Request demo
V Valk
Security Model

Least Privilege by Design

Valk operates with zero access to your row data. We only require read access to PostgreSQL system catalogs and query statistics. We cannot see your customers, passwords, or business secrets.

The Zero-Table Promise

Valk is architected to function without SELECT permissions on your user tables. If we tried to read your data, the database itself would reject the query with permission denied.

Required Access

We only read system metadata to understand the structure and performance of your database.

Query Statistics
pg_stat_statements

Execution times, call counts, and CPU usage. Tells us how queries run, not what they return.

Schema Definitions
information_schema.*

Table names, columns, types, and constraints. We see "users table has email column", but not the emails.

Index Usage
pg_stat_user_indexes

Scan counts and index sizes. Used to identify unused indexes that can be safely dropped.

Table Bloat Stats
pg_stat_user_tables

Live tuple vs dead tuple counts. Essential for detecting vacuum issues and table bloat.

Prohibited Access (Not Requested)

SELECT on Tables

We never run queries against your tables.

INSERT / UPDATE / DELETE

Valk is read-only. We cannot modify data.

Superuser Mode

We do not need or want admin privileges.

Data Export

Functions like COPY TO are forbidden.

Code Evidence

Never Executed 
-- We NEVER read actual data
SELECT * FROM users;
SELECT email FROM accounts;

-- We NEVER export data
COPY users TO '/tmp/dump.csv';

-- We NEVER write data
UPDATE orders SET status=1;
DROP TABLE payments;
Actual Queries 
-- We read statistics
SELECT query, calls
FROM pg_stat_statements;

-- We read schema structure
SELECT table_name, data_type
FROM information_schema.columns;

-- We read metadata
SELECT relname, n_dead_tup
FROM pg_stat_user_tables;

Setup Script

create_valk_role.sql
-- 1. Create a restricted user
CREATE ROLE valk_monitor WITH LOGIN PASSWORD '<secure_password>';

-- 2. Grant connection rights
GRANT CONNECT ON DATABASE my_db TO valk_monitor;

-- 3. Grant schema metadata access (Required to see table names)
GRANT USAGE ON SCHEMA public TO valk_monitor;

-- 4. Grant system stats access (The core requirement)
GRANT SELECT ON pg_stat_statements TO valk_monitor;
GRANT SELECT ON pg_stat_user_tables TO valk_monitor;
GRANT SELECT ON pg_stat_user_indexes TO valk_monitor;

-- NOTE: We do NOT grant SELECT on your actual tables.

Security is our priority

Have specific compliance requirements? We can help.

Contact Security Team