New: give your agents governed data they can query and write to, no warehouse to run.Get started
Nightshift

Nightshift for Public Sector

Mission data, query-ready and cleared for every agent.

Connect case, benefits, and records systems once. Your program analysts and their agents query live data in plain requests, with clearance and classification enforced on every read and every access logged for oversight. No warehouse to stand up, and the records they are not cleared for never reach the request.

Records catalog4 sources
CAcase.recordsPII1.9kGoverned
BEbenefits.warehouse8.6M rows3.4kGoverned
RErecords.apiclassified720Cleared
GIgis.parcelsread only260Read only
Governed catalog · every access logged for the record

Sovereignty

Runs inside your boundary.

Records never have to leave your network. Nightshift deploys inside your existing authorization boundary, even air-gapped, so the data stays put and only governed responses cross the line to an agent.

Your network · self-hosted or air-gapped

case.recordsbenefits.warehouserecords.apiNightshift
MCP
Caseworker agentoutside the boundary

Run it self-hosted and the data stays in your boundary. Only governed responses cross it.

Cross-source oversight

Where the grant money actually went.

An agent connects Nightshift over MCP and attributes $4.6M of grant overspend across Workday, ServiceNow, SAP, and DocuSign, down to the program and contract behind it. No single system holds this answer: the catalog composes all four into one governed query.

Grant overspend, FY24total$4.6M
ProgramWorkdayContractDocuSignChange ordersServiceNowCommittedSAPOverspendNightshift
Head StartVendor A7$8.0M$1.4M
HousingVendor B4$6.5M$1.1M
Workforce DevVendor C6$5.2M$0.9M
NutritionVendor D3$4.0M$0.7M
BroadbandVendor E2$3.1M$0.5M
Composed across Workday, ServiceNow, SAP, and DocuSign · no single system holds this join

Classification

Access follows clearance.

PublicOpen records and aggregates, available to any agent
InternalCase and benefits data, scoped to the assigned office
RestrictedSealed and classified records, left out of the view unless explicitly granted

Identity-aware

The same catalog, different clearance.

Each agent is granted its own governed view: the caseworker its office’s cases with the citizen masked, the analytics agent only aggregates. The catalog answers each by what it is granted.

request case records for your office
caseworker-agentOffice: DET
CaseCitizenStatus
C-4471••••Open
C-2210••••Review
C-9982••••Closed
analytics-agentAggregates
RegionCasesBacklog
Midwest12,4814.1%
South9,0023.3%
West7,3302.7%

What agents do

Caseworker agents, cleared and logged.

Move the case

Read the cases its office owns and draft a determination or case note into Nightshift for a cleared officer to review and record, with the citizen masked and restricted records left out of the view.

Answer the public

A service agent that sees only public records and aggregates, never a sealed file.

Report without exposure

Read aggregates for analytics, so trends are visible while individual citizens are not.

Governance in plain SQL

Scope to an office, mask PII, exclude the restricted.

A governed view limits an agent to its assigned office, masks identifiers like SSN and date of birth, and leaves anything marked restricted out. Grant the agent read on the view, and it is the only data the agent can reach.

  • Scope rows and columns by office, role, or classification
  • Mask PII, leave restricted records out of the view
  • Agents draft into Nightshift; a cleared person reviews and records the official action
views/cases_det.sqlview
-- cases_det: Detroit office, identifiers masked, restricted excluded
create view cases_det as
select case_id, assigned_office, status,
hmac_sha256(ssn, :pii_key) as ssn_token, -- tokenized, not reversible
hmac_sha256(dob, :pii_key) as dob_token
from case_records
where assigned_office = 'DET'
and classification <> 'restricted'; -- sealed records excluded
grantcaseworker-agent → cases_det · read

Questions the agency asks

What the record demands.

Can clearance be enforced per agent?
Yes. Each agent is granted read on a governed view scoped to its office and clearance, so a caseworker agent and an analytics agent get different data from the same catalog.
Can an agent take an official action?
No. Taking an official action, entering a determination into the system of record, stays with a cleared person. An agent can draft the determination, prepare a case note, or flag an eligibility issue, and that draft lands in a governed Nightshift table where a cleared officer reviews and records it. The agent does the casework prep; a human owns the decision on the record.
Where does the data live?
In your systems. Nightshift can query records where they live, or run inside your own network, so access stays under your control and policy.
Is every access accountable?
Yes. Each request is logged with the identity, the record, and the outcome, for the audit the record demands.

Put an agent on public data, within the rules.

Start free, connect a system of record, and watch clearance-aware reads reach your agent in minutes. Run it inside your own network when you need to.

Want to look first? Take the product tour