A lightweight connector that sits inside your network and brokers secure access to your most sensitive data sources — on-premise databases, VPC-locked warehouses, internal data lakes. The agent talks to your data without your data ever leaving your perimeter.
The data that matters most — the operational databases, the regulated warehouses, the legacy systems that actually run the business — usually sits behind firewalls, inside VPCs, or in on-prem datacenters. Connecting those to a SaaS analytics tool traditionally means opening inbound ports, standing up a VPN, or handing over read credentials your security team would rather not exist. Most CISOs say no. Data Gateway changes the answer.
A single small gateway runs inside your network. It opens an outbound mTLS connection to AirQuery Cloud and tunnels queries through. No inbound firewall rules. No exposed databases. Your data never traverses the public internet without the gateway being the one to start the conversation.
Every query the agent runs flows back through the gateway to your data. Results stream back the same way. No bulk extracts. No copies. No data residency surprises.
The gateway initiates every connection. Your firewall sees outbound TCP 443 — nothing else. No inbound exceptions to negotiate with your network team.
Mutual TLS between the gateway and AirQuery Cloud. Certificates are pinned at both ends — no MITM, no rogue CA shenanigans.
Database credentials live in your gateway's environment, never in AirQuery Cloud. Pull from HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, or env vars.
Deploy multiple gateway replicas behind a service. Queries load-balance across them; if one dies, the others keep serving. No single point of failure inside your network.
The gateway pools and reuses connections to your databases — the agent's "ad-hoc" questions don't translate into database connection storms.
Optionally restrict which tables, schemas, or even SQL patterns can be executed through the gateway. Defense in depth, in your hands.
Every query and result hash is logged locally and streamed to your SIEM (Splunk, Datadog, S3, Sumo Logic). No black box.
Pin a version or auto-update from a curated channel. Air-gapped customers use offline bundles signed with our release key.
The gateway is stateless. It does not persist query results, datasets, or sensitive metadata. Restart it: nothing is lost; nothing was there.
Same binary, four delivery surfaces. Pick whatever already fits your operational patterns — no need to introduce a new runtime just for AirQuery.

    # pull & run
    docker run -d \
      -e AQ_TOKEN=... \
      airquery/gateway

    # Helm chart
    helm install gateway \
      airquery/data-gateway

    # systemd unit
    systemctl enable \
      --now airquery-gateway

Air-gapped environment? We ship signed offline installers and pin a private update channel. Talk to us about FedRAMP, IL5, and classified network deployments.
The gateway is the boundary your CISO will ask about first. Here's exactly what it does and doesn't do — in writing, before you need to ask.
The gateway listens on nothing. It only opens outbound TCP 443. Your firewall rules don't change. Your network architect can review the diagram once and approve it.
Use database roles with read-only access to exactly the schemas the agent needs. The gateway enforces them. Even if AirQuery Cloud were compromised, blast radius is bounded by your DB grants.
Every query, every result, every Thinkmap traversal — logged with the user, the timestamp, the DAF trace, the hash. Streamed to your SIEM in real time. SOC 2-grade audit trail.
SOC 2 Type II, HIPAA (with BAA), GDPR, CCPA. The gateway has been reviewed by Fortune-500 security teams. Architecture diagrams, threat models, and pen-test summaries available under NDA.
Data Gateway is included with every AirQuery Enterprise plan. Setup is one Docker command, one Helm install, or one MSI. Most teams are live in an hour.