Documentation
Ark helps engineering and security teams share realistic test data without copying raw production databases to the cloud. This page explains what runs where, what stays in your network, and how to reach your first masked sandbox.
Platform model
Think of Ark as a remote control in the cloud and a worker inside your network. You plan and approve in SaaS; the agent executes next to your data.
Where your team plans and governs
Hosted by Ark. Holds governance metadata in ark-meta — not your raw database rows.
Where work actually runs
You deploy and operate this component. Raw production data stays here.
Data boundary
The control plane coordinates work and stores governance metadata. It does not need a copy of your production tables to do its job.
Typical paths
Most customers start with one high-value workflow, prove value, then expand to governance and CI automation.
Engineering & QA
ark-cli testenvs create --config "<config-id>" --waitSecurity & compliance
Console → Source profile → Run classification jobPlatform & DevOps
ark-cli login --api-url "$ARK_URL" --api-key "$ARK_API_KEY" --tenant-id "$TENANT"Key concepts
Your organization's isolated workspace — users, connections, jobs, and policies are scoped to one tenant.
A registered source or target database endpoint. Credentials are resolved inside your VPC by the agent, not stored as plaintext in SaaS when using env-ref mode.
The governance object for a source DB: schema snapshot, classification report, and approved masking rules.
A runnable recipe derived from a source profile — extraction limits, masking runtime, target connection, and test-environment settings.
A unit of work dispatched to your agent: classification, subset export, synthetic data generation, or sandbox provisioning.
An ephemeral MySQL or PostgreSQL database provisioned in your VPC from a config, pre-loaded with a masked subset.
First deployment
Your Ark contact creates the tenant. An admin logs into the console and invites team members with the right roles.
Create an agent in the console, copy the token, and run ark-agent in your VPC with outbound access to the control plane URL.
Add source (and optional target) connections. Test connectivity through the agent — the control plane never opens a direct SQL session.
Run classification on a source profile. Security reviewers approve masking rules before data leaves production patterns.
Bind profile to target, set row limits, then trigger a subset or test-environment job. Monitor progress in the console or CLI.
Agent startup (customer VPC)
# Configure .env from portal provisioning bundle (mTLS certs + gRPC target)
ark-agent startAccess surfaces
Admins, profilers, operators
Full governance UI: connections, classification review, masking editor, job history, test-environment browser, and audit logs.
Best for: Day-to-day operations and security review
Any team, any language stack
Shell-first access for login, config listing, job triggers, and test-environment lifecycle. Works in CI without a language SDK.
Best for: Scripts, pipelines, and quick operator tasks
Platform engineers
Typed clients for config listing, job orchestration, wait loops, and DSN helpers inside services and internal portals.
Best for: Embedded automation in Go or Node services
Roles at a glance
tenant_admin Manage users, agents, connections, and tenant settingsprofiler Run classification, review columns, approve masking rulestenant_user / tenant_ci Trigger subset jobs, synthetic generation, and test environmentsThe getting-started guide walks through a focused CI pilot — one source, one config, one masked sandbox.