Enterprise MCP Server

Deploy secure, enterprise-grade database connectivity for AI tools with comprehensive identity management, role-based access control, and audit capabilities.

Secure Data Access Point (SDAP)

Self-installable server that connects directly to your database with enterprise-grade security

The Secure Data Access Point (SDAP) is a self-installable server that connects directly to your database. It is compatible with the Apache Arrow Flight SQL protocol, which means that data is streamed efficiently throughout the Ekaya pipeline to the AI. Database permissions do not leave your premises. The user authentication token is maintained and verified, and access is logged, all the way to the data access layer. You have full access to the source code.

Key Benefits

  • On-premises security: Database permissions never leave your infrastructure
  • Full transparency: Complete access to source code
  • Comprehensive logging: User authentication and access fully audited
  • High performance: 20-50x faster than traditional ODBC/JDBC
  • IP whitelisting: Access from whitelist-able IP addresses
  • Mutual TLS security: Prevents man-in-the-middle attacks
  • Multi-language support: Data directly processable by Python, C#, Java, Go, etc.
  • ETL integration: Accessible for internal ETL pipelines

Apache Arrow Flight SQL

High-performance protocol: Apache Arrow Flight SQL leverages the Arrow in-memory columnar format and Flight RPC framework for efficient data transfer over networks.

  • Columnar data format minimizes serialization overhead
  • Parallel, bulk access to query results
  • Built-in encryption and authentication support
  • Scales across distributed systems
  • Cross-platform compatibility (Python, C++, Java)

Perfect for Modern Data Workloads

Data Lakehouse Queries: Efficient querying across distributed data architectures
Cross-platform Analytics: Seamless integration with BI tools and ML workflows
Scalable Architecture: Future-proof interface for enterprise data access

Database Support

Native support for your existing database infrastructure

Microsoft SQL Server

  • Windows Authentication integration
  • Azure AD authentication support
  • Service principal with user impersonation (EXECUTE AS USER)
  • Native SQL Server RBAC and RLS support

Setup Requirements:

Grant IMPERSONATE permissions to the SDAP service principal on target users. No individual user credentials required.

GRANT IMPERSONATE ON USER::[user@company.com] TO [sdap-service];

Why this matters: Your existing SQL Server security just works. No need to create new service accounts or manage AI-specific credentials. The SDAP uses your current user permissions - nothing more, nothing less.

PostgreSQL

  • Service account authentication
  • Session authorization (SET SESSION AUTHORIZATION)
  • Role switching capabilities (SET ROLE)
  • Native PostgreSQL role-based security

Setup Requirements:

Grant role membership to the SDAP service account for target users/roles.

GRANT target_user TO sdap_service_account;

Why this matters: PostgreSQL's role system becomes your AI security layer. One service account can safely impersonate any user you've granted access to. Your row-level security (RLS) policies automatically apply to AI queries.

Authentication & Identity Management

Seamless integration with your existing identity infrastructure

SAML and OIDC Integration

Connect directly with your identity providers including Active Directory, Entra ID, Okta, Ping Identity, and other enterprise solutions.

How It Works:

Users authenticate through your existing SSO portal. Ekaya receives identity tokens and maps them to database access permissions through JWT claims including customerUserId and databaseRole.

The magic: Zero integration work on your identity side. Your existing SAML/OIDC setup feeds directly into database permissions. No custom connectors, no API keys to manage, no new attack vectors.

User Provisioning

  • SCIM-based automated provisioning: Sync users and groups automatically
  • Just-In-Time (JIT) provisioning: Create accounts on first login
  • Directory sync: Periodic synchronization with your directory
  • MFA enforcement: Leverage your existing MFA policies

Authorization & Access Control

Fine-grained control over who can access what data

How Data Access Works

  1. User Authentication: User logs in through your SSO portal (SAML/OIDC)
  2. JWT Creation: Ekaya creates JWT with customerUserId and databaseRole claims from your identity provider
  3. Database Impersonation: SDAP uses service principal to impersonate the user in your database
  4. Query Execution: All queries run with the user's actual database permissions - no elevated access
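
The step from verified claims to database impersonation, as an added example (not Ekaya's or SDAP's code): the claim values end up inside the text of a session-control statement, so they are checked against a local mapping and quoted before use. The ALLOWED_ROLES mapping, the function names, and the pairing of SET ROLE with databaseRole for PostgreSQL and EXECUTE AS USER with customerUserId for SQL Server are assumptions; the token's signature is assumed to have been verified already.

```python
# Added example: map verified JWT claims to a database impersonation statement.
# Claim names are from the page; the mapping and function names are hypothetical.

# Constructed mapping standing in for the "user/role mapping configuration".
ALLOWED_ROLES = {
    "alice@company.com": {"analyst"},
    "bob@company.com": {"analyst", "finance_ro"},
}


def checked_claim(value):
    """Return the claim if it is a plausible principal name, else refuse."""
    if not isinstance(value, str) or not value or len(value) > 128:
        raise PermissionError("claim missing or malformed")
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise PermissionError("control character in claim")
    return value


def pg_identifier(name):
    """PostgreSQL quoted identifier: embedded double quotes are doubled."""
    return '"' + name.replace('"', '""') + '"'


def mssql_string(name):
    """T-SQL Unicode string literal: embedded single quotes are doubled."""
    return "N'" + name.replace("'", "''") + "'"


def impersonation_statement(claims, dialect):
    """Build the statement that switches the session to the token's principal."""
    user = checked_claim(claims.get("customerUserId"))
    role = checked_claim(claims.get("databaseRole"))
    # The token only asserts a role; the local mapping decides if it is allowed.
    if role not in ALLOWED_ROLES.get(user, set()):
        raise PermissionError(f"{user!r} may not assume role {role!r}")
    if dialect == "postgresql":
        return "SET ROLE " + pg_identifier(role)
    if dialect == "mssql":
        return "EXECUTE AS USER = " + mssql_string(user)
    raise ValueError(f"unsupported dialect: {dialect}")


if __name__ == "__main__":
    token = {"customerUserId": "alice@company.com", "databaseRole": "analyst"}
    print(impersonation_statement(token, "postgresql"))
    print(impersonation_statement(token, "mssql"))
```

A role the token names but the mapping does not grant is refused before any statement is built, so a mis-issued claim cannot widen access on its own.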

Role-Based Access Control (RBAC)

Leverage your existing database roles and permissions. The SDAP respects all your current security policies without requiring changes.

  • Table and column-level permissions
  • Schema-based access control
  • Custom database roles
  • Inherited permissions from groups

Row-Level Security (RLS)

Automatic session context configuration enables your existing RLS policies to work seamlessly with AI queries.

  • Tenant isolation
  • Department-based filtering
  • User-specific data access
  • Dynamic security predicates

Per-User Connection Pooling

Each user gets isolated database connections with their specific security context. This ensures complete separation and prevents privilege escalation.

Security Guarantee

Users can only access data they would normally see in your database. The SDAP never grants additional permissions beyond what you've configured.

What this prevents: No more "AI has access to everything" scenarios. No shared service accounts with elevated privileges. No data leaks because someone misconfigured an AI tool. Each query runs as the actual user - period.

Security & Data Protection

Enterprise-grade security controls and compliance features

Data Encryption

  • In Transit: TLS 1.3 encryption for all communications
  • At Rest: Leverages your database's native encryption
  • Key Management: Uses your existing key management infrastructure

Audit & Compliance

  • Comprehensive Logging: All access attempts and queries logged
  • Finally, audit logs that actually tell you WHO accessed WHAT data through AI tools

Project & Semantic Layer Management

Organize and govern your data access patterns

Multi-Project Isolation

Each project operates in complete isolation with its own semantic layer, user permissions, and audit trail.

  • Separate connection pools per project
  • Project-specific user access controls
  • Independent semantic layer definitions

Governance & Lineage

Track data usage, maintain semantic consistency, and ensure compliance across all AI interactions.

  • Semantic layer versioning and rollback
  • Data lineage tracking
  • Column and row-level policy enforcement

Dedicated LLM Ontology

Each project can have its own isolated LLM with project-specific ontology, ensuring AI responses are tailored to your business context and terminology.

Translation: Your finance team's AI knows "EBITDA" while your engineering team's AI knows "deployment pipelines" - no cross-contamination.

SDAP Deployment & Setup

Deploy the Secure Database Access Proxy behind your firewall

Deployment Architecture

  1. Behind Your Firewall: SDAP runs in your environment with direct database access. Your data never leaves your network.
  2. Whitelisted Access: Only accepts connections from Ekaya's infrastructure with valid JWTs. No VPN tunnels, no broad network access.
  3. Service Account: Runs with minimal privileges - only impersonation rights. Can't read data directly, only impersonate authorized users.

The security win: The SDAP service account requires valid user JWTs from your identity provider to access any data. Without legitimate user authentication tokens, the service account cannot perform any database operations.

Configuration Requirements

  • Database connection strings
  • Service account credentials
  • Ekaya JWT validation keys (JWKS)
  • Network firewall rules
  • User/role mapping configuration

Ongoing Management

  • Monitor connection pools and performance
  • Review audit logs and access patterns
  • Update user permissions as needed
  • Rotate service account credentials
  • Apply security updates