The scanning engine runs entirely in your environment. Document content never crosses our boundary — only metadata findings reach the cloud. Open-source, single binary, 10-minute setup.
Connecting to the apps your team already uses
Traditional DLP tools require you to route all your data through a vendor's cloud. nanodlp flips the model — the scanner lives in your environment, and only cryptographic metadata ever leaves.
Document content never crosses our network boundary. We receive only hashed metadata — file IDs, owner, pattern type, severity, and a SHA-256 of the matched value.
Written in Rust with a custom document parser. No JVM, no garbage collection pauses. Scans tens of thousands of files in minutes on a single CPU core.
Single binary. No Kubernetes, no agents to manage, no professional services engagement. Connect your first SaaS app and see findings in under 10 minutes.
Apache 2.0 licensed. Read every line of code that touches your data. No black-box ML models, no opaque vendor decisions. Audit it, fork it, extend it.
Every detector is a named regex with optional proximity keywords and a mathematical validator. No ML black boxes. Override or extend any built-in pattern via a TOML overlay file.
HIPAA, PCI-DSS, GDPR, SOC 2, and HITRUST evidence packages generated automatically. Quarterly compliance reports with zero manual effort.
Most DLP vendors say "we protect your data" while routing it through their cloud. nanodlp makes an architectural guarantee: document content is discarded before the network call.
Regex + proximity checks + mathematical validators (Luhn, MOD-97, Verhoeff). Not ML — fast, auditable, and predictable. Extend with TOML overlays, no recompilation needed.
AWS, GCP, Azure keys and tokens. Validated against known entropy thresholds.
GitHub, Slack, Stripe, Twilio, SendGrid and dozens more. Format-validated.
OpenAI, Anthropic, HuggingFace, Groq, Mistral, Cohere and more.
RSA, EC, OpenSSH, PGP, PKCS8, DSA, PuTTY private key formats.
SSN, EIN, ITIN, phone, passport, driver's license, email address.
UK NIN, India Aadhaar/PAN, Brazil CPF/CNPJ, France INSEE, Germany, Canada SIN.
Credit cards (BIN + Luhn), IBAN (MOD-97), bank routing numbers, SWIFT/BIC.
Bitcoin addresses, Ethereum addresses, WIF private keys.
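As an added example (not nanodlp's own code), here is how a detector of the kind described above can be built in Python: a named regex, optional proximity keywords, a mathematical validator (Luhn for card PANs, MOD-97 for IBANs), and a finding record that carries only file ID, owner, pattern, severity and the SHA-256 of the matched value, never the document content. The detector names, keywords, severities, window size and sample document are constructed for illustration.

```python
import hashlib
import re

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum for card PANs: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mod97_ok(iban: str) -> bool:
    """ISO 7064 MOD-97: rotate the first four chars to the end, map A..Z to 10..35, result must be 1 mod 97."""
    return int("".join(str(int(c, 36)) for c in iban[4:] + iban[:4])) % 97 == 1

def hash_value(value: str) -> str:
    """Only this digest leaves the environment, never the matched text itself."""
    return hashlib.sha256(value.encode()).hexdigest()

DETECTORS = [  # name, severity, regex, validator, proximity keywords (empty = not required)
    ("credit_card", "critical", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), luhn_ok, ("card", "visa", "amex")),
    ("iban", "medium", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), mod97_ok, ()),
]
WINDOW = 40  # characters inspected on each side of a match for proximity keywords (assumed value)

def scan(text: str, file_id: str, owner: str) -> list:
    """Return metadata-only findings: file id, owner, pattern, severity and SHA-256 of the value."""
    findings = []
    for name, severity, pattern, validator, keywords in DETECTORS:
        for m in pattern.finditer(text):
            value = re.sub(r"[ -]", "", m.group(0))          # normalise separators before validating
            if not validator(value):
                continue                                     # regex hit, but the checksum failed
            ctx = text[max(0, m.start() - WINDOW):m.end() + WINDOW].lower()
            if keywords and not any(k in ctx for k in keywords):
                continue                                     # no supporting keyword nearby
            findings.append({"file_id": file_id, "owner": owner, "pattern": name,
                             "severity": severity, "value_sha256": hash_value(value)})
    return findings

# Constructed sample document (not real data): a Luhn-valid PAN next to "card", a
# Luhn-invalid PAN, a valid IBAN, and a valid PAN with no supporting keyword nearby.
SAMPLE = ("Customer card on file: 4111 1111 1111 1111 (expires 12/28).\n"
          "Invoice ref 4111 1111 1111 1112 is a card too.\n"
          "Wire to GB82WEST12345698765432 by Friday.\n"
          "Tracking 4111111111111111 ships Monday.\n")

if __name__ == "__main__":
    print(scan(SAMPLE, "drive://constructed/ledger.xlsx", "alice@example.com"))
```

Only two of the four candidates survive: the Luhn-invalid PAN fails the validator and the last PAN has no keyword within the window, and the emitted records contain a digest rather than the matched digits.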
Single binary. No dependencies. No Kubernetes. No professional services.
```sh
# 1. Install
curl -sSf https://get.nanodlp.io | sh

# 2. Authenticate your first connector
nanodlp auth google-drive

# 3. Run a scan
nanodlp scan --connector google-drive

# Output:
✓ Scanned 14,832 files across all connectors in 4m 12s
✓ Found 47 critical findings, 203 medium, 891 low
✓ Dashboard at http://localhost:7777
```
```sh
docker run --rm \
  -v ~/.nanodlp:/config \
  -v /var/run/docker.sock:/var/run/docker.sock \
  ghcr.io/nanodlp/nanodlp:latest \
  scan --connector google-drive
```

Note that mounting /var/run/docker.sock gives the container control of the host's Docker daemon; include that mount only if your deployment actually needs it.
```sh
helm repo add nanodlp https://charts.nanodlp.io
helm install nanodlp nanodlp/nanodlp \
  --set connector.googleDrive.enabled=true \
  --set secrets.existingSecret=nanodlp-creds
```
```toml
# nanodlp.toml
[connectors.google_drive]
enabled = true
credential_file = "/run/secrets/gdrive_token"

[scan]
schedule = "0 2 * * *"   # daily at 2am
severity_threshold = "medium"

[output]
endpoint = "https://app.nanodlp.io/ingest"
api_key_env = "NANODLP_API_KEY"
```
Continuous scanning means your compliance evidence is always current. Generate auditor-ready reports in one command.
```text
HIPAA §164.312(a)(2)(iv) — Encryption / Decryption
Status: PASS
Finding: 0 unencrypted PHI fields in transit (all connectors use TLS 1.3)
Evidence: scan_run_id=sr_20260430_0200, connector=google-drive, files_scanned=14832

PCI-DSS Req 3.3 — Sensitive Authentication Data
Status: FAIL — ACTION REQUIRED
Finding: 3 files contain full PAN data (unmasked)
Files: drive://Finance/Q1-2026/card-export.xlsx (owner: alice@example.com)
Remediation: nanodlp remediate --finding-id f_8821a3
```
We win on privacy architecture, speed, and cost. We lose on breadth of integrations and enterprise support. Here's the full picture.
| Capability | nanodlp | Nightfall AI | Microsoft Purview | Symantec DLP |
|---|---|---|---|---|
| Data plane in customer env | ✓ | ✗ | ✗ | Partial |
| Open source | ✓ | ✗ | ✗ | ✗ |
| Setup time | 10 min | Hours | Days–weeks | Weeks |
| Scanning speed | 21× faster | Moderate | Slow | Slow |
| No content to vendor cloud | ✓ | ✗ | ✗ | Partial |
| Auditable detectors | ✓ | ML black box | Partial | Partial |
| Free tier | ✓ OSS | ✗ | ✗ | ✗ |
| Endpoint DLP | ✗ (roadmap) | ✓ | ✓ | ✓ |
| Email DLP | ✗ (roadmap) | ✓ | ✓ | ✓ |
We'd rather tell you upfront than have you discover it in a POC.
We scan SaaS apps, not laptops. If you need USB blocking or browser extension DLP, look at Nightfall or Purview for now. On our roadmap for v2.0.
Gmail and Outlook scanning is on the roadmap. Today we cover file storage and collaboration apps, not email bodies or attachments in transit.
nanodlp is a scanner and alerter, not an inline proxy. We detect and alert; we don't block uploads in real time. That requires a different architecture.
We use regex + validators, not LLMs. This means we're faster and auditable, but we won't catch "this document looks like an NDA" without explicit patterns.
The open-source binary, all connectors, all built-in detectors — free forever. Pay only for the hosted control plane when you need multi-org dashboards and compliance reporting.
For engineers who want to run DLP in their own environment.
For security teams that need shared dashboards, alerting, and compliance evidence.
For organisations with 1,000+ employees, air-gap, or FedRAMP requirements.