Enable least-privilege at the packet level on autopilot

Formal is a protocol-aware reverse-proxy for datastores and APIs that helps security teams understand and control their data.

1
2
3
4
5
6
Parafin-Bio-Logo-2
Notion-Logo-3
Gusto-Bio-Logo-2
Modern-Health-Logo-2
Ramp-Logo-2
ManoMano-Logo-2
> The Problem

The past decade has seen incredible innovation in the data stack, but also increased complexity. Without a clear picture and control of their data, enterprises face greater risk than ever before.

Security

The Growing Data Problem

The modern data stack in the cloud certainly does better enable data-driven decision making. But it also multiplies the vulnerabilities to data breaches – it makes it complex to know where data lives and who can access it.

> The solution

Formal empowers security teams to understand their data flows in real-time and enforce access policies that actually work.

Understand
Your org’s data consumption
Product Shots Icons
Logs
Product Shots Icons 1
Session Management
Product Shots Icons 2
Data Discovery
Product Shots Icons 3
PII and PHI classification
Product Shots Icons 4
Monitors
Product Shots Icons 5
Anomally detection & alerts
+ more
Align
Policies across teams & tools
Product Shots Icons
Comment & live collaboration
Product Shots Icons 1
Just-in-time access
Product Shots Icons 2
Notification system
Product Shots Icons 3
No-code and code editor
Product Shots Icons 4
Integrations with modern tools
Product Shots Icons 5
ChatOps
+ more
Control
Your entire data stack
Product Shots Icons
Dynamic Data Masking
Product Shots Icons 1
Dynamic Data Filtering
Product Shots Icons 2
RBAC/ABAC
Product Shots Icons 3
Data Store MFA
Macbook, Laptop, Computer
Device Trust
Product Shots Icons 4
Secret-less auth
+ more
Frame 1948758836

Formal Data Graph

The Formal Data Graph dynamically learns from your organization’s data flow, classifies data, and automatically recommends and enforces least-privilege policies in real time.

Understand
align
Control
Understand

The Formal Data Graph helps you understand the who, what, and where of data consumption across your organization.

Desktop Formal
align

Agree on a strategy that secures your data and brings your teams closer together.

Comment on logs and policies and collaborate directly via Slack. Task colleagues in Jira and Linear directly from the platform. Code and No-code options allow everyone to collaborate.

Group 140
Control

Control your entire data stack in one place

The Formal AI Engine recommends you the policies to enforce based on historical trend to enforce least-privilege access and decrease potential blast radius.

Organized Group
> For Developers

Data Security as Code

Formal helps security teams to win the heart and minds of DevOps thanks to an API-first design that seamlessly integrates with your stack. Choose your IaC, pick your VPC, and deploy a single distroless Docker image containing only a single statically linked binary for unrivaled simplicity and security.

terraform {
    required_providers {
        formal = {
        source  = "formalco/formal"
        version = "~>4.0.0"
        }
    }
    required_version = ">= 0.14.9"
}

provider "formal" {
    api_key = var.formal_api_key
}

resource "formal_sidecar" "main" {
    name = var.name
    technology = "mysql"
    hostname = var.mysql_sidecar_hostname
}

resource "formal_resource" "main" {
    technology = "mysql"
    name = var.name
    hostname = var.mysql_hostname
    port = var.main_port
}

resource "formal_sidecar_resource_link" "main" {
    resource_id = formal_resource.main.id
    sidecar_id = formal_sidecar.main.id
    port = 3306
}

# Native Role
resource "formal_native_user" "main_mysql" {
    resource_id = formal_datastore.main.id
    native_user_id = var.mysql_username
    native_user_secret = var.mysql_password
    use_as_default = true 
    // per sidecar, exactly one native role must be marked    
    as the default.
}
    
func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        cfg := config.New(ctx, "")

        // Load required configuration
        formalApiKey := cfg.Require("formal_api_key")
        name := cfg.Require("name")
        mysqlSidecarHostname := cfg.Require("mysql_sidecar_hostname")

        // Initialize the Formal provider
        provider, err := formal.NewProvider(ctx, "formal", &formal.ProviderArgs{
            ApiKey: pulumi.String(formalApiKey),
        })
        if err != nil {
            return err
        }

        // Create the formal_sidecar resource
        sidecar, err := formal.NewSidecar(ctx, "main", &formal.SidecarArgs{
            Name:      pulumi.String(name),
            Technology: pulumi.String("mysql"),
            Hostname:   pulumi.String(mysqlSidecarHostname),
        }, pulumi.Provider(provider))
        if err != nil {
            return err
        }

        // Create the formal_resource resource
        resource, err := formal.NewResource(ctx, "main", &formal.ResourceArgs{
            Technology: pulumi.String("mysql"),
            Name:       pulumi.String(name),
            Hostname:   pulumi.String(mysqlHostname),
            Port:       pulumi.Int(mainPort),
        }, pulumi.Provider(provider))
        if err != nil {
            return err
        }

        // Create the formal_sidecar_resource_link resource
        _, err = formal.NewSidecarResourceLink(ctx, "main", &formal.SidecarResourceLinkArgs{
            ResourceId: resource.ID(),
            SidecarId:  sidecar.ID(),
            Port:       pulumi.Int(3306),
        }, pulumi.Provider(provider))
        if err != nil {
            return err
        }

        // Create the formal_native_user resource
        _, err = formal.NewNativeUser(ctx, "main_mysql", &formal.NativeUserArgs{
            ResourceId:       resource.ID(),
            NativeUserId:     pulumi.String(mysqlUsername),
            NativeUserSecret: pulumi.String(mysqlPassword),
            UseAsDefault:     pulumi.Bool(true),
        }, pulumi.Provider(provider))
        if err != nil {
            return err
        }

        return nil
    })
}
import * as formal_sdk from 'formal-sdk';
import { CreateSidecarRequest } from 'formal-sdk/gen/admin/v1/sidecar_pb';

// Get the API key from environment variables
const apiKey = process.env.API_KEY;
if (!apiKey) {
    throw new Error('API_KEY environment variable is not set');
}

// Initialize the Formal client
const formalClient = new formal_sdk.Client(apiKey);

// Create a sidecar
const request = new CreateSidecarRequest({
    name: '<string>',
    resource_id: '<string>',
    hostname: '<string>',
    technology: '<string>',
    termination_protection: <boolean>
});

formalClient.SidecarClient.CreateSidecar(request)
    .then(response => {
        console.log('Sidecar created successfully:', response);
    })
    .catch(error => {
        console.error('Error creating sidecar:', error);
    });
import os
import formal_sdk

from formal_sdk.gen.admin.v1.sidecar_pb2 import CreateSidecarRequest

api_key = os.environ.get('API_KEY')
formal_client = formal_sdk.Client(api_key) # Formal base client

formal_client.SidecarClient.CreateSidecar(
    CreateSidecarRequest("name": <string>,
                         "resource_id": <string>,
                         "hostname": <string>,
                         "technology": <string>,
                         "termination_protection": <bool>)
)
> Security & Reliability

We secure the flow of data — without being in the flow.

Formal is designed with enterprise-grade security. Our Proxy is deployed in your VPC, ensuring only you control your data. Reliability is our top concern and our Proxy is designed to be highly available.

SOC 2 Badge
PCI DSS Compliance Logo
HIPAA Compliance Logo
> Integrations

The data security platform that works with everything.

Jira Logo Default
Slack Logo Default
Linear Logo Default
AWS S3 Logo Default
Authy Logo Default
SumoLogic Logo Default
PagerDuty-Logo-Default-2
Okta Logo Default
SentinelOne Logo Default
ClickUp Logo Default
CTA BG

Speak to an Engineer

Learn the platform in less than an hour. Secure your data stack in less than a day.