Data Sovereignty

EU/UK Data Sovereignty on US Cloud Infrastructure

Use AWS, GCP, and Azure while keeping encryption keys under EU/UK jurisdiction. The cloud provider stores only ciphertext.

Open source · Kubernetes-native · Zero app changes

Secrets in etcd

Keys held by provider

Protection layers

<1m

Time to protect a workload

The Problem

Your EU/UK data is one court order away

EU and UK companies face a fundamental conflict when using US cloud providers.

Provider has full access to your data

Under the US CLOUD Act and FISA Section 702, US authorities can compel any US-headquartered cloud provider to hand over data — regardless of where it's stored. The provider holds the encryption keys, database credentials, and storage access.

⚠Provider holds encryption keys — SSE-S3, GCS CMEK, and Azure CMK all allow provider decryption

⚠Database credentials in K8s Secrets / etcd — base64-encoded, readable by anyone with cluster access

⚠Object storage — provider has full access to plaintext files, even with "encryption at rest"

⚠GDPR Articles 44-49 require adequate protection — EDPB recommends "effective technical supplementary measures"

Provider stores only ciphertext

CloudTaser implements what the EDPB calls "effective supplementary technical measures." The cloud provider physically cannot access your data in plaintext. A court order yields only ciphertext and no keys to decrypt it.

✓Encryption keys held in EU-jurisdiction OpenBao/Vault — you control the instance

✓Credentials injected into process memory — never written to disk, etcd, or K8s Secrets

✓S3 objects encrypted client-side before upload — provider stores only ciphertext

✓eBPF runtime enforcement — kernel-level prevention of secret leakage

Architecture

How It Works

A mutating admission webhook injects a lightweight sidecar into your pods. The sidecar authenticates to your EU-hosted vault, fetches secrets, and launches your application with secrets available only in process memory.

etcd secrets: 0 disk writes: 0 provider key access: none

EU Jurisdiction US Cloud Provider ┌────────────────────┐ ┌────────────────────┐ │ │ │ │ │ OpenBao / Vault │◄─mTLS─│ Managed Kubernetes │ │ (secrets at rest) │ │ │ │ │ │ ┌──────────────┐ │ └────────────────────┘ │ │ wrapper │ │ │ │ (memory only) │ │ │ │ │ │ │ │ │ application │ │ │ └──────────────┘ │ │ │ │ etcd: no secrets │ │ disk: no secrets │ └────────────────────┘

Protection

Three Layers of Defense

Each layer addresses a distinct attack vector. Together, they provide defense-in-depth that satisfies EDPB supplementary measures.

Layer 1

Secret Injection

Operator watches for annotated pods and injects the wrapper binary via init container. The wrapper authenticates to your EU vault using K8s service account tokens, fetches secrets, and launches your app with secrets in memory only.

✓memfd_secret kernel isolation

✓mlock prevents swap

✓Zero config via annotations

Layer 2

Client-Side Encryption

Transparent S3 proxy sits between your app and cloud storage. Data is encrypted with keys from your EU vault before reaching the provider. Per-object envelope encryption with transient DEKs. Zero application changes.

✓AES-256-GCM per object

✓Transient data encryption keys

✓S3-compatible API

Layer 3

eBPF Enforcement

DaemonSet deploys eBPF programs on every node. Kernel-level enforcement detects and prevents secret leakage through file writes, network exfiltration, core dumps, and process tracing at runtime.

✓kprobes + tracepoints

✓Core dump prevention

✓ptrace blocking

Get Started

Deploy in Under a Minute

Single Helm chart. Annotate your pods. Secrets are protected.

Deploy EU Vault

Set up OpenBao or HashiCorp Vault in an EU region under your control.

Install Operator

Single Helm chart deploys the operator, webhook, and eBPF agent.

Annotate Pods

Add cloudtaser.io/inject: "true" to your pod specs.

Done

Secrets are fetched from EU vault into process memory. Provider sees nothing.

Install via Helm

$ helm repo add cloudtaser https://charts.cloudtaser.io $ helm install cloudtaser cloudtaser/cloudtaser \ --set vault.address=https://vault.eu.example.com \ --set vault.role=cloudtaser

Comparison

CloudTaser vs Traditional Approaches

Capability	CloudTaser	K8s Secrets	External Secrets Operator	Vault Agent
Secrets bypass etcd	✓	✕	✕	✓
In-memory only (no disk)	✓	✕	✕	Partial
memfd_secret isolation	✓	✕	✕	✕
eBPF enforcement	✓	✕	✕	✕
Client-side S3 encryption	✓	✕	✕	✕
Zero app code changes	✓	✓	✓	Partial
EU jurisdiction keys	✓	✕	Depends	✓
Schrems II compliant	✓	✕	✕	Partial
Protection score	✓	✕	✕	✕

Target

Built for Regulated EU Enterprises

500-10,000 employees running production workloads on managed Kubernetes.

Primary

Financial Services

Banks, insurers, and payment processors subject to DORA, PSD2, and national financial regulators. Customer financial data must stay under EU jurisdiction.

Expanding

Healthcare

Hospitals, health-tech, and insurance carriers handling patient data under GDPR special category protections and national health data regulations.