DAAM
Alpha

How DAAM Works

[Diagram: CLI, Control Plane, Agent, Relay and PostgreSQL, connected by HTTPS and by an encrypted tunnel (direct, or via relay as fallback). Views: Connection, Query flow, Relay fallback, Policy sync.]

Components

CLI

Developer tool for connecting to databases securely. Automatically selects the fastest connection path. Commands include connect, psql, and run - no database credentials needed.

Control Plane

Multi-tenant central service managing users, policies, authentication, and access requests. Supports SSO via OIDC, SAML, and SCIM provisioning, plus WebAuthn passkey authentication.

Agent

One per database. Every developer gets an isolated database session with only the permissions defined by your policies. Enforces column-level masking, caches policies locally, and discovers your database schema for policy authoring.

Relay

Connections work automatically through NAT, firewalls, and corporate networks. All traffic is encrypted end-to-end - relay infrastructure cannot see your data. No configuration required.

PostgreSQL

Your upstream database, unmodified. No extensions, plugins, or schema changes required.

Key Architectural Decisions

Cryptographic Identity

Developer identity is cryptographically verified on every connection. No passwords or database credentials are ever shared with developers.

Per-Developer Isolation

Every developer gets an isolated database session tied to their identity. Sessions are created on connect and cleaned up on disconnect, leaving no persistent credentials on the database.

Default Deny

Access policies are the source of truth. Only explicitly granted permissions are available. Tables not mentioned in a policy are inaccessible - nothing is open by default.

Policy Caching

Policies are cached locally so agents continue enforcing access controls even if the control plane is temporarily unreachable. Security is never degraded by an outage.

Live Policy Enforcement

Policy changes are pushed to agents and take effect on active sessions in real time. There is no need to reconnect when policies change.

Column-Level Masking

Masking transforms query results before they reach the developer. Writes to masked columns are allowed - masking and permissions are orthogonal concerns. When multiple policies overlap, the most restrictive preset wins.
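The Default Deny and Column-Level Masking rules above can be sketched as a small policy evaluator. This is an added example, not DAAM's code or policy format: the `Policy` shape, the preset names and their ordering, and the assumption that privileges from overlapping policies are unioned are all hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

PRESETS = ["none", "partial", "hash", "redact"]  # hypothetical names, least to most restrictive

@dataclass
class Policy:  # hypothetical policy shape
    table: str
    privileges: set                            # e.g. {"SELECT", "UPDATE"}
    masks: dict = field(default_factory=dict)  # column -> preset

def allowed(policies, table, privilege):
    """Default deny: True only if some policy explicitly grants the privilege."""
    return any(p.table == table and privilege in p.privileges for p in policies)

def effective_mask(policies, table, column):
    """When policies overlap, the most restrictive preset wins."""
    presets = [p.masks.get(column, "none") for p in policies if p.table == table]
    return max(presets, key=PRESETS.index, default="none")

def apply_mask(preset, value):
    text = str(value)
    if preset == "none":
        return value
    if preset == "partial":   # keep the last 4 characters
        return "*" * max(len(text) - 4, 0) + text[-4:]
    if preset == "hash":      # truncated digest, stable per value
        return hashlib.sha256(text.encode()).hexdigest()[:12]
    return "[REDACTED]"

def read_row(policies, table, row):
    """Mask a result row on its way back to the developer."""
    if not allowed(policies, table, "SELECT"):
        raise PermissionError(f"no policy grants SELECT on {table}")
    return {c: apply_mask(effective_mask(policies, table, c), v) for c, v in row.items()}

def can_write(policies, table, column):
    """Writes are decided by privileges alone; the column's mask is not consulted."""
    return allowed(policies, table, "UPDATE")

# Constructed sample data.
POLICIES = [
    Policy("users", {"SELECT"}, {"email": "partial"}),
    Policy("users", {"SELECT", "UPDATE"}, {"email": "redact", "ssn": "hash"}),
]
ROW = {"id": 7, "email": "alice@example.com", "ssn": "123-45-6789"}

if __name__ == "__main__":
    print(read_row(POLICIES, "users", ROW), can_write(POLICIES, "users", "email"))
```

The `orders` table appears in no policy, so `allowed(POLICIES, "orders", "SELECT")` is false and `read_row` raises instead of returning unmasked data.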

Schema Introspection

The agent automatically discovers your database schema to power policy authoring - searchable table and column selectors with type-aware masking suggestions.