Data Tokenization

Simplified secure tokenization with no code changes

Tokenization is a data de-identification process of replacing sensitive data fields with a non-sensitive value, i.e. a token, thus mitigating the risk of data exposure. This is commonly used to protect sensitive information such as credit card numbers, social security numbers, bank accounts, medical records, driver's licenses, and much more. Tokenization is often mandated by major regulations such as PCI DSS and HIPAA.

Baffle Data Protection Services (DPS) provides a modern data security platform that is easy to deploy, is highly secure and performant, and does not require the use of token vaults. Its innovative "no code" approach eliminates the need for any application changes. Baffle supports multiple database and file encryption modes including NIST certified and FIPS validated AES modes.

Key Benefits

    • De-identify data sets whether in the cloud, on-premises, or in hybrid environments
    • Tokenize data inside data lakes, databases, objects, and files
    • Highly performant and highly secure using Format Preserving Encryption (FPE) algorithm
    • Easily tokenize data with "no code" changes
    • Accelerate compliance with data privacy regulations such as PCI, HIPAA, GDPR, and CCPA
    • Safe harbor from accidental data leaks from key privacy and compliance regulations
    • Mitigate insider threat and privileged access user risk
    • Maintains protected data's referential integrity
    • Meet Luhn check requirements for credit card data

Data Protection in the Cloud

Enterprise data growth has continued exponentially, and the migration to cloud data lakes has become a major trend, allowing big data environments to expand flexibly and without limit. As more organizations use cloud data lakes for business analytics, machine learning and artificial intelligence, specific data privacy challenges are emerging.

Shared Responsibility Model

Baffle Data Protection vs Legacy Tokenization Solutions

Legacy Tokenization Baffle Data Protection Service
Data Transformation Data replaced with a token Data tokenized with AES-256 bit keys for Format-Preserving Encryption (FPE)
Security Vaulted tokenization is vulnerable to frequency attacks like Chosen Plaintext Attack (CPA) and is heavily dependent on the cardinality of the data fields. Baffle offers FPE which is a mathematical transformation that is accelerated by the AES-NI instruction set and is proven to be cryptographically secure with no data dependence whatsoever
Application Impact Requires applications to access a cloud-based API which implies that the source code has to be available or being developed in-house and manage keys required for encryption Requires a network layer connection only eliminating the need to change an existing application completely relieving application developers of the burden of integrating a service or managing keys
Storage Requirements Vaulted would require a lookup table that is the same size as the database doubling the storage needed. Vaultless requires a smaller table but sacrifices security FPE does not add any storage needs since it preserves the format of the original data
Performance Every entry into the data store requires a lookup to ensure that each token is unique. The same process is repeated for incremental additions to the data store as well. FPE is a mathematical transformation accelerated by AES-NI instructions on a processor so executes a factor of magnitude faster than vaulted or vaultless tokenization.

Our Solution

Baffle delivers an enterprise-level transparent data security platform that secures databases via a "no code" model at the field or file level. The solution supports tokenization, format-preserving encryption (FPE), database and file AES-256 encryption, and role-based access control. As a transparent solution, cloud-native services are easily supported with almost no performance or functionality impact.

Icon Cubes


No application code modification required

Icon Stopwatch


Deploy in hours
not weeks

Icon Bolt


No impact to user

Icon Command


Bring your own key

Icon Padlock


AES cryptographic

How It Works

SQL Proxy

SQL Proxy

SQL Proxy DiagramBaffle's SQL Proxy offers a transparent "no code" approach to enable field or row level encryption of data.  The solution appears to applications and clients as the original database and always presents the original data schema to the application.  It functions by creating a key mapping to data fields and performing encrypt and decrypt operations on-the-fly for any application query.

Applications or entire app tiers are redirected to the SQL proxy via a simple connection string change.  This can also be implemented by a DNS hostname change.  Application connections are proxied to the database on a one-to-one basis and the solution is deployed inline with several Fortune 100 organizations at scale.  

Baffle DPS provides a key virtualization layer (KVL) to allow for integration with virtually any key management solution. The KVL enables orchestration of key generation, key rotation and mapping to application fields without embedding SDKs or figuring out key exchange and storage protocols. Baffle supports a two tier key management hierarchy with a master key (e.g. CMK, KEK) and a data encryption key (DEK).  The DEKs are encrypted with the master key for protection and simplified key rotation.  

At no time are any keys or data persisted by the Baffle solution.

Data Proxy
REST API Service

Schedule a live demo with one of our solutions experts to get answers to your questions