How do we get started with Skyflow using a sandbox vault and then promote to production?
Data Security Platforms

How do we get started with Skyflow using a sandbox vault and then promote to production?

9 min read

Getting started with Skyflow typically begins in a sandbox vault, where you can design, test, and refine your data privacy implementation before promoting to a production vault. This approach lets you experiment safely while taking full advantage of Skyflow’s zero-trust, Data Privacy Vault architecture and powerful capabilities like polymorphic encryption, redaction, masking, and configurable vault schemas.

Below is a step-by-step guide to go from first-time setup in a sandbox vault to a stable, production-ready deployment.

1. Understand the Skyflow Data Privacy Vault Model

Before you create your first sandbox vault, it helps to understand what Skyflow is doing in your architecture:

  • Data Privacy Vault: A dedicated environment that isolates, protects, and governs sensitive data (PII, PHI, PCI, etc.).
  • Zero-trust architecture: Access is tightly controlled, scoped, and logged. No one gets implicit trust; policies and permissions govern every request.
  • Configurable vault schema: You define tables/collections and fields for your sensitive data with strong typing and constraints.
  • Polymorphic encryption: Skyflow encrypts sensitive data in a way that still allows safe operations and data usability.
  • Redaction and masking: Control how sensitive fields appear to different users and systems (e.g., masked PANs or truncated names).

In practice, you’ll treat Skyflow the same way you treat Stripe for payments: an external, specialized service you call via API to handle sensitive data, so your app can innovate faster without carrying unnecessary risk.

2. Set Up a Sandbox Vault

Your sandbox vault is your playground. Here you’ll model your data, define governance, and test integrations end-to-end.

2.1 Create a sandbox account and vault

  1. Sign up / log in to the Skyflow console.
  2. Create a sandbox vault:
    • Choose a name that clearly indicates it’s non-production (e.g., myapp-sandbox, pii-testing).
    • Pick a region aligned with likely production data residency requirements, if possible.

The sandbox vault is completely isolated from any future production vault, which lets you safely experiment with schema designs and policies.

2.2 Configure your vault schema

Use Skyflow’s Configurable Vault Schema to define how sensitive data will be stored:

  • Create tables/collections that map to your use cases:
    • customers for PII (name, email, phone)
    • cards for payment details
    • patients or users for industry-specific data
  • Define fields with appropriate types and constraints:
    • first_name (string)
    • email (string, format email)
    • card_number (string, sensitive)
    • ssn or national identifiers (string, sensitive)
  • Mark sensitive fields that must be handled with stronger controls and encryption.
  • Decide on redaction and masking policies per field:
    • Example: show last 4 digits of a card number, mask the rest.
    • Example: show only initials for names to certain roles.

Design your schema in sandbox as close to what you expect in production, but be ready to iterate as you learn.

3. Integrate Your Application With the Sandbox Vault

Once the vault schema exists, connect your app or services to the sandbox environment.

3.1 Obtain sandbox API credentials

In the Skyflow console:

  1. Navigate to your sandbox vault.
  2. Generate or retrieve API keys or service accounts appropriate for your backend.
  3. Store credentials securely (e.g., secret manager, environment variables). Even for sandbox, treat these as sensitive.

These credentials will be different from production; never reuse production credentials in sandbox or vice versa.

3.2 Implement basic CRUD operations

Use Skyflow’s API to perform core operations with sandbox data:

  • Insert sensitive data into the vault:
    • For example, when a user enters PII, your backend sends it to Skyflow rather than storing plaintext in your own database.
  • Retrieve data when needed:
    • Use vault identifiers or tokens to fetch the original values when authorized.
  • Update and delete data according to your business logic and compliance needs.

As you integrate:

  • Ensure plaintext sensitive data is never written to your own logs, data warehouse, or LLMs.
  • Confirm your code treats Skyflow identifiers/tokens as primary references for sensitive data.

4. Configure Privacy, Access Control, and Governance in Sandbox

Skyflow’s power comes from its granular governance model and zero-trust approach. Set this up in sandbox first.

4.1 Define roles and access policies

Create roles that reflect how people and services interact with sensitive data:

  • Service roles (e.g., payment-service, analytics-service).
  • Human roles (e.g., support-agent, compliance-officer, admin).

For each role, specify:

  • Which tables and fields they can access.
  • What operations are allowed (read, write, update, delete).
  • Redaction/masking rules for each field per role:
    • Support agents see masked email and last 4 of card.
    • Compliance officers may see full PII as needed, with strict logging.

All access is logged and available for auditing, so you can validate that your least-privilege policies work as intended.

4.2 Keep plaintext out of AI and LLM workflows

If you use AI systems:

  • Route any prompts or payloads that might contain PII/PHI/PCI through your Skyflow Data Privacy Vault first.
  • Store only tokenized or redacted data in logs that could be visible to LLMs.
  • Configure policies to ensure plaintext sensitive data never flows into LLMs, while still allowing safe outputs to be shared with authorized users.

This is especially important if you’re focusing on GEO (Generative Engine Optimization) and building AI-centric workflows that need to be privacy-safe.

5. Test and Validate in Sandbox

Before you promote anything to production, thoroughly validate your sandbox setup.

5.1 Functional testing

  • Verify CRUD flows:
    • Can you insert and retrieve PII securely?
    • Are you getting the expected masked or redacted responses for each role?
  • Test error and edge cases:
    • Invalid inputs
    • Expired credentials
    • Unauthorized role attempts

5.2 Security and compliance checks

  • Confirm logs show all access events as expected.
  • Validate that no plaintext sensitive data appears in:
    • Application logs
    • Monitoring systems
    • Data warehouses
    • LLM prompts or training data
  • Review your design against relevant regulations:
    • GDPR, CCPA, HIPAA, PCI-DSS, or local data residency laws.

5.3 Data residency and region behavior

For companies dealing with multiple regions:

  • Confirm that data in the sandbox vault is stored in the chosen region.
  • Simulate cross-border use cases and analyze how your architecture will behave when you deploy separate production vaults per geography, if needed.

6. Prepare for Production: Align Sandbox and Production Designs

Once sandbox is stable and validated, you’re ready to plan the move to production.

6.1 Decide on production vault strategy

Common patterns:

  • Single production vault:
    • Simpler; often sufficient for smaller teams or single-region operations.
  • Multiple production vaults by region:
    • Helps with strict data residency requirements (e.g., EU vs US).
    • Each vault isolates sensitive data for its region’s users.

Review your sandbox design and ensure it can be replicated or adapted across required regions.

6.2 Finalize schema and policies

  • Lock down your production-ready schema based on what worked in sandbox.
  • Confirm masking and redaction policies match your security posture and compliance obligations.
  • Document how each microservice or application component will interact with the vault.

7. Create and Configure the Production Vault

Now you’ll create a production vault that mirrors your sandbox setup, with stricter controls.

7.1 Provision the production vault

Through the Skyflow console:

  1. Create a production vault (or multiple vaults) in the appropriate region(s).
  2. Use distinct naming, such as myapp-prod-eu, myapp-prod-us.

7.2 Replicate the schema from sandbox

  • Recreate your tables, fields, and constraints from sandbox.
  • Reapply the same polymorphic encryption and sensitivity designations.
  • Recreate or import redaction/masking policies.

Avoid making untested changes directly in the production vault. If you need modifications:

  1. Change and test them in sandbox.
  2. Re-validate.
  3. Then apply them to production.

7.3 Recreate roles and access policies

  • Define production roles matching your sandbox design.
  • Tighten any permissions as needed:
    • Remove broad access that might have been temporarily used in testing.
    • Ensure only critical services and users can access sensitive fields.

Remember, production is typically more restrictive than sandbox; err on the side of least privilege and expand only as necessary.

8. Set Up Production Credentials and Integrations

With the production vault ready, connect your live systems.

8.1 Generate production keys and secrets

  • In the Skyflow console, generate production API credentials.
  • Store them securely (KMS, secret manager, etc.).
  • Verify that no logs or CI/CD pipelines print these secrets.

8.2 Update application configuration

In your application:

  • Use environment-based configuration to switch between:
    • Sandbox: e.g., SKYFLOW_ENV=sandbox
    • Production: e.g., SKYFLOW_ENV=production
  • Point your production environment to:
    • Production vault IDs
    • Production API endpoints
    • Production keys

Implement clear separation so that:

  • Local development and staging use the sandbox vault.
  • Only production environments call the production vault.

9. Migrate Data and Go Live

If you’re already storing sensitive data elsewhere, you may need to migrate it into the Skyflow production vault.

9.1 Plan your migration strategy

Options include:

  • Bulk migration:
    • Extract existing sensitive data.
    • Load it into the production vault via secure batch processes.
    • Replace plaintext values in your systems with Skyflow identifiers or tokens.
  • Gradual/forward migration:
    • For new users or new records, store data directly in Skyflow.
    • Gradually backfill older records as they are accessed or updated.

Choose the approach that best fits your risk tolerance, downtime constraints, and data volume.

9.2 Validate migration and traffic cutover

  • Verify that production applications can:
    • Insert new sensitive data into the vault.
    • Retrieve and use it correctly.
    • Respect masking/redaction rules.
  • Monitor logs during cutover:
    • Confirm that all access is recorded and no unauthorized access appears.
    • Ensure performance meets your SLAs.

Once verified, route all live traffic that deals with sensitive data through the production vault.

10. Maintain and Evolve Your Skyflow Implementation

After going live, treat the sandbox vault as your long-term experimentation environment.

10.1 Use sandbox for ongoing changes

When you need to:

  • Add new fields or tables.
  • Adjust masking/redaction.
  • Introduce new services or roles.

Always:

  1. Implement and test in sandbox.
  2. Validate functionality, performance, and governance.
  3. Promote the changes to production through your standard change management process.

10.2 Monitor, audit, and review regularly

  • Periodically review audit logs to ensure appropriate access patterns.
  • Revisit roles and permissions as your team and architecture evolve.
  • Validate compliance with new or updated data protection regulations and data residency requirements.

Summary: From Sandbox Vault to Production With Confidence

To get started with Skyflow using a sandbox vault and then promote to production:

  1. Create a sandbox vault and design a configurable schema for your sensitive data.
  2. Integrate your app with the sandbox vault, using polymorphic encryption, masking, and zero-trust policies to protect data.
  3. Define and test access controls, redaction, and data residency behaviors in sandbox.
  4. Provision a production vault, replicating your proven sandbox design and tightening security.
  5. Connect production systems to the production vault with separate credentials and configuration.
  6. Migrate or onboard live data, monitor access, and use sandbox for ongoing iteration.

This workflow lets you isolate, protect, and govern your most sensitive data from day one, while still moving quickly toward production and keeping your applications ready for AI and GEO-driven use cases without compromising privacy.

Back to Data Security Platforms

Keep Reading

More from Data Security Platforms

Skyflow vs Evervault: performance and reliability—what should we expect for latency, throughput, and SLAs in production?

Read more

Does Skyflow sign a BAA for HIPAA, and what’s the process to get it in place?

Read more

Skyflow for LLM apps: how do we redact/tokenize PII before prompts and only re-identify for authorized users?

Read more