CloudLock is the egress mirror of CloudGate. Where CloudGate inspects what enters your environment, CloudLock controls what leaves — scanning for sensitive data, enforcing approval policies, and delivering an immutable audit trail for every release.
Organisations spend enormous effort controlling what comes in — firewalls, CloudGate, VPN. Almost nobody has equivalent controls on what leaves. Data exits through a dozen informal channels every day: SFTP uploads, S3 copies, email attachments, CI pipeline artefacts. None of it is inspected, approved, or recorded.
A data scientist exports a CSV to share with an external partner. A pipeline copies model outputs to an S3 bucket. A developer sends a log file to a consultant. These happen dozens of times a day. Nobody knows if any of those files contained personal data, credentials, or information that shouldn't have left. There is no record they happened at all.
GDPR, HIPAA, PCI-DSS, and ISO 27001 all require you to demonstrate control over where personal data goes. When an auditor asks "show me every transfer of customer data in the last 12 months and who approved each one," the honest answer for most organisations is a spreadsheet that someone assembled after the fact. That is not a compliance posture. It is a liability.
Perimeter security stops external attackers. It does nothing about the legitimate user who copies a customer database to their personal cloud storage before resigning, or the pipeline that silently leaks training data to an external endpoint. The threat model for regulated data is overwhelmingly internal — and most environments have zero egress visibility to detect it.
Every egress request passes through the same four-stage pipeline regardless of source, destination, or file type. The result is binary: it exits through a verified, logged channel — or it doesn't exit at all.
Files, datasets, and artefacts are submitted to CloudLock before leaving — from a Backstage self-service form, a CLI command, or an automated pipeline hook. Nothing goes directly to an external destination. CloudLock is the only egress path.
The file is scanned by the data loss prevention engine — PII detection, credential patterns, classification labels, internal IP ranges, source code, and AI-powered sensitive content analysis. Findings are categorised by severity. Clean files proceed automatically. Findings are flagged for review or trigger an automatic block, depending on policy.
Requests that pass DLP but require human sign-off are routed to configured approvers via Backstage and — optionally — Slack or email. Approvers see the DLP report, the requester's stated purpose, the destination, and the file contents summary. One-click approve or reject with a mandatory reason. Policy determines which requests require approval and who can give it.
Approved files are delivered through a verified channel — SFTP, S3, HTTPS webhook, or signed download link — with a cryptographic receipt attached. The release event is written to an immutable audit log with the full DLP report, approver identity, timestamp, destination hash, and file checksum. The requester receives a confirmation with the receipt. The record cannot be altered or deleted.
no-pii-to-external-sftp. Requester notified.
Pattern-matching catches obvious PII. CloudLock's DLP engine goes further — understanding the semantic meaning of data, not just its format. A column called "ref_id" containing NI numbers looks like an identifier until you read the values.
ref_id contains UK NI numbers despite non-descriptive column name. Destination is external SFTP — policy blocks NI numbers leaving regulated boundary.
contact column contains personal email addresses. Classified as personal data under GDPR Article 4. External transfer requires explicit consent record — none found.
postcode column. Redactable — not required for stated analytical purpose. Auto-redaction available if block policy is overridden by approver.
churn_prob, segment) contain no PII and could be released independently. Consider requesting a filtered export.
Names, emails, phone numbers, NI numbers, NHS numbers, passport numbers, dates of birth, IP addresses, device identifiers. Detected by value pattern and semantic context — not just column name. Catches PII hiding in badly named columns.
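Detection by value rather than by column name can be sketched as follows. This is an added example, not CloudLock's code: the two patterns, the 0.8 match threshold and the sample rows are assumptions made for illustration, and it covers only the value-pattern half of the description, not semantic analysis.

```python
import csv
import io
import re

# Value patterns assumed for this sketch; a production engine carries many more.
PATTERNS = {
    # UK NI number: two prefix letters (restricted sets), six digits, suffix A-D.
    "uk_ni_number": re.compile(
        r"^(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
        r"\d{6}[A-D]$"
    ),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

def normalise(value):
    """Trim emails; strip the spacing people add to NI numbers ('AB 12 34 56 C')."""
    if "@" in value:
        return value.strip()
    return re.sub(r"\s+", "", value).upper()

def scan_columns(csv_text, threshold=0.8):
    """Return {column: pattern_name} for every column whose non-empty values
    match a pattern at or above `threshold`. Header names are never consulted."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    findings = {}
    for column in (rows[0].keys() if rows else []):
        values = [normalise(r[column] or "") for r in rows]
        values = [v for v in values if v]
        if not values:
            continue
        for name, pattern in PATTERNS.items():
            hits = sum(1 for v in values if pattern.match(v))
            if hits / len(values) >= threshold:
                findings[column] = name
                break
    return findings

# Constructed sample export: the header names give no hint of the content.
SAMPLE = """ref_id,contact,churn_prob,segment
AB123456C,jo@example.com,0.12,retail
ce 65 43 21 d,sam@example.org,0.87,smb
HJ112233A,lee@example.net,0.40,retail
"""

if __name__ == "__main__":
    for column, kind in scan_columns(SAMPLE).items():
        print(f"{column}: {kind}")
```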
API keys, private keys, database connection strings, AWS access keys, JWT tokens, and password patterns detected across CSV, JSON, PDF, and binary formats. A model export containing a hardcoded secret is blocked before it reaches the partner.
Respects data classification labels applied by DataHub or manual tagging. A dataset marked CONFIDENTIAL cannot be released to an external destination regardless of DLP findings. Policy and classification work together.
Where policy allows, CloudLock can automatically redact identified sensitive fields and release the cleaned version — without requiring the requester to manually scrub the data first. Redactions are logged and the original is retained internally.
Detects source code, internal architecture diagrams, internal hostnames and IP ranges, and proprietary schema definitions leaving the environment. Catches the accidental export of internal tooling and infrastructure details to external parties.
CloudLock's policy engine is declarative and human-readable. Your data governance team defines what can leave, where it can go, under what conditions, and who can approve exceptions — without writing code or raising infrastructure tickets.
Compliance posture is only as good as the evidence you can produce. CloudLock generates it automatically — not a spreadsheet assembled after the fact, but an immutable, cryptographically signed record of every egress event.
Every release, block, and redaction event is written to an append-only log in MinIO with a cryptographic hash chain. Individual records cannot be altered or deleted without detection. The log is the evidence.
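How a hash chain makes alteration or deletion detectable, as an added example that is not CloudLock's code: the record layout, the genesis value and the sample events are assumptions, and storage in MinIO is left out.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value preceding the first record

def record_hash(prev_hash, event):
    """SHA-256 over the previous record's hash plus the canonical event JSON."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append(log, event):
    """Append an event, linking it to the current head of the chain."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": record_hash(prev, event)})
    return log[-1]["hash"]

def verify(log, expected_head=None):
    """Return None if intact, else the index of the first broken link.
    len(log) means the chain is self-consistent but does not end at
    expected_head, i.e. records were dropped from the tail."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["event"]):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

def sample_log():
    """Constructed events covering the three event types named above."""
    log = []
    for event in (
        {"type": "release", "file_sha256": "placeholder-1", "approver": "alice"},
        {"type": "block", "file_sha256": "placeholder-2", "policy": "no-pii-to-external-sftp"},
        {"type": "redaction", "file_sha256": "placeholder-3", "fields": ["postcode"]},
    ):
        append(log, event)
    return log

if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]
    print("intact:", verify(log, head))
    log[1]["event"]["policy"] = "allow-all"  # in-place edit of a stored record
    print("after edit, first bad index:", verify(log, head))
```

The chain alone exposes edits and mid-chain deletions; removing records from the tail is only caught when the verifier holds a head hash recorded somewhere the log writer cannot change.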
Every released file comes with a cryptographically signed receipt — file checksum, DLP report summary, approver identity, timestamp, and destination. Recipients can verify the receipt against CloudLock's public key.
One-click generation of GDPR Article 30 records of processing, PCI-DSS data transfer logs, and ISO 27001 evidence packs covering any time window. Formatted for auditors, not engineers.
Unusual egress patterns — a user transferring 10× their normal data volume, a new external destination appearing, a pipeline exfiltrating data outside business hours — trigger alerts to your security team before they become incidents.
CloudGate controls what enters. CloudLock controls what leaves. Together with Cloudyard managing what runs inside, you have complete, auditable control over every boundary in your regulated environment.
CloudGate inspects every artefact before it enters your cluster. Cloudyard provides the self-service platform where your engineers build and run workloads. CloudLock ensures nothing leaves without DLP inspection, policy enforcement, and an auditable approval record. The three products share your OIDC identity, your MinIO storage, and your Grafana observability stack — no separate deployments, no separate user management, no gaps between them.
Basic egress logging and DLP scanning are open source. Subscribe for the full policy engine, compliance reporting, anomaly detection, and SLA-backed support.
CloudLock is in private development. If you operate in a regulated or air-gapped environment and have a data egress problem, we'd like to talk to you — especially if you're already running Cloudyard or CloudGate.