EU Data Sovereignty on US Cloud Infrastructure

Use AWS, GCP, and Azure while keeping secrets under EU jurisdiction. The key encryption keys that protect your data never leave your European vault; the cloud provider stores only ciphertext.

The Problem

EU companies face a fundamental conflict when using US cloud providers.


Regulatory Pressure

GDPR's transfer rules, as applied by the CJEU in Schrems II, and sector regulations restrict moving personal data outside EU jurisdiction without adequate safeguards. Using US cloud providers therefore creates compliance risk: even data stored in EU regions is reachable by US law (CLOUD Act, FISA Section 702), which can compel a US-headquartered provider to produce what it holds.


Key Management Gap

Provider-managed encryption (SSE-S3, Google-managed keys in GCS, Microsoft-managed keys in Azure Storage) means the provider holds the keys and can decrypt your data. Customer-managed keys (SSE-KMS, GCS CMEK, Azure CMK) do not close the gap: the key lives in the provider's KMS, and the provider's own services use it on your behalf every time they encrypt or decrypt, so plaintext and key use still happen inside provider infrastructure.

The Solution

CloudTaser puts a cryptographic boundary between your data and the cloud provider.

1. Secrets stay in EU vault

Database passwords, API keys, and encryption keys are stored in an EU-hosted OpenBao/Vault instance. They are fetched directly into process memory — never written to Kubernetes Secrets, etcd, or disk.

2. Transparent sidecar injection

A Kubernetes admission webhook automatically injects a lightweight sidecar into your pods. No application code changes required — existing workloads work as-is.

3. Client-side encryption for storage

An S3-compatible proxy encrypts data before it leaves your cluster. Each object gets a unique AES-256-GCM key, wrapped through your EU vault. The cloud provider stores only ciphertext.

4. Runtime monitoring

eBPF-based monitoring detects attempts to reach secrets through side channels: reads of a process's environment via /proc, and unexpected network exfiltration of secret material.

See it in action

Interactive demos running on real infrastructure. No signup required.

Components

Each component handles one part of the sovereignty stack.

Operator: Kubernetes sidecar injection (status: Pre-MVP)

Mutating admission webhook that automatically injects the CloudTaser wrapper into annotated pods. Add annotations to your deployment, and the operator handles the rest — no Helm template changes or init containers to manage manually.

Resolves original container entrypoints from the registry, rewrites the command to launch through the wrapper, and mounts a shared volume for the wrapper binary.
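What the webhook has to emit for one container, as an added Go example rather than the operator's own code: the JSON patch that adds the shared volume and an init container that copies the wrapper into it, then rewrites the command so the wrapper starts first. The volume and init-container names, the /cloudtaser mount path, the wrapper image and the constructed pod spec are assumptions of this example; the registry lookup of the image entrypoint is passed in as a parameter rather than performed here.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PatchOp is one RFC 6902 operation. A mutating webhook returns a list of them,
// base64-encoded, in AdmissionResponse.patch with patchType "JSONPatch".
type PatchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

const wrapperDir = "/cloudtaser" // assumed mount point of the shared wrapper volume

// addOp appends v to the array at path when it exists and creates the array
// otherwise: an "add" to "<path>/-" is rejected when the array itself is absent.
func addOp(path string, exists bool, v interface{}) PatchOp {
	if exists { return PatchOp{Op: "add", Path: path + "/-", Value: v} }
	return PatchOp{Op: "add", Path: path, Value: []interface{}{v}}
}

func toStrings(v interface{}) []string {
	items, _ := v.([]interface{})
	out := make([]string, 0, len(items))
	for _, it := range items {
		if s, ok := it.(string); ok { out = append(out, s) }
	}
	return out
}

// WrapperPatch builds the patch for container i of a pod decoded from the
// AdmissionReview. entrypoint is what the image would run if the spec set no
// command (ENTRYPOINT, plus CMD when the spec sets no args); resolving it from the
// registry is the operator's job and is outside this example.
func WrapperPatch(pod map[string]interface{}, i int, entrypoint []string, wrapperImage string) ([]PatchOp, error) {
	spec, _ := pod["spec"].(map[string]interface{})
	containers, _ := spec["containers"].([]interface{})
	if i < 0 || i >= len(containers) { return nil, fmt.Errorf("no container at index %d", i) }
	c, _ := containers[i].(map[string]interface{})
	cmd := toStrings(c["command"])
	if len(cmd) == 0 { cmd = entrypoint }
	if len(cmd) == 0 { return nil, fmt.Errorf("container %v: no command and no resolvable entrypoint", c["name"]) }
	cmd = append(append([]string{}, cmd...), toStrings(c["args"])...) // fold args in, as exec sees them
	prefix := fmt.Sprintf("/spec/containers/%d", i)
	_, hasVolumes := spec["volumes"]
	_, hasInit := spec["initContainers"]
	_, hasMounts := c["volumeMounts"]
	ops := []PatchOp{
		addOp("/spec/volumes", hasVolumes, map[string]interface{}{"name": "cloudtaser-bin", "emptyDir": map[string]interface{}{}}),
		addOp("/spec/initContainers", hasInit, map[string]interface{}{
			"name":         "cloudtaser-init",
			"image":        wrapperImage,
			"command":      []string{"cp", "/wrapper", wrapperDir + "/wrapper"},
			"volumeMounts": []interface{}{map[string]interface{}{"name": "cloudtaser-bin", "mountPath": wrapperDir}},
		}),
		addOp(prefix+"/volumeMounts", hasMounts, map[string]interface{}{"name": "cloudtaser-bin", "mountPath": wrapperDir, "readOnly": true}),
		// "add" on an existing member replaces it, so this works whether or not command was set.
		{Op: "add", Path: prefix + "/command", Value: append([]string{wrapperDir + "/wrapper"}, cmd...)},
	}
	if _, ok := c["args"]; ok { ops = append(ops, PatchOp{Op: "remove", Path: prefix + "/args"}) }
	return ops, nil
}

func main() {
	// Constructed pod: no command, args only, so the entrypoint must come from the registry.
	const podJSON = `{"spec":{"containers":[{"name":"api","image":"registry.example/api:1.4","args":["--port","8080"]}]}}`
	var pod map[string]interface{}
	if err := json.Unmarshal([]byte(podJSON), &pod); err != nil { panic(err) }
	ops, err := WrapperPatch(pod, 0, []string{"/usr/local/bin/api"}, "registry.example/cloudtaser-wrapper:0.1")
	if err != nil { panic(err) }
	out, _ := json.MarshalIndent(ops, "", "  ")
	fmt.Println(string(out))
}
```

Two details matter in practice: args are folded into the new command and then removed, because Kubernetes would otherwise append them to the wrapper's arguments a second time, and a container whose command cannot be resolved is rejected rather than patched into something that will not start.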

Wrapper: Secret fetching into process memory (status: Alpha)

Process wrapper (similar to envconsul) that fetches secrets from your EU-hosted vault and injects them as environment variables into the target process. Secrets exist only in process memory — never on disk, never in Kubernetes Secrets.

Supports token and Kubernetes auth methods. Handles lease renewal and token refresh automatically.
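A minimal version of the wrapper's flow, as an added Go example and not CloudTaser's code: Kubernetes auth login, a KV v2 read, renewal at two thirds of the token TTL, and starting the target with the secrets present only in its environment. The endpoints and response fields are the real Vault/OpenBao ones; the environment variables VAULT_ADDR, VAULT_ROLE and VAULT_KV_PATH, the "secret" mount and the upper-casing of secret names are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"os/exec"
	"sort"
	"strings"
	"time"
)

// VaultClient covers the three calls the wrapper needs: login, KV read, renewal.
type VaultClient struct {
	Addr, Token string
	Lease       time.Duration // TTL of Token as reported by the vault
}

func (c *VaultClient) do(method, path string, in, out interface{}) error {
	var payload []byte // GET requests carry no body
	if in != nil { payload, _ = json.Marshal(in) }
	req, _ := http.NewRequest(method, c.Addr+path, strings.NewReader(string(payload)))
	if c.Token != "" { req.Header.Set("X-Vault-Token", c.Token) }
	resp, err := http.DefaultClient.Do(req)
	if err != nil { return err }
	defer resp.Body.Close()
	if resp.StatusCode != 200 { return fmt.Errorf("%s %s: HTTP %d", method, path, resp.StatusCode) }
	return json.NewDecoder(resp.Body).Decode(out)
}

type authResp struct {
	Auth struct {
		ClientToken   string `json:"client_token"`
		LeaseDuration int    `json:"lease_duration"`
	} `json:"auth"`
}

// LoginKubernetes trades the pod's projected service-account JWT for a vault token
// (POST /v1/auth/kubernetes/login), so no long-lived vault credential is ever mounted.
func (c *VaultClient) LoginKubernetes(role, jwt string) error {
	var r authResp
	if err := c.do("POST", "/v1/auth/kubernetes/login", map[string]string{"role": role, "jwt": jwt}, &r); err != nil { return err }
	if r.Auth.ClientToken == "" { return fmt.Errorf("login: no client_token in response") }
	c.Token, c.Lease = r.Auth.ClientToken, time.Duration(r.Auth.LeaseDuration)*time.Second
	return nil
}

// RenewSelf extends the token's TTL (POST /v1/auth/token/renew-self).
func (c *VaultClient) RenewSelf() error {
	var r authResp
	if err := c.do("POST", "/v1/auth/token/renew-self", map[string]string{}, &r); err != nil { return err }
	c.Lease = time.Duration(r.Auth.LeaseDuration) * time.Second
	return nil
}

// ReadKV returns the string fields of a KV v2 secret (GET /v1/<mount>/data/<path>).
func (c *VaultClient) ReadKV(mount, path string) (map[string]string, error) {
	var r struct{ Data struct{ Data map[string]string `json:"data"` } `json:"data"` }
	if err := c.do("GET", "/v1/"+mount+"/data/"+path, nil, &r); err != nil { return nil, err }
	return r.Data.Data, nil
}

// BuildEnv merges secrets into the inherited environment as KEY=value. Secret names
// are upper-cased and win over any pre-set variable of the same name.
func BuildEnv(base []string, secrets map[string]string) []string {
	merged := map[string]string{}
	for _, kv := range base {
		if i := strings.IndexByte(kv, '='); i > 0 { merged[kv[:i]] = kv[i+1:] }
	}
	for k, v := range secrets { merged[strings.ToUpper(k)] = v }
	env := make([]string, 0, len(merged))
	for k, v := range merged { env = append(env, k+"="+v) }
	sort.Strings(env)
	return env
}

func main() {
	if len(os.Args) < 2 { fmt.Fprintln(os.Stderr, "usage: wrapper <command> [args...]"); os.Exit(2) }
	c := &VaultClient{Addr: os.Getenv("VAULT_ADDR")}
	jwt, err := os.ReadFile("/var/run/secrets/kubernetes.io/serviceaccount/token")
	if err == nil { err = c.LoginKubernetes(os.Getenv("VAULT_ROLE"), string(jwt)) }
	if err != nil { fmt.Fprintln(os.Stderr, "auth:", err); os.Exit(1) }
	secrets, err := c.ReadKV("secret", os.Getenv("VAULT_KV_PATH"))
	if err != nil { fmt.Fprintln(os.Stderr, "read:", err); os.Exit(1) }
	go func() { // renew at two thirds of the TTL, leaving headroom for a vault outage
		for c.Lease > 0 {
			time.Sleep(c.Lease * 2 / 3)
			if err := c.RenewSelf(); err != nil { fmt.Fprintln(os.Stderr, "renew:", err) }
		}
	}()
	cmd := exec.Command(os.Args[1], os.Args[2:]...)
	cmd.Env = BuildEnv(os.Environ(), secrets) // secrets exist only in the child's environment block
	cmd.Stdin, cmd.Stdout, cmd.Stderr = os.Stdin, os.Stdout, os.Stderr
	if err := cmd.Run(); err != nil {
		if ee, ok := err.(*exec.ExitError); ok { os.Exit(ee.ExitCode()) }
		fmt.Fprintln(os.Stderr, err); os.Exit(1)
	}
}
```

Nothing here touches a file, a Kubernetes Secret or etcd: the values live in the wrapper's heap and in the child's environment block. The wrapper stays resident as the parent so it can keep renewing the token; a plain exec would drop that ability.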

S3 Proxy: Client-side encryption for object storage (status: Beta)

S3-compatible reverse proxy that encrypts objects with AES-256-GCM before uploading to any S3-compatible storage. Each object gets a unique data encryption key (DEK), wrapped via Vault Transit — the cloud provider never sees plaintext or keys.

Transparent to applications: point your S3 client at the proxy instead of the provider endpoint, and decryption is automatic on download. The proxy runs inside your cluster, so plaintext exists only there and in the application; the provider still sees object names, sizes and access patterns, which client-side encryption does not hide.
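The envelope scheme the proxy applies to each object, written out as an added Go example; this is not CloudTaser's code. The Transit endpoints, request and response fields and the vault:v1: ciphertext prefix are the real Vault/OpenBao API. A Transit key named cloudtaser, the object metadata layout (nonce and wrapped DEK kept beside the object), the use of the object key as GCM associated data and the sample object are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strings"
)

// TransitWrapper wraps per-object data encryption keys (DEKs) with the Vault/OpenBao
// Transit API; the key encryption key never leaves the vault, only DEKs travel to it:
//   POST /v1/transit/encrypt/<key> {"plaintext": base64(dek)}  -> {"data": {"ciphertext": "vault:v1:..."}}
//   POST /v1/transit/decrypt/<key> {"ciphertext": "vault:v1:..."} -> {"data": {"plaintext": base64(dek)}}
type TransitWrapper struct{ Addr, Token, KeyName string }

func (t *TransitWrapper) call(op, field, value string) (string, error) {
	body, _ := json.Marshal(map[string]string{field: value})
	req, _ := http.NewRequest("POST", t.Addr+"/v1/transit/"+op+"/"+t.KeyName, strings.NewReader(string(body)))
	req.Header.Set("X-Vault-Token", t.Token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil { return "", err }
	defer resp.Body.Close()
	var r struct {
		Data struct{ Ciphertext, Plaintext string } `json:"data"`
	}
	if resp.StatusCode != 200 || json.NewDecoder(resp.Body).Decode(&r) != nil {
		return "", fmt.Errorf("transit %s failed (HTTP %d)", op, resp.StatusCode)
	}
	v := r.Data.Ciphertext
	if op == "decrypt" { v = r.Data.Plaintext }
	if v == "" { return "", fmt.Errorf("transit %s: empty response", op) }
	return v, nil
}

func (t *TransitWrapper) Wrap(dek []byte) (string, error) {
	return t.call("encrypt", "plaintext", base64.StdEncoding.EncodeToString(dek))
}

func (t *TransitWrapper) Unwrap(wrapped string) ([]byte, error) {
	p, err := t.call("decrypt", "ciphertext", wrapped)
	if err != nil { return nil, err }
	return base64.StdEncoding.DecodeString(p)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil { panic(err) } // a failing CSPRNG is not recoverable
	return b
}

// EncryptedObject is what the proxy uploads: ciphertext as the object body, nonce and
// wrapped DEK as object metadata. None of it yields plaintext without a vault call.
type EncryptedObject struct{ WrappedDEK string; Nonce, Ciphertext []byte }

// EncryptObject draws a fresh 256-bit DEK and 96-bit nonce per object and seals with
// AES-256-GCM. The object key is the associated data, so a ciphertext copied to
// another key fails authentication instead of quietly decrypting.
func EncryptObject(kw *TransitWrapper, objectKey string, plaintext []byte) (*EncryptedObject, error) {
	dek, nonce := randomBytes(32), randomBytes(12)
	aead, err := newGCM(dek)
	if err != nil { return nil, err }
	wrapped, err := kw.Wrap(dek)
	if err != nil { return nil, err }
	ct := aead.Seal(nil, nonce, plaintext, []byte(objectKey))
	return &EncryptedObject{WrappedDEK: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptObject unwraps the DEK through the vault, then opens the ciphertext.
func DecryptObject(kw *TransitWrapper, objectKey string, obj *EncryptedObject) ([]byte, error) {
	dek, err := kw.Unwrap(obj.WrappedDEK)
	if err != nil { return nil, err }
	aead, err := newGCM(dek)
	if err != nil { return nil, err }
	return aead.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectKey))
}

// Round trip against a live vault: VAULT_ADDR and VAULT_TOKEN set, transit engine
// enabled, key created with `vault write -f transit/keys/cloudtaser`.
func main() {
	kw := &TransitWrapper{Addr: os.Getenv("VAULT_ADDR"), Token: os.Getenv("VAULT_TOKEN"), KeyName: "cloudtaser"}
	key, body := "invoices/2024/001.pdf", []byte("constructed sample object body")
	obj, err := EncryptObject(kw, key, body)
	if err != nil { fmt.Println("encrypt:", err); os.Exit(1) }
	pt, err := DecryptObject(kw, key, obj)
	_, moved := DecryptObject(kw, "public/leak.pdf", obj) // same bytes under another key must fail
	fmt.Printf("wrapped DEK: %.20s...\nround trip ok: %v\nrenamed copy decrypts: %v\n", obj.WrappedDEK, err == nil && string(pt) == string(body), moved == nil)
}
```

The wrapped DEK and nonce can safely travel with the object as metadata: without the Transit key they are opaque, and a request to decrypt is itself an auditable vault call. Binding the object key as associated data is optional but cheap, and it turns a silent copy-and-rename of ciphertext into an authentication failure.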

eBPF Agent: Runtime secret monitoring (status: Alpha)

Kernel-level monitoring using eBPF tracepoints. Detects when processes attempt to read secrets through side channels like /proc/pid/environ, or when secret material appears in network write buffers.

Currently focused on detection and alerting. Enforcement capabilities (blocking unauthorized access) are in development.
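The side channel the agent watches, and the check it makes, shown from user space as an added Go example (not the agent's code, which runs the same idea as eBPF in the kernel). ScanEnviron parses the NUL-separated /proc/<pid>/environ format and reports which variable carried a known secret value; ScanBuffer is the same match over an opaque buffer such as data about to be written to a socket. The secret values and the buffer contents are constructed for this example; the main function's live demonstration needs Linux.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"sort"
	"strconv"
	"time"
)

// Finding records where a secret value surfaced: the secret's name and the
// environment variable that carried it.
type Finding struct{ Secret, Variable string }

// ScanEnviron parses the NUL-separated KEY=value block of /proc/<pid>/environ and
// reports every known secret value found in it. Any process with the same UID can
// read that file, which is why an env-injected secret needs runtime monitoring.
func ScanEnviron(environ []byte, secrets map[string]string) []Finding {
	var out []Finding
	for _, kv := range bytes.Split(environ, []byte{0}) {
		i := bytes.IndexByte(kv, '=')
		if i <= 0 { continue } // empty trailing element or malformed entry
		k, v := kv[:i], kv[i+1:]
		for name, secret := range secrets {
			if secret != "" && bytes.Contains(v, []byte(secret)) {
				out = append(out, Finding{Secret: name, Variable: string(k)})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Secret != out[j].Secret { return out[i].Secret < out[j].Secret }
		return out[i].Variable < out[j].Variable
	})
	return out
}

// ScanBuffer is the same check for an opaque buffer, e.g. the bytes of a socket
// write: a secret that appears verbatim is being exfiltrated or logged.
func ScanBuffer(buf []byte, secrets map[string]string) []string {
	var names []string
	for name, secret := range secrets {
		if secret != "" && bytes.Contains(buf, []byte(secret)) { names = append(names, name) }
	}
	sort.Strings(names)
	return names
}

// main shows the side channel itself on Linux: a child started with a secret in its
// environment, read back through /proc by a process that never received it.
func main() {
	secrets := map[string]string{"db_password": "constructed-s3cr3t"}
	child := exec.Command("sleep", "5")
	child.Env = []string{"DB_PASSWORD=" + secrets["db_password"], "PATH=/usr/bin:/bin"}
	if err := child.Start(); err != nil { fmt.Println("start:", err); return }
	defer child.Process.Kill()
	time.Sleep(100 * time.Millisecond)
	environ, err := os.ReadFile(filepath.Join("/proc", strconv.Itoa(child.Process.Pid), "environ"))
	if err != nil { fmt.Println("no readable /proc environ on this OS:", err); return }
	fmt.Println("leaked via /proc:", ScanEnviron(environ, secrets))
	fmt.Println("in a constructed write buffer:", ScanBuffer([]byte(`{"user":"app","password":"constructed-s3cr3t"}`), secrets))
}
```

The kernel-side version sees the open() of the environ file and the write() buffer before the data leaves the host, and can attribute both to a process and a cgroup; the user-space version above can only confirm after the fact that the exposure exists.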

CLI: Discovery and deployment (status: Alpha)

Command-line tool for discovering existing secrets in a Kubernetes cluster and planning migration to CloudTaser. Connects to clusters, scans for secrets referenced in pod specs, and helps map them to vault paths.

Platform: SaaS control plane (status: Planned)

Centralized management for access policies, audit logs, and observability across clusters. Will provide a web interface for managing vault connections, viewing secret access patterns, and configuring alerting.

How CloudTaser Compares

Standard cloud encryption vs. client-side encryption with EU key sovereignty.

Capability                 | Cloud-native encryption              | CloudTaser
Provider sees plaintext    | Yes: it holds the keys               | No: ciphertext only
Keys under EU jurisdiction | Provider KMS, even in an EU region   | EU-hosted vault
CLOUD Act exposure         | Provider can be compelled to decrypt | Provider can produce only ciphertext
Application changes        | Varies                               | None: transparent proxy/sidecar
Secret rotation            | Manual or provider-specific          | Automatic via vault leases

What the boundary covers: data at rest in provider storage, and secrets that would otherwise sit in provider-managed stores such as Kubernetes Secrets and etcd. Workloads that run on provider compute still hold plaintext and unwrapped keys in memory on hosts the provider operates, so this protects against compelled access to stored data, not against an adversary with control of the hypervisor.