https://github.com/boundarylogic/privaci
In-VPC PostgreSQL data-masking engine — stream production replicas into safe, FK-intact staging databases. Deterministic, auditable, ELv2.
https://github.com/boundarylogic/privaci
anonymization data-masking database devops docker pii postgresql privacy python security
Last synced: about 4 hours ago
JSON representation
In-VPC PostgreSQL data-masking engine — stream production replicas into safe, FK-intact staging databases. Deterministic, auditable, ELv2.
- Host: GitHub
- URL: https://github.com/boundarylogic/privaci
- Owner: BoundaryLogic
- License: other
- Created: 2026-06-16T16:17:31.000Z (15 days ago)
- Default Branch: main
- Last Pushed: 2026-06-24T19:20:20.000Z (7 days ago)
- Last Synced: 2026-06-24T21:07:43.573Z (7 days ago)
- Topics: anonymization, data-masking, database, devops, docker, pii, postgresql, privacy, python, security
- Language: Python
- Homepage: https://boundarylogic.io
- Size: 1.59 MB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Security: SECURITY.md
Awesome Lists containing this project
README
# PrivaCI
**One command. Sanitized staging data. No data leaves your VPC.**
PrivaCI is a stateless batch engine that reads from a PostgreSQL source
(typically a production replica), masks PII with a three-tier pipeline, and
writes realistic synthetic data to a staging database with referential
integrity preserved.
## Prerequisites
- Python **3.12+**, or the official container image
(`ghcr.io/boundarylogic/privaci`)
- A PostgreSQL **source** (typically a production replica) and an empty
**target** database
## Quickstart
**Fastest path** — self-contained evaluation stack (~60 s):
```bash
export ANONYMIZATION_SALT="$(openssl rand -hex 32)"
make eval-up
```
See the [quickstart](https://docs.boundarylogic.io/quickstart/) for the full walkthrough.
**Your own databases:**
```bash
pip install -e .
privaci gen-salt > .privaci-salt && chmod 600 .privaci-salt
export ANONYMIZATION_SALT=$(cat .privaci-salt)
export SOURCE_DB_URL=postgresql://user:pass@source-host:5432/app
export TARGET_DB_URL=postgresql://user:pass@target-host:5432/staging
privaci validate && privaci dry-run && privaci run && privaci verify
```
Browse the docs site locally: `pip install -e ".[dev]" && make docs-serve`
## Documentation
Start with the [documentation site](https://docs.boundarylogic.io/) or
[quickstart](https://docs.boundarylogic.io/quickstart/).
Key pages:
**Using PrivaCI**
- [CLI reference](https://docs.boundarylogic.io/cli-reference/) — every command, its options, and examples
- [Configuration reference](https://docs.boundarylogic.io/configuration/) — the `mask-rules.yaml` format
- [Error codes](https://docs.boundarylogic.io/error-codes/) — exit codes and message format
- [State & audit schema](https://docs.boundarylogic.io/state-schema/) — what runs write to `_privaci`
- [Extending PrivaCI](https://docs.boundarylogic.io/extending-privaci/) — the plugin contract model
**Developing PrivaCI**
- [Local development & testing](https://docs.boundarylogic.io/local-development/)
- [Test fixtures — MedicalHelpDesk Corp](https://docs.boundarylogic.io/test-fixtures/)
- [Architecture decision records](https://docs.boundarylogic.io/adr/)
## License
The engine is licensed under the [Elastic License 2.0](LICENSE). Optional
paid features ship as a separate plugin layer via the
[plugin contracts](https://docs.boundarylogic.io/extending-privaci/).
## Commercial
Optional paid capabilities — signed compliance reports, schema-drift detection,
FK-aware subsetting, JSONB path masking, and more — ship as a separate plugin
layer on top of this engine, still entirely in your VPC. Learn more at
[BoundaryLogic](https://boundarylogic.io/commercial).