Formal

Formal

Automated data access governance platform

Overview

Formal builds and runs a centralized data governance platform that helps businesses control who can access data, while automatically protecting it. It decouples access controls from data stores and provides automated workflows, dynamic masking, and security controls to manage data access across the entire data infrastructure. The platform continuously discovers and classifies data, shows query-level visibility, and flags sensitive information like PII and PHI to prevent leaks. This makes it easier for organizations in finance, healthcare, and tech to stay compliant with data privacy rules and protect sensitive information as they scale data usage. Formal’s goal is to help teams enforce data access policies, automate compliance processes, and reduce the risk of data breaches across the organization.

YC Company
Significant Headcount Growth

About Formal

Simplify's Rating
Why Formal is rated
C+
Rated C on Competitive Edge
Rated B on Growth Potential
Rated C on Differentiation

Industries

Data & Analytics

Enterprise Software

Cybersecurity

Company Size

51-200

Company Stage

Seed

Total Funding

$5.9M

Headquarters

San Francisco, California

Founded

2020

People at Formal

People at Formal who can refer or advise you

Simplify Jobs

Simplify's Take

What believers are saying

  • AI governance urgency drives demand for Formal's automated access control and masking features
  • Privacy-by-design regulations require Formal's dynamic masking and PII/PHI detection capabilities
  • Enterprise need for unified governance frameworks boosts Formal's centralized platform adoption

What critics are saying

  • Collibra and Oracle will displace Formal's mid-market clients with broader feature sets by Q2 2027
  • Open-source proxy alternatives will reduce demand for Formal's premium reverse-proxy by Q3 2027
  • EU AI Act amendments will force Formal to add native logging without third-party connectors by Q1 2027

What makes Formal unique

  • Formal decouples access controls from data stores via a centralized reverse-proxy platform
  • Formal offers fine-grained connector log controls with encryption, SQL stripping, and payload capping
  • Formal enables policy input retention tuning and audit trail generation for sensitive data flows

Help us improve and share your feedback! Did you find this helpful?

Funding

Total Funding

$5.9M

Below

Industry Average

Funded Over

2 Rounds

Notable Investors:
Seed funding is usually the first official round after pre-seed, when a startup has a prototype or concept. It’s typically used to develop the product, test the market, and start building the team. Investors here are often angel investors or early-stage venture capitalists.
Seed Funding Comparison
Above Average

Industry standards

$3.3M
$2M
Netflix
$2.3M
Instacart
$3M
Robinhood
$5.8M
Formal

Benefits

Health Insurance

Dental Insurance

Vision Insurance

Unlimited Paid Time Off

Growth & Insights and Company News

Headcount

6 month growth

25%

1 year growth

25%

2 year growth

-4%
Formal
Dec 17th, 2025
Introducing - Fine Grained Control for Connector Logs

Introducing - Fine Grained control for Connector Logs. How does the Formal Connector work? The Formal Connector is a protocol-aware reverse proxy that sits between identities (AI agents, users, and machines) and sensitive systems such as databases, SSH, Kubernetes clusters, and APIs. As requests flow through this Connector, teams gain visibility on requests and sessions to then enforce security policies such as blocking, masking, hashing, and more. What data does the Formal Connector log? The Formal Connector can see the traffic that passes through such as SQL queries, HTTP requests and responses, and stream events. As the data that flows through the connector can be sensitive (e.g., PII, PHI), Formal group has launched Fine Grained Connector Log Controls to allow admins to encrypt data (requests, response, streams), strip SQL queries, set payload sizes, and determine retention timelines. This ensures the Connector can enforce security and access controls effectively while giving you precise control over privacy, sensitive data exposure, and compliance requirements. An added benefit, you can bring your own encryption key (e.g., leveraging AWS KMS) to encrypt data within the Formal Connector Logs. Log Configurations - enabling Fine Grained control. A Log Configuration is an object in Formal that ties three things together: Scope, Encryption/Logging settings, and Retention Rules. The log configuration is what enables fine grained control of your connector logs. They're defined once in Terraform, visible and editable in the dashboard, and enforced in real time by the Connector. What you can do with Log Configurations. * Encrypt sensitive payloads with your own keys * Use a managed encryption key to protect HTTP request/response bodies, SQL queries, and stream events in your logs. * Scope logging precisely * Apply settings at the Account level for global defaults, Connector level as a baseline, Spaces for logical separation, or at the Resource level for specific databases, instances, or buckets that need stricter controls. Resource-level rules override all broader scopes. * Limit log payload sizes * Cap request and response payloads independently in bytes (for example, only log the first 32 KB), so you get enough context for debugging without shipping entire blobs into Formal or your SIEM. * Strip sensitive values from SQL * Remove parameter values while preserving the structure of queries - ideal for analyzing patterns (e.g., tables and operations) without exposing PII/PHI. * Tune policy evaluation input retention * Configure how long Formal keeps the inputs used for request, response, and session policy evaluations, or disable retention entirely if your compliance posture requires it. The result: the rich context your security and governance teams rely on, paired with significantly greater control over privacy and data minimization. A look at the logs. Once a configuration is in place, each log entry still contains the rich context you expect. Depending on your configuration, the query may be fully encrypted, have values stripped, or be left as-is for low-risk environments. Likewise, HTTP bodies and stream events may be encrypted or truncated. SQL query example. Formal group ran a query to select from the users table for a specific user "[email protected]". In this case, the email would show in the SQL query logs in Formal which would over expose data that the Formal logs normally do not emit. However, if you have Strip SQL Values enabled in the log configuration, the logs now strip out sensitive parts of the query. If you have Encrypt SQL Values enabled in the log configuration, the logs now encrypt the query. How to set it up. You can configure logs in two ways: via the Dashboard or Terraform. In the Dashboard. * Go to Connectors | Logs Configuration | Create configuration. * Give it a name and choose an encryption key (if you're looking to set up encryption) * Select the scope type: - Account: Global Defaults for Your Entire Organization - Space: Logical Separation by Environment - Connector: all traffic through a given Connector - Resource: only traffic for a specific database / API / bucket * Toggle: - Encrypt Requests / Responses - Encrypt SQL - Encrypt Streams - Strip SQL values * Set Max request/response payload size (in bytes). * Configure Policy Evaluation Retention for request, response, and session inputs (e.g., 7 days, 30 days, or disabled). * Click Create Configuration and the Connector will pick it up automatically. Common patterns Formal group is seeing. Strategies are already emerging from early adopters: * Encrypt everything, allow only where needed * Default: encrypt all HTTP bodies and SQL queries at the connector level. * Override: for low-risk sandbox resources, keep bodies unencrypted but cap payload size tightly for debugging. * Structure without values (for regulated data stores) * Enable SQL value stripping + encryption on customer and billing databases. * Leave normalized query structure in logs so you can still analyze which tables are accessed most often. * Short-lived policy inputs * Keep request/response policy inputs for a brief window (e.g., 7 days) to debug policies. Log Configuration roadmap. Log Configurations are available now for all customers. Stay tuned - more features are on the way that will give you even more granular control of your logs and help you stay ahead of you infrastructure security.

Recently Posted Jobs

Sign up to get curated job recommendations

Formal is Hiring for 10 Jobs on Simplify!

Find jobs on Simplify and start your career today

Don't see your dream role? Check out thousands of other roles on Simplify. Browse all jobs →