In a move that tightens data privacy for restaurant analytics, PAR Technology Corporation has rolled out a production‑ready natural‑language text‑to‑SQL agent that enforces strict row‑level security across more than 300 tenant customers. Built on Amazon Web Services (AWS) and Amazon Bedrock, the system employs a three‑layer architecture to keep sensitive data isolated even when the underlying large language model (LLM) is compromised.

The new agent lets business users pose questions in plain English and receive a data‑backed answer in seconds. To achieve this, PAR first authenticates every API request with AWS Signature Version 4 (SigV4), then validates the intent of the question with Amazon Bedrock, and finally constructs a programmatic data sandbox using a Split‑Plane SQL technique. The sandbox contains only the rows that the authenticated user is authorized to see, and the LLM operates solely on the sandbox’s schema.

Row‑level security is a core challenge for multi‑tenant analytics. Two users can ask the same question—"What were total sales last week?"—but the correct answer depends on the user’s data scope. A franchise owner with two Chicago locations should see $84,000, while a corporate brand manager overseeing 200 locations should see $9.2 million. The system must return the correct figure for each user without exposing data from other tenants.

PAR’s first version of the agent used a single LLM call to generate SQL directly against a Databricks data warehouse. While the model produced accurate queries for a proof‑of‑concept, the team identified several risks for production: a model could omit a required filter, hallucinate a tenant ID, or broaden a query’s scope in a way that leaks data. Because LLMs are probabilistic, relying on them for security would be unacceptable.

To address these risks, the company added three independent safeguards:

1. Integrity‑protected requests – Every API call is signed with SigV4, binding the Tenant ID, Business ID, and Admin ID to the caller’s AWS credentials. Any tampering invalidates the signature, and the request is rejected before reaching the application.

2. Semantic input validation – A reasoning engine on Bedrock checks whether the user’s question maps to a supported, well‑defined business metric. Ambiguous or unsupported queries are rejected or clarified before any data is accessed.

3. Programmatic data isolation – Before the LLM sees any data, the system generates a set of common table expressions (CTEs) that filter the Databricks tables to the rows the authenticated user may access. The LLM receives only the schema of these filtered views, so it can generate analytical SQL but cannot reference tables or rows outside the sandbox.

The architecture was tested against several attack scenarios. In a session‑hijacking attempt, a malicious actor could not alter the Tenant ID because the SigV4 signature would fail. When a user tried to ask for data from another business, the sandbox had no rows for that business, causing the generated SQL to fail at execution time. Even a jailbreak‑style prompt that asked the model to list all tables in the database could not succeed because the model had no knowledge of tables beyond the sandbox.
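The third safeguard and the cross-business scenario above can be sketched as follows. This is an added example, not PAR's code: SQLite stands in for Databricks, and the table `raw_sales`, its columns, the CTE name `sales`, and the scope dictionaries are all assumptions made for illustration.

```python
import sqlite3

# Constructed sample scopes; in the article these IDs come from the SigV4-signed request.
FRANCHISE = {"tenant_id": "T1", "business_ids": ["B1", "B2"]}
BRAND = {"tenant_id": "T1", "business_ids": ["B1", "B2", "B3"]}

def demo_db():
    """In-memory stand-in for the warehouse, filled with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE raw_sales (tenant_id TEXT, business_id TEXT,"
                 " sale_date TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO raw_sales VALUES (?, ?, ?, ?)", [
        ("T1", "B1", "2024-01-02", 40000),
        ("T1", "B2", "2024-01-03", 44000),
        ("T1", "B3", "2024-01-03", 100000),
        ("T2", "B9", "2024-01-04", 70000),   # another tenant
    ])
    return conn

def build_sandbox_prefix(scope):
    """Return (CTE text, bind values) exposing only rows inside the caller's scope."""
    marks = ", ".join("?" for _ in scope["business_ids"])
    cte = ("WITH sales AS (SELECT business_id, sale_date, amount FROM raw_sales "
           f"WHERE tenant_id = ? AND business_id IN ({marks})) ")
    return cte, [scope["tenant_id"], *scope["business_ids"]]

def run_in_sandbox(conn, scope, generated_sql):
    """Prefix model-generated SQL with the scoped CTE, then execute it."""
    cte, values = build_sandbox_prefix(scope)
    # Scope values are bound as parameters, never spliced into the SQL text.
    return conn.execute(cte + generated_sql, values).fetchall()

if __name__ == "__main__":
    conn = demo_db()
    question_sql = "SELECT SUM(amount) FROM sales"   # same "generated" SQL for both users
    print(run_in_sandbox(conn, FRANCHISE, question_sql))
    print(run_in_sandbox(conn, BRAND, question_sql))
    # Asking about another business: the sandbox holds no such rows.
    print(run_in_sandbox(conn, FRANCHISE,
                         "SELECT SUM(amount) FROM sales WHERE business_id = 'B9'"))
```

In this sketch the base table is still reachable if the generated SQL names it directly; the isolation shown depends, as in the article, on the model being given only the schema of the filtered `sales` view.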

PAR reports that the system has processed over 50,000 queries with zero cross‑tenant data exposure incidents. The company also introduced a user feedback loop that stores ratings of the agent’s responses, allowing continuous refinement of the semantic validation layer.

Security and compliance were addressed through additional controls. Audit logs capture every query, session, and permission change in AWS CloudTrail. Data at rest is encrypted with AWS Key Management Service (KMS) keys that rotate automatically, and all traffic uses TLS 1.3. Secrets such as Bedrock API keys and Databricks tokens are stored in AWS Secrets Manager with rotation policies.

The architecture aligns with AWS’s shared responsibility model: AWS secures the underlying infrastructure, while PAR implements identity verification, semantic validation, and data filtering in the cloud. The design is intended to be adaptable to other multi‑tenant applications that rely on LLMs for data access.

PAR Technology’s approach demonstrates how deterministic security controls can coexist with probabilistic AI models. By keeping the LLM inside a sandbox that enforces row‑level security, the company can offer self‑serve analytics to restaurant operators without compromising data governance.

The system is currently available to all existing customers and is expected to support additional tenants as PAR expands its restaurant‑industry portfolio.