Sovereign DataVault is built for environments where data security is a legal obligation, not a product feature. Every encryption key is hardware-anchored. Every access is audited. And the platform already implements the post-quantum algorithms that regulators are beginning to require.
Sovereign DataVault's pluggable crypto layer supports every major key management approach — from software-based AES-GCM to full FIPS-validated HSM integration. All providers implement the same interface; switching is a configuration change, not a code change. Key rotation triggers a rewrap migration that re-encrypts all DEKs without touching the data.
Software-based authenticated encryption. All keys are derived via HKDF from the master ENCRYPTION_KEY. The nonce is 12 random bytes (os.urandom); the authentication tag is 128 bits. Envelope format: v2|p=aesgcm_256|k=<kid>|a=AES-256-GCM|<payload>.
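As an added example (not Sovereign DataVault's own code), the following builds and opens envelopes in the documented layout with an HKDF-derived per-key-id DEK and a 12-byte random nonce; the payload encoding (base64 of nonce||ciphertext||tag), the HKDF info label, and the use of the header as AES-GCM associated data are assumptions, chosen so that tampering with the k= or a= fields is rejected along with tampering with the ciphertext.

```python
# Added example: envelope encryption in the v2|p=aesgcm_256|k=<kid>|a=AES-256-GCM|<payload>
# layout. Requires the 'cryptography' package for AES-GCM; HKDF is implemented with stdlib.
import base64
import hashlib
import hmac
import os

from cryptography.hazmat.primitives.ciphers.aead import AESGCM

ALG = "AES-256-GCM"


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand)."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for i in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def dek_for(master_key: bytes, kid: str) -> bytes:
    # One 256-bit DEK per key id, derived from the master ENCRYPTION_KEY (info label is assumed).
    return hkdf_sha256(master_key, b"sdv-dek:" + kid.encode())


def seal(master_key: bytes, kid: str, plaintext: bytes) -> str:
    header = f"v2|p=aesgcm_256|k={kid}|a={ALG}"
    nonce = os.urandom(12)  # 96-bit random nonce, as documented
    # The header is bound to the ciphertext as AAD (assumption), so edits to it fail the tag.
    ct = AESGCM(dek_for(master_key, kid)).encrypt(nonce, plaintext, header.encode())
    return header + "|" + base64.b64encode(nonce + ct).decode()


def open_envelope(master_key: bytes, envelope: str) -> bytes:
    """Parse the header strictly; any field mismatch or tag failure raises."""
    parts = envelope.split("|", 4)
    if len(parts) != 5 or parts[0] != "v2" or parts[1] != "p=aesgcm_256":
        raise ValueError("unsupported envelope header")
    if not parts[2].startswith("k=") or parts[3] != f"a={ALG}":
        raise ValueError("unsupported key id or algorithm field")
    kid = parts[2][2:]
    header = "|".join(parts[:4])
    raw = base64.b64decode(parts[4], validate=True)
    nonce, ct = raw[:12], raw[12:]  # ct carries the 16-byte tag at its end
    return AESGCM(dek_for(master_key, kid)).decrypt(nonce, ct, header.encode())
```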
Connects to any PKCS#11 v2.40+ HSM. Supports Thales Luna, Entrust nShield, AWS CloudHSM, YubiHSM, and SoftHSM2 (dev). AES-GCM operations run entirely inside the HSM. Key material never leaves the hardware boundary.
ML-KEM-768 + X25519 (X-Wing KEM combiner) for encryption. ML-DSA-65 + Ed25519 for signatures — both signatures must verify. Defends against harvest-now-decrypt-later attacks, the threat behind the post-quantum transition called for by PCI DSS 4.0.1, DORA, and NIST IR 8547.
NIST SP 800-38G Format-Preserving Encryption. Encrypt PAN, Aadhaar, national IDs, phone numbers, account numbers — the ciphertext has the same format and length as the plaintext. Downstream systems require no schema changes.
AWS Key Management Service integration for organisations running workloads in AWS. Customer master keys remain in AWS KMS; data encryption keys are wrapped/unwrapped via the KMS API and never persisted unwrapped.
Azure Key Vault integration with Managed HSM support. Entra ID authentication. Supports RSA and EC key types. Ideal for organisations standardised on Microsoft Azure with a need for compliant key management.
Google Cloud KMS integration for GCP-based deployments. Key ring and key version management with automatic rotation scheduling. Supports CMEK (Customer Managed Encryption Keys) patterns.
Vault Transit secrets engine for on-premises key management. AES-GCM key wrapping with named key versioning. Vault HA deployment with snapshot/restore and auto-unseal via HSM or cloud KMS.
OpenSSL 3.x with the FIPS module enabled. For regulated environments that mandate FIPS 140-2 validated cryptographic primitives at the OS level, without deploying a hardware HSM.
Data governance in Sovereign DataVault is not a reporting feature — it is a runtime enforcement layer. Every query, every restore, every export passes through the governance engine before data is returned. Masking rules, classification policies, and access decisions are evaluated in milliseconds.
Define data classifications with default encryption algorithm, masking mode, and masking config per class. Classifications cascade from a global system taxonomy; organisations can create shadow overrides without touching the global definition.
The masking engine intercepts every data retrieval from Trino and PostgreSQL via the governance decide endpoint. The response specifies the masking mode; the engine applies it transparently before data reaches the caller.
Define canonical business terms with descriptions, owners, and linked classifications. The glossary powers AI query context — helping the model understand domain language when generating SQL.
Apply legal holds to specific archives or record sets. Held archives cannot be decommissioned or purged, regardless of retention policy. Holds are audited with requester, reason, and timestamp.
Security Data Roles map roles to allowed schemas and tables. Pending access requests flow through an approvals queue — users see only what they are authorised for, and no more.
Configure retention periods per archive or per table category. When retention expires, a decommission workflow is triggered — with approval gates and notification to affected stakeholders.
Configurable notification templates alert administrators and data owners when archives approach expiry. Pending decommissions appear in the control plane dashboard with one-click approve/defer actions.
Organise tables into logical categories (e.g. FINANCIAL, PII, OPERATIONAL). Categories drive access request workflows — users request access to a category, not individual tables.
The DSAR module implements Article 15 (access) and Article 17 (erasure) of GDPR — and equivalent provisions in DORA, PDPA, and other data protection regulations. A 3-phase automated search finds data subjects across both structured and unstructured archives simultaneously.
LEGAL_COMPLIANCE or COMPLIANCE_OFFICER role creates the DSAR with subject identifier (email, national ID, account number). Deadline tracking and SLA breach alerts are built in.
Phase 1: NER-indexed entity lookup (fast, exact match). Phase 2: SQL query over structured archives. Phase 3: Semantic vector search over unstructured documents. All phases run in parallel.
Every match is surfaced with provenance — which archive, which table or document, which field, and the matched entity value (masked). Compliance officer reviews before acting.
Apply erasure (remove records) or redaction (null/mask fields) in-place across structured and unstructured archives. Every action is written to the DSAR audit log and forwarded to SIEM.
Every erasure or redaction records: who requested it, who approved it, which records were affected, what the erasure method was, and when it was executed. The audit entry itself cannot be modified or deleted.
Every administrative action, data access, job execution, and configuration change is written to an append-only audit table. Each row includes a cryptographic hash of the previous row — forming a chain that cannot be silently modified. Audit Viewer role provides read-only access to compliance teams without any ability to mutate data.
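The hash-chained audit table described above, as an added example that is not the product's code: each row stores the SHA-256 of the previous row's hash plus its own canonical body, and a verifier walks the chain and reports the first row that was altered, removed, or inserted. The row fields are an assumption.

```python
# Added example: append-only audit rows chained by SHA-256, with a verifier
# that locates the first row where the chain no longer holds.
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first row


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON so the same event always produces the same hash.
    material = prev_hash + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(material.encode()).hexdigest()


class AuditChain:
    def __init__(self):
        self.rows = []

    def append(self, actor: str, action: str, target: str, ts: str) -> dict:
        body = {"seq": len(self.rows), "actor": actor, "action": action,
                "target": target, "ts": ts}
        prev = self.rows[-1]["hash"] if self.rows else GENESIS
        row = {**body, "prev_hash": prev, "hash": _digest(prev, body)}
        self.rows.append(row)
        return row


def verify(rows) -> int:
    """Return -1 if the chain is intact, otherwise the index of the first bad row."""
    prev = GENESIS
    for i, row in enumerate(rows):
        body = {k: v for k, v in row.items() if k not in ("prev_hash", "hash")}
        if row["prev_hash"] != prev or row["seq"] != i or _digest(prev, body) != row["hash"]:
            return i
        prev = row["hash"]
    return -1
```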
The built-in SIEM forwarder pushes every audit event to your security operations platform in real time. Supports UDP, TCP, and TLS syslog transports. CEF and JSON formats. Configurable facility and severity mapping. Per-target cursor tracking ensures no events are lost on restart. One-click backfill to replay historical events to a new SIEM target.
Sovereign DataVault generates and stores a Software Bill of Materials (SBOM) for each deployed version. The Security Health page shows posture chips for each component, attestation badges, and a full SBOM viewer. Aligned with NIST SSDF and Executive Order 14028 requirements for software supply chain transparency.
Every archive decommission goes through a controlled workflow: retention check, legal hold check, notification to stakeholders, approval gate, and final purge — all logged. The decommission registry provides a permanent record of what was destroyed, when, and with whose authority.
bcrypt-hashed passwords with configurable complexity requirements. Account lockout after 5 failed attempts (15-minute cooldown). Forced password change on first login.
TOTP-based MFA (RFC 6238) compatible with standard authenticator apps. TOTP secret envelope-encrypted at rest — never stored plaintext. Backup codes (bcrypt-hashed, then envelope-encrypted — two-layer protection).
Hardware security keys (YubiKey, Titan Key, etc.) and platform authenticators (Touch ID, Windows Hello). WebAuthn registration and assertion fully implemented. Resistant to phishing.
OAuth2 + OIDC integration with Microsoft Entra (Azure AD). Users authenticated via Entra can access Sovereign DataVault with their corporate credentials. Entra Object ID is the immutable identity anchor.
On-premises Active Directory integration via LDAP/LDAPS. Group-based role assignment. Supports multi-domain environments with configurable search base and bind credentials.
Just-in-time credential generation for Stratum agent connections — short-lived, scoped, and automatically rotated. Never long-lived shared secrets stored on Stratum nodes.
Five built-in system roles define the permission boundary for each user type. Custom roles extend the model with granular permission trees that control access down to individual menu items, tabs, and API endpoints.
Custom roles extend the built-in model with permission path strings that control access at the top-nav, sub-menu, and tab level. Examples: MANAGE.MetaDB.Backup & Restore, ARCHIVE.LVS Archive, STRATUM. Org admins define and assign custom roles within their organisation — system admins enforce the outer boundary.