Sean Falconer
2 min read · Jun 19, 2023

Yes, you're absolutely correct that storing the data isn't the only requirement, but access in the clear shouldn't have to happen in a different region. In the context of Snowflake, most workloads are going to be for analytics or ML, both of which can happen over deidentified data in the form of consistently generated tokens. We work with many customers doing exactly this.

Non-analytics use cases of PII likely fall into one of the following situations: rendering PII in an application's UI, sharing data with a third-party service, and some kind of one-off business logic. Let's take these one at a time.

Rendering PII: This can be done either by using a Skyflow SDK where the tokenized data is detokenized to the plaintext or partially redacted PII, which is rendered directly within an iframe. The actual iframe is running within the correct vault's region. Or you could run your frontend in the desired region and detokenize the data in that regionalized frontend yourself.

Sharing PII: The vault can act as a proxy service to any third-party API. You would call the vault with the tokenized data, the vault detokenizes within the proper region and passes it through to the third party. Your application can be running anywhere because it never touches PII. You'd have to make sure the third party is also compliant with whatever the data residency laws are in the given region, but this is how something like processing a payment through a PSP would work.

One-off business logic: For other non-standard situations, you can run code within the vault. For example, let's say you need to determine if a certain customer is over 21 by looking at a picture of their driver's license. You can do this by running a function within the vault that extracts the DOB from the image of the license and returns true for over 21 and false otherwise. The sensitive data is only ever in the clear within the regionalized vault. You only need the assertion; you never need to see the PII within your application.

If you're thinking of another use case, please let me know. Happy to explain further and thanks for the interest.
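
The point above about analytics over consistently generated tokens, as an added example that is not part of the original comment and is not Skyflow's code: a sketch showing that aggregation and joins still work when the warehouse holds only deterministic tokens. It assumes keyed HMAC-SHA256 as a stand-in for the vault's token generation; the key, function names and sample rows are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Assumption: this key exists only inside the regional vault; the
# analytics side (e.g. the warehouse) never sees it or the plaintext.
VAULT_KEY = b"constructed-demo-key-not-a-real-secret"

def tokenize(value: str, column: str) -> str:
    """Deterministic token: the same (column, value) always maps to the same token.
    Normalizing case and whitespace first is an assumption of this sketch."""
    msg = f"{column}\x00{value.strip().lower()}".encode()
    return "tok_" + hmac.new(VAULT_KEY, msg, hashlib.sha256).hexdigest()[:24]

# Constructed sample rows, as they exist before tokenization.
ORDERS = [
    ("alice@example.com", 40.0),
    ("bob@example.com", 15.5),
    ("Alice@Example.com ", 9.5),   # same customer, different formatting
    ("carol@example.com", 22.0),
]
SUPPORT_TICKETS = ["bob@example.com", "alice@example.com", "bob@example.com"]

def deidentify():
    """What gets loaded into the analytics store: tokens only, no email addresses."""
    orders = [(tokenize(email, "email"), amount) for email, amount in ORDERS]
    tickets = [tokenize(email, "email") for email in SUPPORT_TICKETS]
    return orders, tickets

def spend_per_customer(orders):
    """GROUP BY customer token; works because tokens are consistent."""
    totals = Counter()
    for token, amount in orders:
        totals[token] += amount
    return dict(totals)

def customers_with_orders_and_tickets(orders, tickets):
    """Join two tokenized tables on the token column."""
    return {token for token, _ in orders} & set(tickets)

# Caveat: consistency is what makes joins work, and it also means equality
# and frequency of values remain visible to anyone who can read the tokens.
if __name__ == "__main__":
    orders, tickets = deidentify()
    print(spend_per_customer(orders))
    print(len(customers_with_orders_and_tickets(orders, tickets)))
```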
