Data Protection Services

Baffle Data Protection Services (DPS) protects data in the cloud via a “no code” and “low code” data security mesh. The solution provides universal data protection by de-identifying sensitive data and restricting access to the information. In a Zero Trust world where one must assume they are already breached, this data security layer allows companies to easily control who can see what data. 

Baffle DPS eliminates the security trade-off with strong data protection by supporting privacy preserving analytics and secure computation that allows businesses to perform AI and ML analytics on anonymized data, all without modifying business applications or processes.

Enterprises continue to battle cybersecurity threats such as ransomware, as well as breaches and losses of their data assets in public and private clouds. New restrictions on data management, and on how data must be protected, have changed how data is stored, retrieved and analyzed.

Baffle’s aim is to render data breaches and data losses irrelevant by assuming that breaches will happen. We provide a last line of defense by ensuring that unprotected data is never available to an attacker. Our data protection solutions protect data as soon as it is produced and keep it protected even while it is being processed.

Baffle's transparent data security mesh for both on-premises and cloud data offers several data protection modes. Capabilities include:

Protect data on the fly as it moves from a source data store to a cloud database or object storage, ensuring safe consumption of sensitive data by downstream applications

De-identify and tokenize data using Format Preserving Encryption (FPE) or deterministic encryption modes

Data-centric protection at the field or record level in data stores secures the actual data values

Simplified dynamic data masking plus role-based access control to control who can see what data. Irreversible static masking to devalue data for test/dev environments or production clones

No-code field or row-level encryption in Postgres, MySQL, Snowflake, Amazon Redshift, Microsoft SQL Server, Kafka, and more

Encrypt files and de-identify data in cloud data lakes to enable AI and privacy-preserving analytics

Provides an off-the-shelf BYOK service for SaaS vendors to support multiple customer-owned keys in multi-tenant environments

REST API Data Protection Services

Easily deploy tokenization and data protection service for virtually any application or data store

Define which systems, users or groups can access data stores and dynamically entitle who can see what data

Run AI and ML algorithms against encrypted data without ever decrypting the underlying values. Baffle DPS supports any mathematical operation on encrypted data in memory and in process

Multi-party data sharing without compromising privacy. Allow multiple parties to submit data with a HYOK model and allow aggregate analytics to execute on co-mingled data stores

Enable secure sharing of data across multiple parties without revealing private values to other participants

How It Works

SQL Proxy

Baffle’s SQL Proxy offers a transparent “no code” approach to enable field or row level encryption of data. The solution appears to applications and clients as the original database and always presents the original data schema to the application. It functions by creating a key mapping to data fields and performing encrypt and decrypt operations on-the-fly for any application query.

Applications or entire app tiers are redirected to the SQL proxy via a simple connection string change. This can also be implemented by a DNS hostname change. Application connections are proxied to the database on a one-to-one basis, and the solution is deployed inline at several Fortune 100 organizations at scale.

Baffle DPS provides a key virtualization layer (KVL) to allow for integration with virtually any key management solution. The KVL enables orchestration of key generation, key rotation and mapping to application fields without embedding SDKs or figuring out key exchange and storage protocols. Baffle supports a two-tier key management hierarchy with a master key (e.g. CMK, KEK) and a data encryption key (DEK). The DEKs are encrypted with the master key for protection and simplified key rotation.

At no time are any keys or data persisted by the Baffle solution.
