Telemetry privacy.
What Vericto sends for every evaluated query, how to choose between raw and sanitized modes, and why rule enforcement is never weakened by sanitizing.
Overview
For every query the proxy evaluates, Vericto emits a telemetry event to its API. That event includes the evaluation status, the severity, the applied rule's rule_code, the latency, and the query text. These events power the dashboard, metrics, and audit trail.
This page explains exactly what data leaves your network, how to control the level of detail of the query text through the telemetry mode, and why changing that mode never affects what the proxy blocks or allows.
The telemetry mode only changes what is reported, not what is evaluated. Rule evaluation always runs against the full query inside the process. Sanitizing affects the report, never the block.
What is sent
Each telemetry event contains a bounded set of fields describing the evaluation result:
- status: the evaluation result (for example, allowed or blocked).
- severity: the severity level associated with the rule that fired.
- rule_code: the identifier of the applied rule.
- latency: the time it took to evaluate the query.
- query text: the evaluated SQL statement, in raw or sanitized mode depending on the workspace configuration.
Database credentials are never part of the telemetry. That said, the query text can contain sensitive values in its literals, for example WHERE email = 'alice@acme.com'. The telemetry mode exists precisely to control that case.
Modes: raw and sanitized
The query telemetry mode is configured per workspace in Dashboard → Settings → Telemetry privacy. It requires the enforcementPolicy.manage capability. There are two possible values:
| Mode | What it sends | Advantage | To keep in mind |
|---|---|---|---|
| raw (default) | The full query text, exactly as it was evaluated. | Maximum forensic detail: you see exactly what ran. | Literals, with possible PII, leave your network and are stored by Vericto. |
| sanitized | The query with its literals normalized to placeholders ($1, $2, …). | No user data leaves your network; the structure is preserved for metrics and grouping. | You will not see the concrete literal values in the audit trail. |
In raw mode the text is reported without modifications. In sanitized mode the literals are normalized to placeholders before leaving the proxy, so no user data leaves your network while the shape of the query is preserved for metrics and grouping.
How sanitization works
Sanitization is structural: it operates on the parsed AST of the query, not on plain text. Vericto parses the SQL with libpg_query, the same parser as Postgres, and replaces the literals with placeholders directly in the tree. The process is deterministic and does not use regular expressions, so it does not rely on fragile pattern-matching heuristics.
The result keeps the full structure of the statement (tables, columns, operators, clauses) intact and only substitutes the values. For example:
DELETE FROM users WHERE email = 'alice@acme.com' AND tenant_id = 42
-- se reporta como:
DELETE FROM users WHERE email = $1 AND tenant_id = $2
Because the substitution preserves the shape of the query, two executions with different values produce the same sanitized text. That makes it possible to group equivalent queries and compute metrics without exposing a single user value.
Enforcement is not affected
This is the key point. Rule enforcement does not depend on the telemetry mode. The evaluation always runs against the full query, with all its literals, inside the proxy process. Sanitization only changes what is reported after the decision has already been made.
Switching to sanitized never weakens the block. Rules are evaluated against the full query before sanitizing. The telemetry mode is a privacy decision about the report, not a security setting on enforcement.
The CLI also reads this same mode to decide whether to sanitize on the client side before sending the telemetry, consistently with the proxy.
Recommendation
Choose the mode according to your data profile and your compliance requirements:
- Use sanitized when you handle regulated or personal data, for example under GDPR, HIPAA, or Colombia's Law 1581 of 2012. That way no user value leaves your network.
- Use raw when the priority is forensic fidelity and your queries do not embed sensitive literals.
If in doubt, start with sanitized: you keep the structure for metrics and grouping, and you can switch to raw later without affecting enforcement.
Frequently asked questions
Does sanitizing make Vericto block fewer queries?
No. Rule evaluation always runs against the full query inside the process. Sanitization only changes the text reported to telemetry, never the decision to block or allow.
Do database credentials appear in the telemetry?
Never. Connection credentials are not part of any telemetry event, in any mode. The only thing that can contain sensitive data is the query text, and that is what the sanitized mode is for.
Which mode is active by default?
The default mode is raw. To change it to sanitized, go to Dashboard → Settings → Telemetry privacy. You need the enforcementPolicy.manage capability.
Does sanitization use regular expressions?
No. It is structural and deterministic: it operates on the AST parsed with libpg_query, the Postgres parser, and replaces literals with placeholders in the tree. There are no heuristics or regex.
Does the CLI respect the telemetry mode?
Yes. The CLI reads the same mode configured in the workspace to decide whether to sanitize on the client side before sending the telemetry.