v0.9.4-beta · Apache 2.0 · Rust
Open-source data loss prevention for SaaS apps. The scanning binary runs in your environment. Document content never crosses our boundary — only metadata. 5 connectors, 123 detectors, single binary, 10-minute setup.
No credit card for OSS. Team plan from $99/seat/month →
OAuth tokens live in your secret store. nanodlp reads them at scan time. We never see them.
Regex + proximity checks + mathematical validators (Luhn, MOD-97, Verhoeff). Not ML — fast, auditable, and predictable. Extensible via TOML pattern overlays.
AWS, GCP, Azure credentials. Access keys, service account JSON, storage keys.
GitHub PATs, Slack tokens, Stripe keys, Twilio, Sendgrid, and 25 more.
OpenAI, Anthropic, HuggingFace, Groq, Cohere, Mistral, Replicate, Together.
RSA, EC, OpenSSH, PGP, PKCS8, DSA, PuTTY private key blocks.
SSN, EIN, ITIN, phone, passport, driver's license, email address.
UK NIN, India Aadhaar + PAN, Brazil CPF + CNPJ, France INSEE, Germany, Canada SIN.
Credit cards (BIN + Luhn), IBAN (MOD-97), US bank routing, SWIFT BIC.
Bitcoin addresses, Ethereum addresses, WIF private keys.
Three pillars. Not a marketing claim — a technical contract you can verify by reading the source.
The open-source Rust binary runs inside your AWS account, your Azure tenant, your data center, or your laptop. It reads files from your SaaS apps via OAuth, runs detection locally, and discards the content. We never receive it.
The FindingsBatch we receive contains: document IDs, owner emails, pattern names, severity levels, match counts, and SHA-256 hashes of matched values. No matched values. No document text. No snippets. Verifiable in the source.
Every line of the data plane is on GitHub under Apache 2.0. Rebuild the binary yourself. Verify the SHA-256 matches our release. Run it in a network-isolated environment and inspect outbound traffic. We encourage this.
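The detection approach described above (regex candidates, proximity keywords, Luhn and MOD-97 validators) and the metadata-only FindingsBatch, as an added Python example that is not nanodlp's own code: the two regexes, the 40-character proximity window and the medium/critical severity rule are this example's assumptions, and the sample document is constructed.

```python
# Added example, not nanodlp's own code: a regex + proximity + validator detector of
# the kind the page describes, emitting findings that carry only metadata (pattern
# name, severity, match count, SHA-256 of the value), never the matched value itself.
import hashlib
import re

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")          # assumed candidate patterns
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7} ?[A-Z0-9]{1,4}\b")

def luhn_valid(candidate: str) -> bool:
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    # Double every second digit from the right; 10..18 folds to 1..9 via -9.
    total = sum(d if i % 2 == 0 else d * 2 - 9 * (d > 4) for i, d in enumerate(reversed(digits)))
    return total % 10 == 0

def mod97_valid(candidate: str) -> bool:
    s = "".join(c for c in candidate.upper() if c.isalnum())
    if not 15 <= len(s) <= 34:
        return False
    rem = 0
    for c in s[4:] + s[:4]:             # rotate, map A..Z to 10..35, reduce mod 97
        rem = (rem * (100 if c.isalpha() else 10) + int(c, 36)) % 97
    return rem == 1

def keyword_nearby(text, start, end, keywords, window=40):   # window is an assumption
    ctx = text[max(0, start - window):end + window].lower()
    return any(k in ctx for k in keywords)

DETECTORS = [  # (pattern name, regex, validator, proximity keywords)
    ("credit_card", CARD_RE, luhn_valid, ["card", "visa", "mastercard", "cvv"]),
    ("iban", IBAN_RE, mod97_valid, ["iban", "bank", "account"]),
]

def scan(doc_id: str, text: str) -> list:
    findings = {}
    for name, rx, validator, keywords in DETECTORS:
        for m in rx.finditer(text):
            if not validator(m.group()):
                continue                # checksum fails: not a finding at all
            digest = hashlib.sha256(m.group().encode()).hexdigest()
            f = findings.setdefault((name, digest), {"document_id": doc_id, "pattern": name,
                "severity": "medium", "match_count": 0, "value_sha256": digest})
            f["match_count"] += 1
            if keyword_nearby(text, m.start(), m.end(), keywords):
                f["severity"] = "critical"  # keyword in proximity raises severity
    return list(findings.values())

SAMPLE_DOC = ("Customer card 4111 1111 1111 1111 (Visa) on file. Refund to IBAN "  # constructed
              "GB82 WEST 1234 5698 7654 32. Charged card 4111 1111 1111 1111 again.")
```

Running `scan("doc-123", SAMPLE_DOC)` yields two findings whose only trace of the values is their hex digest; the 14-digit run inside the IBAN is a regex candidate that the Luhn stage discards.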
One binary. No agents. No Kubernetes. No professional services.
```sh
# 1. Install
curl -fsSL https://nanodlp.io/install.sh | sh

# 2. Authenticate to your SaaS apps
nanodlp auth google
nanodlp auth microsoft
nanodlp auth slack
nanodlp auth dropbox
nanodlp auth github

# 3. Run your first full scan
nanodlp scan --all

# 4. View results locally
nanodlp dashboard

# Output:
✓ Scanned 14,832 files across 5 connectors in 4m 12s
✓ Found 47 critical findings, 203 medium, 891 low
✓ Dashboard at http://localhost:7777
```
```sh
# Pull the official image
docker pull ghcr.io/nanodlp/nanodlp:latest

# Run with your secret store mounted
docker run -d \
  --name nanodlp \
  -v ~/.nanodlp:/home/nanodlp/.nanodlp \
  -p 7777:7777 \
  -e NANODLP_SECRET_BACKEND=vault \
  -e VAULT_ADDR=https://vault.internal:8200 \
  -e VAULT_TOKEN_FILE=/run/secrets/vault_token \
  ghcr.io/nanodlp/nanodlp:latest scan --schedule="0 2 * * *"

# View logs
docker logs -f nanodlp
```
```sh
# Install via Helm
helm repo add nanodlp https://charts.nanodlp.io
helm repo update
helm install nanodlp nanodlp/nanodlp \
  --namespace security \
  --create-namespace \
  --set secretBackend=aws-secrets-manager \
  --set schedule="0 2 * * *" \
  --set controlPlane.tenantId=YOUR_TENANT_ID

# Check status
kubectl get pods -n security
NAME                    READY   STATUS    RESTARTS   AGE
nanodlp-scanner-7f9b4   1/1     Running   0          2m
```
```toml
# nanodlp.toml — full example
[general]
tenant_id = "acme-corp"
schedule = "0 2 * * *" # daily at 2am UTC
log_level = "info"

[secret_backend]
type = "vault"
addr = "https://vault.internal:8200"
path = "secret/nanodlp"

[connectors]
enabled = ["google", "microsoft", "slack", "dropbox", "github"]

[connectors.github]
org = "acme-corp"
scan_all_branches = false # default branch only

[detectors]
# Override severity for a built-in detector
[[detectors.override]]
name = "email_address"
severity = "low" # was "medium"

# Add a custom detector
[[detectors.custom]]
name = "internal_employee_id"
pattern = "EMP-[0-9]{6}"
severity = "medium"
keywords = ["employee", "staff", "hr"]

[control_plane]
endpoint = "https://api.nanodlp.io"
# private key auto-generated at nanodlp init
```
The Team and Enterprise tiers auto-generate quarterly compliance reports. Because the data plane runs in your environment, we are not a HIPAA Business Associate — no BAA required.
```sh
$ nanodlp report --quarter=2026-Q1 --format=hitrust
Generating HITRUST i1 evidence package...
✓ Control 07.a — Asset inventory: 14,832 documents catalogued
✓ Control 09.ab — Monitoring: 47 critical findings detected, 47 remediated
✓ Control 09.aa — Audit logging: 2,847,291 scan events logged
✓ Control 01.a — Information security policy: policy bundle v2.4.1 applied
Report saved: hitrust-evidence-2026-Q1.pdf
SHA-256: 3a7f9c2e1b4d8f6a...
```
Compliance frameworks covered (Team/Enterprise):
The core question: does the vendor's scanning infrastructure process your document content? If yes, they're a subprocessor. If no, they're not.
| Tool | nanodlp | Microsoft Purview | Nightfall AI | Symantec DLP | Google Workspace DLP |
|---|---|---|---|---|---|
| Document content stays in your env | ✅ Yes | ❌ No | ❌ No | ❌ No | ❌ No |
| BAA required (HIPAA) | ❌ Not needed | ✅ Required | ✅ Required | ✅ Required | ✅ Required |
| Open source data plane | ✅ Apache 2.0 | ❌ | ❌ | ❌ | ❌ |
| Cross-SaaS coverage (5+ apps) | ✅ | ❌ M365 only | ✅ | ✅ | ❌ Google only |
| Time to first scan | 10 minutes | Days (E5 setup) | Hours | Weeks | Hours |
| OSS pricing | Free forever | Bundled with E5 | Per-event | Enterprise contract | Bundled with Workspace |
| Runs air-gapped | ✅ | ❌ | ❌ | Partial | ❌ |
We'd rather tell you now than have you discover it after a two-week evaluation.
nanodlp scans and alerts. It does not intercept file uploads or block sharing in real time. If you need inline DLP enforcement, you need a proxy-based tool (and we'll tell you which ones).
Detection is regex + proximity + validators. This is fast and auditable but won't catch "confidential" documents without structured patterns. If you need ML classification, Nightfall or BigID may be better fits.
nanodlp scans SaaS apps, not local machines. It won't catch data on USB drives or local file systems. For endpoint DLP, you need a different product category.
Gmail and Outlook message bodies are not scanned in V1. Attachments uploaded to Drive or SharePoint are covered. Native email scanning is on the roadmap for V2.
Pay for the hosted control plane when you need multi-org dashboards, alerting, and compliance reporting.