owned): Production DB (Postgres, source of truth) → Airlock Worker (mask · encrypt · audit; policy enforced in-VPC; no egress of raw data) → Ephemeral DuckDB sandbox (5-min TTL, configurable) → AI Agent query (masked data only). The Airlock control plane sits outside the VPC boundary.

Two unsafe defaults

Today, you have two options. Both are bad.

If you want to ship an AI feature that touches real user data, the choice forks at the agent: hand it your database, or hand-roll a tool for every question. Airlock is a third path.

01 · Unsafe default: give the LLM prod credentials
One prompt injection drains your database.

02 · Unsafe default: pre-build a tool for every question
You ship the questions, not the agent.

03 · Airlock
Free-form SQL on a per-user, masked, ephemeral snapshot. Nothing the agent does touches prod.

Why the gateway model fails

The breach is already in the architecture.

See the full threat model

01 · Risk: centralized keys
One stolen credential unlocks every model and every customer's data.

02 · Risk: inherited CVEs
Self-hosted proxies ship with every upstream dependency's CVEs already loaded, and you patch on the upstream's schedule.

03 · Risk: persistent prompts
Logs, caches, fine-tunes: a gateway on the prompt path retains PII long after the request is served.

Capabilities

Security primitives you can watch in motion.

PII masking

Raw rows in. Tokens out.

Deterministic tokenization preserves joins: the same real value maps to the same token every time, so the agent can still join users to orders without seeing a real SSN, email, or PAN. Partial masks such as ***@domain and a last-four SSN remain quasi-identifiers, so use them only where the agent needs that fragment and tokenize the rest.

users · masked export (live)

name             token        email                masked email        ssn            masked ssn
Aria Chen        USR_417D84   aria@kikoff.com      ***@kikoff.com      412-88-3091    ***-**-3091
Daniel Park      USR_65FFDC   d.park@stripe.com    ***@stripe.com      523-91-2741    ***-**-2741
Mei Tanaka       USR_39E4E8   mei.t@plaid.com      ***@plaid.com       609-44-5523    ***-**-5523
Rohan Kapoor     USR_36E424   rohan@brex.com       ***@brex.com        711-32-9081    ***-**-9081
Sofia Alvarez    USR_78BED1   sofia@mercury.com    ***@mercury.com     830-55-7126    ***-**-7126
Owen Richards    USR_13BFB2   o.rich@ramp.com      ***@ramp.com        924-17-4408    ***-**-4408
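What "deterministic tokenization preserves joins" means in code, as an added example rather than Airlock's implementation: a keyed HMAC pseudonym for identifiers, the partial masks the export shows for email and SSN, and a check that a join across two masked tables returns exactly the rows the raw join returns. The key, the sample rows, the policy format and the helper names are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed demo key. In a real deployment the key is per-tenant and stays
# with the worker; an agent that only sees the export cannot recompute tokens.
TOKEN_KEY = b"constructed-demo-key-not-for-production"


def tokenize(value: str, prefix: str = "USR", key: bytes = TOKEN_KEY) -> str:
    """Keyed, deterministic pseudonym: equal inputs give equal tokens (so joins
    survive masking) and HMAC keeps the mapping one-way without the key.
    Six hex digits match the export's format but collide around 4k distinct
    values (birthday bound on 24 bits); widen the slice in production."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{prefix}_{digest[:6].upper()}"


def mask_email(email: str) -> str:
    """Keep only the domain, as in the export above."""
    _, _, domain = email.partition("@")
    return f"***@{domain}" if domain else "***"


def mask_ssn(ssn: str) -> str:
    """Keep the last four digits, as in the export above."""
    digits = re.sub(r"\D", "", ssn)
    return f"***-**-{digits[-4:]}" if len(digits) == 9 else "***-**-****"


def mask_pan(pan: str) -> str:
    """Keep the last four digits of a card number."""
    digits = re.sub(r"\D", "", pan)
    return f"****-****-****-{digits[-4:]}" if 13 <= len(digits) <= 19 else "****"


MASKERS = {"token": tokenize, "email": mask_email, "ssn": mask_ssn, "pan": mask_pan}


def mask_rows(rows, policy):
    """Apply a {column: masker} policy; columns not in the policy pass through.
    Columns the agent must not see at all should be dropped, not masked."""
    masked = []
    for row in rows:
        out = dict(row)
        for column, masker in policy.items():
            if out.get(column) is not None:
                out[column] = MASKERS[masker](out[column])
        masked.append(out)
    return masked


def join_count(users, orders):
    """Rows produced by users JOIN orders ON users.name = orders.customer."""
    names = {u["name"] for u in users}
    return sum(1 for o in orders if o["customer"] in names)


# Constructed sample rows (example.com addresses, not the export above).
USERS = [
    {"name": "Aria Chen", "email": "aria@example.com", "ssn": "412-88-3091"},
    {"name": "Daniel Park", "email": "d.park@example.net", "ssn": "523-91-2741"},
    {"name": "Mei Tanaka", "email": "mei.t@example.org", "ssn": "609-44-5523"},
]
ORDERS = [
    {"customer": "Aria Chen", "pan": "4111 1111 1111 1111", "amount": 42.00},
    {"customer": "Aria Chen", "pan": "4111 1111 1111 1111", "amount": 17.50},
    {"customer": "Mei Tanaka", "pan": "5500 0000 0000 0004", "amount": 99.99},
    {"customer": "Nobody Known", "pan": "3400 0000 0000 009", "amount": 1.00},
]
USER_POLICY = {"name": "token", "email": "email", "ssn": "ssn"}
ORDER_POLICY = {"customer": "token", "pan": "pan"}


def masked_join_preserved() -> bool:
    """The same key on both tables keeps the join identical after masking."""
    raw = join_count(USERS, ORDERS)
    masked = join_count(mask_rows(USERS, USER_POLICY), mask_rows(ORDERS, ORDER_POLICY))
    return raw == masked == 3


if __name__ == "__main__":
    for row in mask_rows(USERS, USER_POLICY):
        print(row)
    print("join preserved:", masked_join_preserved())
```

The join works because both tables are tokenized under the same key; rotate the key and every existing snapshot's tokens stop lining up with new ones, which is the behaviour you want for cross-session unlinkability and the behaviour you must plan for in long-lived exports.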
Ephemeral by default

Snapshots expire. Always.

5-minute default TTL, configurable per-tenant. Snapshots live in tmpfs; a worker exit wipes them. tmpfs pages can still be written to swap under memory pressure, so disable or encrypt swap on worker hosts.

Default TTL: 5 min · configurable
Tamper-evident audit

Append-only ledger.

Every query, every column, hash-chained: each entry's hash covers the previous entry's hash, so editing or deleting a line breaks every hash after it. Anchor the chain head outside the worker host so that anyone with write access to the file cannot silently recompute the whole chain.

audit.log · append-only

12:42:58  sandbox.create src=postgres ttl=300 mask=[ssn,email,pan]
12:39:47  sandbox.query rows=128 cols=12 scan=42ms
12:36:36  policy.applied ssn→*** email→*** pan→***
12:33:25  audit.write hash=0x9f4c… prev=0x88a1…
12:30:14  sandbox.query rows=42 cols=8 scan=11ms
12:27:03  sandbox.expire ttl=0 bytes_zeroed=128MiB reaped=ok
12:24:52  sandbox.create src=postgres ttl=900 mask=[phone,addr]
12:21:41  audit.write hash=0xa12d… prev=0x9f4c…
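The chain behind the hash=… prev=… entries, as an added example and not Airlock's own ledger code: append entries, verify the chain, and see which attacks a bare hash chain catches (an edited line, a deleted line) and which it does not (a full rewrite by whoever can write the file) unless the head hash is anchored somewhere the writer cannot reach. The events are constructed in the log's format; the field names and the exact hashing layout are assumptions.

```python
import hashlib
from typing import List, Optional, Tuple

GENESIS = "0" * 64  # prev of the first entry


def entry_hash(prev: str, ts: str, event: str) -> str:
    """Each hash covers the previous hash plus this entry, so changing or
    removing any earlier line changes every hash after it."""
    return hashlib.sha256(f"{prev}\n{ts}\n{event}".encode("utf-8")).hexdigest()


def append(ledger: List[dict], ts: str, event: str) -> dict:
    """Append-only write: the new entry is chained to the current head."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    entry = {"ts": ts, "event": event, "prev": prev, "hash": entry_hash(prev, ts, event)}
    ledger.append(entry)
    return entry


def verify(ledger: List[dict], anchored_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain; return (ok, index of the first bad entry, -1 if none).
    anchored_head is a copy of the last hash kept outside the worker host;
    without it a full rewrite of the file still verifies."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["ts"], e["event"]):
            return False, i
        prev = e["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(ledger)
    return True, -1


# Constructed events in the page's log format (not the page's own entries).
EVENTS = [
    ("12:00:24", "sandbox.create src=postgres ttl=900 mask=[phone,addr]"),
    ("12:03:35", "sandbox.expire ttl=0 bytes_zeroed=128MiB reaped=ok"),
    ("12:06:46", "sandbox.query rows=42 cols=8 scan=11ms"),
    ("12:12:08", "policy.applied ssn→*** email→*** pan→***"),
    ("12:15:19", "sandbox.query rows=128 cols=12 scan=42ms"),
]


def build(events=EVENTS) -> List[dict]:
    ledger: List[dict] = []
    for ts, event in events:
        append(ledger, ts, event)
    return ledger


def tamper_scenarios() -> dict:
    """Edit, delete, and full-rewrite attempts against a chain whose head was
    anchored before the attack."""
    ledger = build()
    head = ledger[-1]["hash"]
    results = {"clean": verify(ledger, head)}

    edited = build()
    edited[2]["event"] = "sandbox.query rows=0 cols=8 scan=11ms"   # hide a large read
    results["edited"] = verify(edited, head)

    deleted = build()
    del deleted[1]                                                # drop the expiry record
    results["deleted"] = verify(deleted, head)

    # Attacker with write access recomputes every hash after the edit.
    rewritten = build([(e["ts"], e["event"]) for e in edited])
    results["rewritten_unanchored"] = verify(rewritten)
    results["rewritten_anchored"] = verify(rewritten, head)
    return results


if __name__ == "__main__":
    for name, (ok, at) in tamper_scenarios().items():
        print(f"{name:22} ok={ok} first_bad_index={at}")
```

The last two results are the point: the rewritten chain is internally consistent and passes an unanchored check, and only the externally held head hash exposes it. Shipping the head hash to a separate system on every write (or periodically) is what turns an append-only file into evidence.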
Your VPC. Your credentials.

DB credentials never leave your network.

The worker runs inside your VPC and reads your source DB over a read-only role. The control plane never sees a connection string.

Self-hosted · Read-only role · Outbound-only WSS
Drop-in

Any agent. Any model.

Sits between the agent and the data — not between the agent and the model.

Anthropic · OpenAI · Bedrock · Vertex · LangChain · MCP

For developers

Five lines of YAML. Add Airlock to your LiteLLM gateway.

Airlock is an MCP server. Point your LiteLLM proxy — or any MCP client — at it, and your agent picks up execute_sql, get_schema, null_rates against your masked snapshot.

MCP · LiteLLM · JSON-RPC · Bearer auth

litellm.yaml

$ litellm --config litellm.yaml --port 4000

# Add Airlock as an MCP server in your gateway.
# Substitute AIRLOCK_CP_URL and AIRLOCK_TENANT_SLUG (or let your deploy tooling
# expand them) before LiteLLM loads the file; the API key stays in the
# environment and out of the YAML.
mcp_servers:
  airlock:
    url: "${AIRLOCK_CP_URL}/mcp/${AIRLOCK_TENANT_SLUG}"
    transport: http
    auth_type: bearer_token
    auth_value: os.environ/AIRLOCK_API_KEY

Compliance

Built for the questionnaire, not the demo.

HIPAA: controls ready · BAA
GDPR: DPA available
PCI DSS: out of scope
ISO 27001: on roadmap
FedRAMP: on roadmap
Self-hosted: available
Single-tenant: available

Ship agentic AI without shipping the breach.

We're onboarding a small first cohort of design partners. Send a real email, get a real engineer. No sales calls, no demo decks — just architecture diagrams and code.

hello@airlocklabs.ai · we reply same business day