Use AWS, GCP, and Azure while keeping encryption keys under EU jurisdiction. The cloud provider stores only ciphertext.
EU companies face a fundamental conflict when using US cloud providers.
GDPR restricts transfers of personal data outside the EEA unless equivalent protection is guaranteed, the Schrems II ruling struck down the Privacy Shield framework US providers relied on, and sector regulations (finance, health) add residency requirements of their own. US law (the CLOUD Act, FISA Section 702) can compel a US-headquartered provider to hand over data under its control, even data stored in an EU region.
With standard server-side encryption the provider generates and holds the keys. Customer-managed keys (CMK/BYOK) are still imported into and used by the provider's KMS, so the provider can still decrypt your data, and can be compelled to.
A cryptographic boundary between your data and the cloud provider.
Database passwords, API keys, and encryption keys are stored in an EU-hosted secret store. Fetched directly into process memory — never written to Kubernetes Secrets, etcd, or disk.
A Kubernetes admission webhook automatically injects a lightweight sidecar into your pods. No application code changes required.
An S3-compatible proxy encrypts data before it leaves your cluster. Each object gets a unique AES-256-GCM key, wrapped through your EU vault. The cloud provider stores only ciphertext.
eBPF-based monitoring detects attempts to access secrets through side channels — process environment reads, unexpected network exfiltration, and more.
Interactive demos running on real infrastructure. No signup required.
Each component handles one part of the sovereignty stack.
Mutating admission webhook that automatically injects the CloudTaser wrapper into annotated pods. Resolves original container entrypoints from the registry, rewrites the command to launch through the wrapper, and mounts a shared volume for the wrapper binary.
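As an added illustration (not CloudTaser's own code, whose source the page does not show), here is the core of such a webhook in Go: given an annotated pod, it resolves each container's effective command using the Kubernetes command/args versus image ENTRYPOINT/CMD rules, prefixes it with the wrapper, and adds the shared volume and mount as a JSON Patch. The annotation name, wrapper paths and the in-memory registry lookup are assumptions; the AdmissionReview HTTP plumbing, TLS, and the init container that copies the wrapper binary into the volume are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Annotation and paths are hypothetical; the page does not give CloudTaser's real names.
const (
	injectAnnotation = "cloudtaser.example/inject"
	wrapperVolume    = "cloudtaser-wrapper"
	wrapperMount     = "/cloudtaser"
	wrapperBin       = "/cloudtaser/wrapper"
)

// Subset of the Pod API the patch needs. JSON tags matter only on values emitted in the patch.
type VolumeMount struct {
	Name      string `json:"name"`
	MountPath string `json:"mountPath"`
}
type Volume struct {
	Name     string   `json:"name"`
	EmptyDir struct{} `json:"emptyDir"`
}
type Container struct {
	Name, Image   string
	Command, Args []string
	VolumeMounts  []VolumeMount
}
type Pod struct {
	Annotations map[string]string
	Containers  []Container
	Volumes     []Volume
}

// PatchOp is one RFC 6902 JSON Patch operation.
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// imageConfig is what a registry manifest lookup returns; this map is a constructed stand-in.
type imageConfig struct{ Entrypoint, Cmd []string }

var registry = map[string]imageConfig{
	"registry.example/app:1.2": {Entrypoint: []string{"/app/server"}, Cmd: []string{"--port", "8080"}},
}

// effectiveCommand applies the Kubernetes rules for command/args versus image ENTRYPOINT/CMD.
func effectiveCommand(c Container) ([]string, error) {
	if len(c.Command) > 0 {
		return append(append([]string{}, c.Command...), c.Args...), nil
	}
	img, ok := registry[c.Image]
	if !ok {
		return nil, fmt.Errorf("no entrypoint known for image %q", c.Image)
	}
	if len(c.Args) > 0 {
		return append(append([]string{}, img.Entrypoint...), c.Args...), nil
	}
	return append(append([]string{}, img.Entrypoint...), img.Cmd...), nil
}

// buildPatch returns the operations the webhook would place in its AdmissionResponse,
// or nil when the pod is not annotated for injection.
func buildPatch(pod Pod) ([]PatchOp, error) {
	if pod.Annotations[injectAnnotation] != "true" {
		return nil, nil
	}
	// RFC 6902 "add" replaces an existing member, so writing whole lists covers empty and non-empty cases.
	ops := []PatchOp{{Op: "add", Path: "/spec/volumes", Value: append(pod.Volumes, Volume{Name: wrapperVolume})}}
	for i, c := range pod.Containers {
		cmd, err := effectiveCommand(c)
		if err != nil {
			return nil, err
		}
		base := fmt.Sprintf("/spec/containers/%d", i)
		ops = append(ops, PatchOp{Op: "add", Path: base + "/command", Value: append([]string{wrapperBin, "--"}, cmd...)})
		if len(c.Args) > 0 { // folded into command above; left in place they would be appended again
			ops = append(ops, PatchOp{Op: "remove", Path: base + "/args"})
		}
		mount := VolumeMount{Name: wrapperVolume, MountPath: wrapperMount}
		ops = append(ops, PatchOp{Op: "add", Path: base + "/volumeMounts", Value: append(c.VolumeMounts, mount)})
	}
	return ops, nil
}

func main() {
	pod := Pod{Annotations: map[string]string{injectAnnotation: "true"},
		Containers: []Container{{Name: "app", Image: "registry.example/app:1.2", Args: []string{"--port", "9090"}}}}
	ops, err := buildPatch(pod)
	if err != nil {
		panic(err)
	}
	b, _ := json.MarshalIndent(ops, "", "  ")
	fmt.Println(string(b)) // goes base64-encoded into AdmissionResponse.patch with patchType "JSONPatch"
}
```

The entrypoint resolution is the part that bites in practice: a pod that sets `args` but not `command` relies on the image's ENTRYPOINT, so the webhook must fetch the image config rather than assume `command` is populated, and it must remove `args` once they are folded in or the kubelet appends them a second time.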
Process wrapper that fetches secrets from your EU-hosted vault and injects them as environment variables into the target process. Secrets exist only in process memory, never on disk and never in Kubernetes Secrets. Note that a process's environment is still readable through /proc/<pid>/environ by the same UID or by anything with ptrace rights, which is exactly the path the eBPF monitor watches. Supports Vault token and Kubernetes auth methods.
S3-compatible reverse proxy that encrypts objects with AES-256-GCM before uploading. Each object gets a unique DEK, wrapped via Vault Transit — the cloud provider never sees plaintext or keys. Transparent to applications.
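Added example, not the project's code: the envelope scheme described for the S3 proxy, written with Go's standard library. A local AES-256-GCM key stands in for the Vault Transit key, which in practice never leaves the EU vault; the object key is bound as associated data so that a ciphertext copied under a different key fails to decrypt. How the wrapped DEK and nonce are stored alongside the object is an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomBytes panics on CSPRNG failure, which is unrecoverable for an encrypting proxy.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

// Transit is a constructed stand-in for Vault's transit engine: the KEK stays
// inside it, the way the real key stays inside the EU-hosted vault.
type Transit struct{ kek cipher.AEAD }

func NewTransit() (*Transit, error) {
	kek, err := newGCM(randomBytes(32))
	if err != nil {
		return nil, err
	}
	return &Transit{kek: kek}, nil
}

// Wrap mirrors transit/encrypt: returns nonce || AES-GCM(KEK, dek).
func (t *Transit) Wrap(dek []byte) []byte {
	nonce := randomBytes(t.kek.NonceSize())
	return t.kek.Seal(nonce, nonce, dek, nil)
}

// Unwrap mirrors transit/decrypt.
func (t *Transit) Unwrap(wrapped []byte) ([]byte, error) {
	ns := t.kek.NonceSize()
	if len(wrapped) < ns {
		return nil, fmt.Errorf("wrapped DEK too short")
	}
	return t.kek.Open(nil, wrapped[:ns], wrapped[ns:], nil)
}

// SealedObject is everything the proxy uploads. The wrapped DEK and nonce would
// travel as object metadata (layout assumed); none of it yields plaintext without the KEK.
type SealedObject struct {
	WrappedDEK []byte
	Nonce      []byte
	Ciphertext []byte
}

// EncryptObject generates a fresh 256-bit DEK per object and binds the object key
// as associated data, so a ciphertext moved to another key fails authentication.
func EncryptObject(t *Transit, objectKey string, plaintext []byte) (*SealedObject, error) {
	dek := randomBytes(32)
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	ct := aead.Seal(nil, nonce, plaintext, []byte(objectKey))
	obj := &SealedObject{WrappedDEK: t.Wrap(dek), Nonce: nonce, Ciphertext: ct}
	for i := range dek { // best effort: the plaintext DEK has no reason to outlive this call
		dek[i] = 0
	}
	return obj, nil
}

// DecryptObject unwraps the DEK through the vault and authenticates the ciphertext
// against the object key it was stored under.
func DecryptObject(t *Transit, objectKey string, obj *SealedObject) ([]byte, error) {
	dek, err := t.Unwrap(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectKey))
}

func main() {
	vault, _ := NewTransit()
	obj, _ := EncryptObject(vault, "records/42.json", []byte("constructed customer record"))
	// This is all the cloud provider ever receives.
	fmt.Printf("wrapped DEK %x\nnonce      %x\nciphertext %x\n", obj.WrappedDEK, obj.Nonce, obj.Ciphertext)
}
```

Two properties worth checking in any such proxy: every PUT produces a different wrapped DEK even for identical plaintext, and a GET of the object under any other key name must fail authentication rather than return data.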
Kernel-level monitoring using eBPF tracepoints. Detects when processes attempt to read secrets through side channels like /proc/pid/environ, or when secret material appears in network write buffers.
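Added example, not CloudTaser's monitor: the user-space half of the two detections named above, run over constructed tracepoint events. Collecting the events from sys_enter_openat and sys_enter_sendto with eBPF is not shown; the list of wrapped pids and the injected secret values are assumed to be reported by the wrapper at launch.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"strconv"
)

// Event is the user-space view of one tracepoint record (sys_enter_openat or
// sys_enter_sendto). The BPF program that produces it is not shown here.
type Event struct {
	Pid  int
	Comm string
	Kind string // "openat" or "sendto"
	Path string // openat: filename argument
	Data []byte // sendto: leading bytes of the user buffer, copied by the probe
}

type Alert struct {
	Rule, Comm, Detail string
	Pid                int
}

var environRe = regexp.MustCompile(`^/proc/(\d+|self)/environ$`)

// Monitor holds what the wrapper reports after launching a target: the pid it
// wrapped and the secret values it injected. A real tool keeps these in BPF maps
// so the compare happens in the kernel; here it is plain Go over delivered events.
type Monitor struct {
	protected map[int]bool
	secrets   [][]byte
}

func NewMonitor(pids []int, secrets [][]byte) *Monitor {
	m := &Monitor{protected: map[int]bool{}, secrets: secrets}
	for _, p := range pids {
		m.protected[p] = true
	}
	return m
}

// Check evaluates one event and returns an alert, or nil when it is benign.
func (m *Monitor) Check(e Event) *Alert {
	switch e.Kind {
	case "openat":
		match := environRe.FindStringSubmatch(e.Path)
		if match == nil {
			return nil
		}
		target := e.Pid // "/proc/self/environ" refers to the caller itself
		if match[1] != "self" {
			target, _ = strconv.Atoi(match[1])
		}
		// A process reading its own environment is normal (many runtimes do);
		// a different process opening a wrapped pid's environ is the side channel.
		if target != e.Pid && m.protected[target] {
			return &Alert{Rule: "environ-read", Pid: e.Pid, Comm: e.Comm, Detail: "opened " + e.Path}
		}
	case "sendto":
		for _, s := range m.secrets {
			if bytes.Contains(e.Data, s) {
				return &Alert{Rule: "secret-in-write-buffer", Pid: e.Pid, Comm: e.Comm,
					Detail: fmt.Sprintf("%d-byte injected secret in outbound buffer", len(s))}
			}
		}
	}
	return nil
}

// Run applies Check to a stream of events and collects the alerts.
func (m *Monitor) Run(events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		if a := m.Check(e); a != nil {
			alerts = append(alerts, *a)
		}
	}
	return alerts
}

// sampleSecret and sampleEvents are constructed for this example, not captured anywhere.
const sampleSecret = "hvs.EXAMPLE0000constructed"

func sampleEvents() []Event {
	return []Event{
		{Pid: 1201, Comm: "app", Kind: "openat", Path: "/proc/self/environ"},                         // benign: own environ
		{Pid: 3307, Comm: "bash", Kind: "openat", Path: "/proc/1201/environ"},                        // side-channel read
		{Pid: 1201, Comm: "app", Kind: "sendto", Data: []byte("GET /health HTTP/1.1")},               // benign
		{Pid: 4410, Comm: "curl", Kind: "sendto", Data: []byte("POST /collect t=" + sampleSecret)},   // exfiltration
		{Pid: 3307, Comm: "bash", Kind: "openat", Path: "/proc/999/environ"},                         // not a wrapped pid
	}
}

func main() {
	m := NewMonitor([]int{1201}, [][]byte{[]byte(sampleSecret)})
	for _, a := range m.Run(sampleEvents()) {
		fmt.Printf("ALERT %-24s pid=%d comm=%s %s\n", a.Rule, a.Pid, a.Comm, a.Detail)
	}
}
```

Two caveats for the write-buffer rule: it only sees plaintext, so a secret sent over TLS is invisible to it and a secret sent in clear to a legitimate in-cluster service will fire, which means destinations need an allowlist; and matching requires the monitor to hold the secret values themselves, so the map that holds them is as sensitive as the vault lease that produced them.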
Command-line tool for discovering existing secrets in a Kubernetes cluster and planning migration to CloudTaser. Scans for secrets referenced in pod specs and helps map them to vault paths.
Centralized management for access policies, audit logs, and observability across clusters. Web interface for managing vault connections, viewing secret access patterns, and configuring alerting.
Standard cloud encryption vs. client-side encryption with EU key sovereignty.
| Capability | Cloud-Native Encryption | CloudTaser |
|---|---|---|
| Provider sees plaintext | Yes — they hold the keys | No — ciphertext only |
| Keys under EU jurisdiction | Keys in provider KMS | EU-hosted vault |
| CLOUD Act exposure | Provider can be compelled | No keys to surrender |
| Application changes | Varies | None — transparent |
| Secret rotation | Manual / provider-specific | Automatic via vault leases |