Real-World Data Sovereignty Scenarios
From secret injection to client-side encryption, CloudTaser addresses the specific regulatory challenges EU enterprises face when using US cloud providers.
EU Data on US Cloud Infrastructure
The CLOUD Act, Schrems II ruling, and FISA Section 702 create a fundamental conflict for EU companies using US cloud providers. CloudTaser resolves it with cryptographic guarantees.
The Legal Conflict
Under the US CLOUD Act (2018), US authorities can compel any US-headquartered cloud provider to hand over customer data, regardless of where it is physically stored. The Schrems II ruling (2020) invalidated the Privacy Shield framework, and FISA Section 702 enables warrantless surveillance of non-US persons. EU companies using AWS, GCP, or Azure face an irreconcilable conflict between US and EU law.
Step-by-Step Deployment
Deploy EU Vault
Set up OpenBao or HashiCorp Vault in an EU region under your control. This is the root of trust for all secrets and encryption keys.
Install via Helm
A single Helm chart deploys the CloudTaser operator, mutating admission webhook, and eBPF enforcement agent to your cluster.
Annotate Workloads
Add cloudtaser.io/inject: "true" and specify vault paths. No application code changes required.
Secrets in Memory
The wrapper binary fetches secrets from your EU vault and launches your app with secrets available only in process memory.
Who Benefits Most
Financial Services
Banks, insurers, and payment processors subject to DORA, PSD2, and national financial regulators. Customer financial data and transaction records must stay under EU jurisdiction. CloudTaser ensures credentials for payment gateways, trading systems, and core banking never touch the cloud provider.
Healthcare
Hospitals, health-tech startups, and insurance carriers handling patient data under GDPR special category protections and national health data regulations. Database credentials for EHR systems, lab results, and diagnostic imaging are protected in memory.
SaaS & Government
B2B SaaS companies serving EU customers who require contractual data residency guarantees, and government digital services processing citizen data. CloudTaser provides the technical measures needed to satisfy procurement requirements.
Client-Side S3 Encryption
Server-side encryption (SSE-S3, SSE-KMS) leaves the cloud provider with access to your encryption keys. A court order or insider threat can decrypt everything.
The Problem with Server-Side Encryption
AWS SSE-S3, GCS CMEK, and Azure CMK all perform encryption at the provider side. The provider generates, stores, and manages the keys. "Encryption at rest" is a compliance checkbox, not a security boundary. The provider can decrypt your data at any time.
Envelope Encryption with Transient DEKs
CloudTaser S3 Proxy sits between your application and cloud storage as a transparent proxy. For each object, it generates a unique Data Encryption Key (DEK), encrypts the object with AES-256-GCM, wraps the DEK with a Key Encryption Key (KEK) from your EU vault, and uploads only ciphertext. The DEK is transient and never persisted. The KEK never leaves your EU vault.
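The envelope scheme described above, as an added Node.js example (not CloudTaser's code). LocalVault is a hypothetical in-process stand-in for the EU vault's wrap and unwrap operations; the function names, the blob layout and the use of the object key as additional authenticated data are assumptions of this example.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// AES-256-GCM with a random 96-bit nonce. Layout (assumed): nonce || tag || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce).setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]);
}

// Throws if the key, the AAD or any byte of the blob does not match.
function open(key, blob, aad) {
  if (blob.length < 28) throw new Error('truncated blob');
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28)).setAAD(aad);
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Hypothetical in-process stand-in for the EU vault: the KEK is private to it and
// callers only ever get wrapped or unwrapped DEKs back.
class LocalVault {
  #kek = randomBytes(32);
  wrap(dek, aad) { return seal(this.#kek, dek, aad); }
  unwrap(wrapped, aad) { return open(this.#kek, wrapped, aad); }
}

// Write path: fresh DEK per object, object key bound in as AAD (assumed design),
// plaintext DEK overwritten once the envelope is built.
function encryptObject(vault, objectKey, plaintext) {
  const aad = Buffer.from(objectKey);
  const dek = randomBytes(32);
  try {
    return { wrappedDek: vault.wrap(dek, aad), ciphertext: seal(dek, plaintext, aad) };
  } finally {
    dek.fill(0);
  }
}

// Read path: the stored envelope is useless without a vault that holds the KEK.
function decryptObject(vault, objectKey, envelope) {
  const aad = Buffer.from(objectKey);
  const dek = vault.unwrap(envelope.wrappedDek, aad);
  try {
    return open(dek, envelope.ciphertext, aad);
  } finally {
    dek.fill(0);
  }
}
```

Overwriting the Buffer clears only this function's copy of the DEK; key copies held inside the crypto library are outside its reach.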
Provider Sees Only Ciphertext
A CLOUD Act subpoena against your cloud provider yields encrypted blobs and wrapped key material. Without access to your EU-hosted vault, the data is cryptographically useless. This is what the EDPB calls an "effective supplementary technical measure."
Securing AI Agents
As AI agents gain access to tools and execute code, they become a new vector for secret exfiltration. Malicious or compromised agent skills can steal API tokens, SSH keys, and database credentials.
Agent Skills as Attack Vectors
AI agents with tool-use capabilities execute third-party "skills" or "plugins" that have access to the agent's runtime environment. A malicious skill can read environment variables containing API keys, scan the filesystem for SSH keys and credentials files, exfiltrate secrets over network connections, or dump process memory. Traditional secrets management stores credentials in environment variables or files — exactly where a compromised agent skill would look.
Secrets Never in Reach
CloudTaser keeps secrets in kernel-isolated memory (memfd_secret), inaccessible through environment variables or the filesystem. eBPF enforcement prevents unauthorized network exfiltration and core dumps. Agent skills never see the actual credentials.
Regulatory Landscape
A timeline of the regulatory events that make technical data sovereignty measures essential for EU enterprises.
| Year | Event | Impact | Status |
|---|---|---|---|
| 2018 | US CLOUD Act enacted | US authorities can compel US-headquartered providers to hand over data regardless of storage location | Active |
| 2018 | GDPR enforcement begins | Articles 44-49 restrict international data transfers; up to 4% global revenue fines | Active |
| 2019 | FISA Section 702 reauthorized | Warrantless surveillance of non-US persons' communications continues | Active |
| 2020 | Schrems II ruling (CJEU C-311/18) | Invalidated Privacy Shield; requires "effective supplementary measures" for US transfers | Active |
| 2021 | EDPB Supplementary Measures guidance | Recommends encryption where provider cannot access keys as a valid technical measure | Active |
| 2023 | EU-US Data Privacy Framework adopted | New adequacy decision, but challenged by NOYB; legal experts expect "Schrems III" | Challenged |
| 2023 | NIS2 Directive transposition deadline | Expanded cybersecurity obligations for essential and important entities across EU | Active |
| 2024 | DORA enters force | Digital Operational Resilience Act requires financial entities to manage ICT third-party risk | Active |
| 2024 | FISA Section 702 expanded | Broader definition of "electronic communications service provider" increases surveillance scope | Active |
| 2024 | Danish DPA: Google Workspace ban | Danish municipalities ordered to stop using Google Workspace due to transfer risks | Active |
| 2025 | NOYB files DPF challenges | Formal complaints challenge the Data Privacy Framework adequacy decision | Pending |
| 2025 | EU AI Act obligations begin | High-risk AI systems require data governance measures including data residency considerations | Active |
Framework Mapping
How CloudTaser features map to the specific requirements of major compliance frameworks.
| Framework | Requirement | CloudTaser Feature |
|---|---|---|
| GDPR (Arts. 25, 32, 44-49) | Data protection by design; appropriate technical measures for international transfers | Client-side encryption, EU-jurisdiction key management, in-memory secret handling |
| NIS2 (Art. 21) | Cryptography and encryption policies; supply chain security; incident handling | AES-256-GCM encryption, Cosign image signing, SBOM generation, eBPF audit trail |
| DORA (Arts. 6-12) | ICT risk management; third-party provider risk; encryption of data in transit and at rest | Client-side encryption independent of cloud provider, mTLS token delivery, protection score |
| PCI DSS (Req. 3, 4, 8) | Protect stored cardholder data; encrypt transmission; strong access controls | memfd_secret isolation, no-disk secret handling, Kubernetes RBAC integration, audit logging |
| ISO 27001 (A.8, A.10) | Asset management; cryptographic controls; key management | Centralized EU vault, envelope encryption, key rotation, secret lifecycle management |
| SOC 2 (CC6, CC7) | Logical access controls; system operations monitoring | eBPF runtime enforcement, Prometheus metrics, core dump prevention, ptrace blocking |