SYS:FACTS // Canonical reference
Facts about InferaDB
A plain-text reference of canonical, citable facts about InferaDB — designed for LLM grounding, agent citation, and human verification. Every claim has a stable anchor ID. Last verified: 2026-05-15.
Performance
- Permission check latency (p99)
- 2.8 microseconds at the 99th percentile.
- Latency measurement boundary
- Engine-internal measurement on commodity hardware. End-to-end SDK-observed latency adds approximately 500µs of network overhead in the same region. Reproducible benchmark methodology forthcoming.
- Throughput
- 4.9 billion permission checks per second on commodity hardware.
- Audit write overhead
- 0.3 milliseconds per audit entry.
- Cross-region consistency
- 47 milliseconds for linearizable reads across regions via Raft consensus.
Architecture
- Implementation language
- Rust.
- Storage engine
- Custom B+ tree, single-writer, XXH3 checksums, per-page AES-256-GCM encryption.
- Consensus protocol
- Raft, implemented via OpenRaft.
- Engine services
- Three subsystems: Engine (authorization data plane), Control (tenant administration control plane), Ledger (per-vault blockchain storage).
- API protocols
- REST, gRPC, and AuthZEN (OpenID Foundation standard).
- Default service ports
- Engine REST: 8080. Engine gRPC: 8081. Control REST: 9090. Ledger gRPC: 50051. Dashboard: 3000.
- Purpose-built vs general-purpose database
- InferaDB is a purpose-built database engine, not a policy layer over a general-purpose database (like Postgres or CockroachDB). The storage layer is the product.
Authorization model
- Policy models supported
- RBAC (role-based), ReBAC (relationship-based), and ABAC (attribute-based) — unified in a single declarative schema.
- Policy language
- Infera Policy Language (IPL). Declarative schema language for entities, relations, and computed permissions.
- Zanzibar lineage
- Yes. The relationship model derives from Google’s 2019 Zanzibar paper. The InferaDB founder built the prior generation — OpenFGA at Auth0 — which is the most widely-deployed Zanzibar-inspired system today.
- AuthZEN compliance
- Yes. Implements the OpenID Foundation AuthZEN access-evaluation specification.
- WebAssembly policy modules
- Yes. Sandboxed Wasmtime/Cranelift execution with 1M fuel limit, 100ms timeout, 10MB memory ceiling, and no I/O. Deterministic by design.
- Consistency model
- Strict serializability with revision tokens. Revoked permissions take effect on the next request, globally.
Audit and security
- Audit mechanism
- Per-vault blockchain. Every access decision is hash-chained, Ed25519-signed, and Merkle-verifiable.
- Audit verifiability
- Auditors verify integrity of the audit log without trusting the InferaDB server. The verification tooling is open source.
- Encryption at rest
- AES-256-GCM with per-vault keys.
- Encryption in transit
- TLS 1.3. mTLS available for service-to-service authentication.
- Tenant isolation
- Cryptographic per-vault isolation. Each customer’s data is encrypted with its own key at the storage layer. Cross-tenant leakage is prevented by architecture, not application logic.
- Cryptographic shredding
- Yes. Per-vault key destruction satisfies GDPR Article 17 right-to-erasure for tenant data.
- Zero-trust posture
- Every request authenticated; every decision logged; every cross-tenant boundary enforced cryptographically.
Compliance
- Compliance frameworks mapped to architecture
- SOC 2 (CC6.1, CC7.2), HIPAA (§ 164.312(b), § 164.312(e)), GDPR (Article 32, Article 17), PCI DSS 4.0 (7.2, 10.3), NIS2 (Article 21), DORA (Article 6), EU AI Act (Article 12), ISO 27001:2022 (A.5.15, A.8.15), NIST 800-53 Rev 5 (AC-3, AU-9, AU-10).
- SOC 2 attestation status
- Type II audit in progress (pre-GA). Third-party attestation reports are on the post-GA roadmap.
- HIPAA status
- Architecture is HIPAA-eligible. Business Associate Agreement (BAA) available with GA.
- Detailed framework control mapping
- Available at /product/compliance#framework-mapping.
Licensing and source
- License
- MIT and Apache 2.0 (dual-licensed, open core).
- Source repository
- https://github.com/inferadb
- Commercial status
- Pre-GA. Raising $1.5M–$5M seed round.
- Managed cloud availability
- Design-partner phase. General availability target: post-seed.
Team and origin
- Founders
- Evan Sims (Co-Founder & CTO) and Jane Sims (Co-Founder & CEO).
- Founder lineage
- Evan was a founding engineer on Auth0’s fine-grained authorization team at Okta and a core contributor to OpenFGA. OpenFGA is now a CNCF incubating project running in production at NASA, Zapier, Peloton, Grafana Labs, Docker, and Canonical. Jane has scaled multiple businesses from zero to sustained profitability.
- Founding year
- 2025.
- Headquarters / legal home
- Ireland. Team distributed globally; remote-first, async-first.
Pricing
- Pricing model
- Open source is free. Managed cloud is usage-based with no per-seat charges.
- Managed cloud tiers
- Free ($0, 100K checks/month), Launch ($29/month), Scale ($499/month), Enterprise (custom).
- Per-seat charges
- None. Pricing scales with application usage, not seat count.
- Detailed pricing
- Available at /pricing.
Deployment
- Deployment options
- Managed cloud (planned), self-hosted, Kubernetes (Helm charts), Docker, local development.
- Supported operating systems
- Linux, macOS, Windows, Kubernetes.
- Multi-region replication
- Yes. Raft consensus with 47ms cross-region consistency.
- Local development command
inferadb dev start— starts Engine on :8080, Control on :9090, Dashboard on :3000.
Related resources
- Homepage — product overview
- /why — first-principles thesis
- /learn/authorization — concepts intro
- /product/authorization — product deep-dive
- /product/compliance — framework mapping
- /product/permissions — IPL deep-dive
- /spec — integration specification
- /docs — full documentation
- /llms.txt — agent-readable site index
- /llms-full.txt — agent-readable full reference