Security and data handling

PII-safe fake data workflows need boring controls.

DerpData is built for staging, QA, demos, CI, and privacy review workflows where teams need realistic data without copying production records into unsafe places.

No AI processing

Masking and generation run through deterministic code paths and curated corpora. Uploaded CSV previews are not sent to LLM vendors.

Structure-preserving masking

Masking preserves headers, row counts, and broad field semantics while replacing sensitive values with generated alternatives.
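The structure-preserving property above can be checked from the outside by comparing an original CSV with its masked counterpart. The following is an added example, not DerpData's code: the function name check_masking, the column names, and the sample rows are assumptions constructed for illustration. It reports changed headers, changed row counts, original sensitive values that survive anywhere in the masked output, and email columns whose masked values are no longer email-shaped.

```python
import csv
import io
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample data; names and addresses are made up for this example.
ORIGINAL = """id,name,email,plan
1,Ana Ruiz,ana.ruiz@corp.example,pro
2,Bo Chen,bo.chen@corp.example,free
"""
# Constructed masked output in which row 2 still carries the original email.
MASKED_LEAK = """id,name,email,plan
1,Kit Marsh,kit.marsh@mail.test,pro
2,Dee Olsen,BO.CHEN@corp.example,free
"""

def read_csv(text):
    rows = list(csv.reader(io.StringIO(text)))
    return (rows[0], rows[1:]) if rows else ([], [])

def check_masking(original, masked, sensitive):
    """Return a list of findings; an empty list means every check passed."""
    o_head, o_rows = read_csv(original)
    m_head, m_rows = read_csv(masked)
    findings = []
    if o_head != m_head:
        findings.append("headers changed")
    if len(o_rows) != len(m_rows):
        findings.append(f"row count {len(o_rows)} -> {len(m_rows)}")
    # Compare case-insensitively against every masked cell, not just the same row.
    masked_cells = {c.strip().lower() for r in m_rows for c in r if c.strip()}
    for col in sensitive:
        o_idx = o_head.index(col) if col in o_head else -1
        m_idx = m_head.index(col) if col in m_head else -1
        for i, row in enumerate(o_rows, start=1):
            value = row[o_idx].strip().lower() if 0 <= o_idx < len(row) else ""
            if value and value in masked_cells:
                findings.append(f"row {i} {col}: original value present in masked output")
        # Broad field semantics: an email column should still hold email-shaped values.
        if "email" in col.lower() and m_idx >= 0:
            for i, row in enumerate(m_rows, start=1):
                cell = row[m_idx].strip() if m_idx < len(row) else ""
                if not EMAIL_RE.match(cell):
                    findings.append(f"row {i} {col}: not email-shaped")
    return findings

if __name__ == "__main__":
    print(check_masking(ORIGINAL, MASKED_LEAK, ["name", "email"]))
```

A check like this fits in CI before masked files are copied into staging or demo environments, with the list of sensitive columns maintained alongside the schema.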

Keyed production API

Member API routes require API keys or internal credentials. Anonymous API probes receive 404 or 401 responses.

Abuse controls

UI generation, masking, exports, schema sharing, and waitlist capture are rate-limited. Bulk/download paths require verification.

Preserved artifacts

Production deploys preserve environment secrets and operational data directories while replacing application code from release artifacts.

Live smoke gates

Deploys are checked with API docs, corpus quality, security smoke, billing/auth smoke, readiness API sweep, and memory budget tests.

Operational stance

What happens to uploaded masking data?

The browser sends the uploaded CSV to the masking endpoint for parsing and replacement. The endpoint returns a masked preview or export; the app does not need the original file after that request finishes.

Current public masking is designed for small CSV previews and exports. Larger files, audit logs, private deployments, team access, and contractual data-processing terms belong in the paid masking tier.

API keys, checkout, webhooks, and admin metrics are protected by membership checks or internal keys. Production deploys preserve `.env.local` and operational `data/` directories and restart only the DerpData process.

Masking beta access

Join the paid-tier waitlist for larger files, audit exports, team controls, and private deployment options.