Database access allows the DB Analyst agent to query your databases during incident investigation. This is often the difference between identifying a slow query or data anomaly as the root cause and concluding the investigation without a definitive answer.
CauseFlow never modifies your database data. All access is enforced as read-only at the driver level — READ ONLY transactions for PostgreSQL and blocked write operations for MongoDB.

Two modes of access

The Relay is a lightweight Docker agent you deploy inside your own private network. It is the recommended approach for PostgreSQL and MongoDB databases that are not publicly reachable.
Why use Relay:
  • Your database never needs to be exposed to the internet
  • No inbound firewall rules required — the Relay opens a single outbound WebSocket connection
  • PII is masked inside your network before results are returned to CauseFlow
  • A policy engine controls exactly which tables and operations are permitted
To get started, see the Relay documentation for deployment instructions.

AWS API (for AWS-managed databases)

For DynamoDB and other AWS-managed databases, CauseFlow uses STS AssumeRole to access data through the AWS API. This requires:
  1. An IAM role in your AWS account with read-only permissions on the target databases
  2. A trust policy allowing CauseFlow’s AWS account to assume the role
  3. The role ARN configured in Dashboard > Settings > AWS Integration
This approach is configured through your tenant AWS settings and does not require deploying any additional infrastructure.

DB Analyst agent activation

The DB Analyst agent is automatically activated when:
  • A CauseFlow Relay connection is detected, or
  • AWS database access is configured in your tenant settings
No manual configuration is needed. As soon as the connection is available, the DB Analyst agent joins investigations involving services connected to those databases.

Read-only enforcement

CauseFlow enforces read-only access at multiple layers:
| Layer | Enforcement |
| --- | --- |
| PostgreSQL via Relay | SET TRANSACTION READ ONLY on every connection |
| MongoDB via Relay | Only find and aggregation operations permitted; write operations blocked by the Relay policy engine |
| DynamoDB via AWS API | IAM role restricted to dynamodb:GetItem, dynamodb:Query, dynamodb:Scan |
These restrictions are enforced independently of CauseFlow’s own application logic. Even if an agent were to generate a write query, the database driver would reject it.
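
One way to check the IAM role from the AWS API section against the DynamoDB row above before entering its ARN in the dashboard. This is an added example, not CauseFlow's own code: the function names, account IDs and table name are placeholders, and the expected principal ARN must be taken from CauseFlow's documentation.

```python
# Read-only DynamoDB actions named in the enforcement table on this page.
ALLOWED_ACTIONS = {"dynamodb:getitem", "dynamodb:query", "dynamodb:scan"}

def _as_list(value):
    """IAM accepts either a single string or a list for most fields."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def audit_permissions(policy):
    """Findings for Allow statements that grant more than the read-only set."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {i}: NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive; wildcards never match the set.
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: {action} is outside the read-only set")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {i}: Resource '*' is not scoped to target tables")
    return findings

def audit_trust(policy, expected_principal):
    """Findings for trust statements that admit anyone but expected_principal."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or set(principal) != {"AWS"}:
            findings.append(f"statement {i}: Principal must be one AWS principal")
            continue
        for arn in _as_list(principal["AWS"]):
            if arn != expected_principal:
                findings.append(f"statement {i}: unexpected principal {arn}")
    return findings

# Constructed samples; account IDs and the table name are placeholders.
VENDOR = "arn:aws:iam::111122223333:root"
TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"
GOOD_PERMS = {"Statement": [{"Effect": "Allow", "Resource": TABLE,
    "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"]}]}
BAD_PERMS = {"Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["dynamodb:Query", "dynamodb:*"]}]}
GOOD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": VENDOR}}]}
BAD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "*"}}]}
```

Both functions return an empty list when the policy matches the read-only role described on this page; any finding means the role grants more than the three listed actions or trusts a principal other than the expected one.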

Getting started

Deploy CauseFlow Relay

Set up the privacy-preserving Relay for PostgreSQL and MongoDB in your private network.

Relay architecture

Understand how the Relay communicates with CauseFlow and handles PII masking.