Data Privacy Cloud

Baffle Data Privacy Cloud (DPC) enables organizations to serve their own data protection cloud services for easy consumption by developers and applications across multiple business units. With simple API calls, developers can easily apply encryption for cloud data protection and privacy.

Baffle DPC is set up as AWS Lambda services in your own cloud instances, allowing for dynamic scale and performance while safeguarding data ownership. Additionally, unlike other software as a service (SaaS) offerings, your data is never shared with Baffle.

Key Benefits

  • Simplified “"low-code”" privacy API for developers and DevOps
  • Private instances in your own VPC
  • Infinite dynamic scalability and performance via serverless functions
  • Unified protection across cloud and on-premises data stores
  • Seamless cloud infrastructure management via AWS Lambda
  • Perform analytics operations on encrypted data, in the cloud or on-prem
  • Pre-integrated with AWS Redshift and Snowflake
  • Easily integrate with any database, data warehouse, data lake, or data store
  • Offloads the work of integrating with encryption key management systems

Watch this webinar to learn how data can be easily de-identified as part of your data pipeline as it is staged for use in Snowflake or Amazon Redshift. Learn how to establish a fully de-identified cloud data lake and use adaptive security controls to secure data at rest, in motion, or in use while allowing analytics to run on protected data sets for authorized users.

How It Works

Baffle Data Privacy Cloud is deployed as serverless Amazon Lambda functions, typically placed behind an API gateway or layer inside your VPC. These functions provide a full suite of data protection APIs for de-identifying data, tokenization, data masking, privacy-enhanced computation, secure data sharing, and regulatory security measures.

Developers make simple API calls from within their applications, which dynamically instantiates Baffle DPC serverless instances and can scale horizontally as much as required. Since the services run within your own VPC, no data is ever sent or exposed externally.

The serverless functions interoperate with key management stores to support BYOK / HYOK via Baffle's key virtualization layer (KVL). This supports PKCS #11 for HSM integration, KMIP, and REST API support. Baffle's KVL integrates with AWS KMS, Thales, CloudHSM, IBM Key Protect, IBM Hyper Protect Crypto Services, Azure Key Vault, HashiCorp Vault, and others.

Your data always remains encrypted in cloud environments, multi cloud-based platforms, hybrid clouds, data lakes, and DBaaS solutions, with the encryption keys remaining fully under your control.

DPC How It Works

For developers and dev ops teams, this low-code approach simplifies data protection, eliminates overhead, reduces operational costs, and streamlines management. implementing a centralized data protection service ensures consistent support for any application and any data store.

Data Protection Services

Enterprises continue to battle cybersecurity threats such as ransomware, as well as breaches and losses of their data assets in public and private clouds. New data management restrictions and considerations on how it must be protected have changed how data is stored, retrieved and analyzed.

Baffle’s aim is to render data breaches and data losses irrelevant by assuming that breaches will happen. We provide a last line of defense by ensuring that unprotected data is never available to an attacker. Our data protection solutions protect data as soon as it is produced and keep it protected even while it is being processed.

Baffle's transparent data security mesh for both on-premises and cloud data offers several data protection modes. Capabilities include:

Protect data on the fly as it moves from a source data store to a cloud database or object storage, ensuring safe consumption of sensitive data by downstream applications


De-identify and tokenize data using Format Preserving Encryption (FPE) or deterministic encryption modes

Data-centric protection at the field or record level in data stores secures the actual data values

Simplified dynamic data masking plus role-based access control to control who can see what data. Irreversible static masking to devalue data for test/dev environments or production clones

No-code field or row-level encryption in Postgres, MySQL, Snowflake, Amazon Redshift, Microsoft SQL Server, Kafka, and more

Encrypt files and de-identify data in cloud data lakes to enable AI and privacy-preserving analytics

Provides an off-the-shelf BYOK service for SaaS vendors to support multiple customer-owned keys in multi-tenant environments

REST API Data Protection Services

Easily deploy tokenization and data protection service for virtually any application or data store

Define which systems, users or groups can access data stores and dynamically entitle who can see what data

Run AI and ML algorithms against encrypted data without ever decrypting the underlying values. Baffle DPS supports any mathematical operation on encrypted data in memory and in process

Multi-party data sharing without compromising privacy. Allow multiple parties to submit data with a HYOK model and allow aggregate analytics to execute on co-mingled data stores

Enable secure sharing of data across multiple parties without revealing private values to other participants

Schedule a live demo with one of our solutions experts to get answers to your questions

Additional Resources

AWS Lambda Data Protection

AWS Lambda is a serverless, event-based compute service that automatically manages underlying compute resources, without the need for provisioning hardware or learning a new computing language.

Snowflake Data De-Identification Demo

See how Baffle secures the data pipeline end-to-end to de-identify data on the fly and re-identify data for authorized users in Snowflake.

Amazon Redshift Data De-Identification Demo

Watch this demonstration of how Baffle DPS can de-identify data on-the-fly as it is migrated to a cloud data lake and staged in Amazon Redshift