DATUM · Data security and privacy

Secure data isn't controlled. It's governed.

DATUM integrates identity, classification, traceability and privacy within the operating model. Security stops being an added layer — it becomes a property of the data.

The framework covers
  • GDPR by design
  • RBAC + ABAC + dynamic masking
  • Immutable audit log and continuous traceability

Why it matters

Controls exist, but data remains exposed.

Four problems we see in organizations that have mature analytics platforms and still suffer breaches, fines and reactive audits.

01
Accumulated access never reviewed

Roles unaudited for years, privileges inherited from old reorgs. The internal attack surface grows without measurement.

80% of internal breaches come from excessive access. · Verizon DBIR 2023
02
Data is not classified

Without sensitivity labels, all data gets the same level of control: too much or too little. Impossible to apply judgment.

Organizations without classification take 4× longer to respond to a GDPR audit. · DAMA Industry Report 2023
03
Traceability arrives too late

Knowing who accessed what is reconstructed after the incident, not before. Audit is forensic, not operational.

GDPR requires continuous traceability, not retrospective. · EU regulatory framework
04
Privacy as patch, not by design

GDPR is met through manual processes and point-in-time reviews, not integrated into the data model.

Over €4bn in GDPR fines accumulated in the EU since 2018. · DLA Piper / IAPP 2024

Positioning

Security isn't another layer. It's a property of the data model.

Where others add controls on top of the data, DATUM integrates them within the metadata itself.

Compliance stops being extra work and becomes a consequence of design.

Four pillars

The model operates on four indivisible principles.

Remove one and the rest break. That's why DATUM integrates them from the first datum.

01
RBAC + ABAC
Identity and access

Every access responds to a role, a function and a sensitivity level. No default privileges, no silent accumulation.

02
4 operational levels
Classification and sensitivity

Each asset has a label — public, internal, confidential, restricted — that determines applicable controls.

03
Immutable audit log
Continuous traceability and audit

Who accesses what, queries, exports and under what justification — recorded in real time, not reconstructed later.

04
GDPR by design
Privacy by design

Anonymization, pseudonymization and minimization integrated into the model, not added as an external layer.

Concrete capabilities

What DATUM actually does.

From principles to product. Six capabilities the platform puts into production from day one.

01
Active identity catalog

Continuous inventory of roles, groups and privileges synced with the IdP. Detects orphan access and pending reviews.

02
Automatic sensitivity labeling

Classification based on metadata, patterns and data context. No manual tagging required.

03
Immutable audit log

Every operation on the data, signed and tamper-proof. Ready for regulatory inspection.

04
Dynamic masking

Sensitive data is masked according to role and consumption context, without duplicating tables or breaking queries.

05
Reversible pseudonymization

Reversible tokens under key control to allow analytics without exposing real individual identity.

06
Anomalous PII detection

Alerts when personal data appears in zones not classified as sensitive, before it reaches consumption.

Operational classification

Four sensitivity levels, four sets of controls.

Not all data needs the same protection. Classification allows proportional controls — exactly what's needed for the data to flow when it should and stay protected when it must.

Public
Access
Open, no restriction
Retention
Indefinite
Encryption
Optional · TLS in transit
Audit
Read access not audited
Examples
Public catalog · Documentation · Press releases
Internal
Access
Authenticated employees
Retention
Standard corporate policy
Encryption
TLS in transit · encryption at rest
Audit
Aggregated access logs
Examples
Org chart · Internal processes · Data catalog
Confidential
Access
Role + business need (ABAC)
Retention
Per regulatory policy
Encryption
TLS + at rest · KMS
Audit
Audit log per individual access
Examples
Customer data · Pricing · Commercial information
Restricted
Access
Explicit approval + dynamic masking
Retention
Minimum necessary · verifiable deletion
Encryption
Double layer · KMS + per-domain keys
Audit
Immutable audit log + alerts
Examples
Clinical data · Sensitive financial data · Regulated PII

Industry contexts

We ground the model in sectors where data demands traceability, semantics and operational control.

Not all organisations face the same regulatory, operational or analytical pressure. We adapt our approach to each sector's context and the client's real maturity.

What this layer activates

Well-integrated security protects data without blocking business capacity.

What gets unlocked when security stops being a brake and becomes an enabler.

01
Lower operational risk

Integrated security removes default access and reduces the internal attack surface.

Less exposure · more control
02
Verifiable compliance

GDPR requires continuous evidence — not point-in-time inspections. DATUM produces it automatically.

Continuous evidence · audit without surprises
03
Confidence to scale

Data can be consumed, shared and used to train AI knowing the control lives in the platform.

AI-ready · partner-ready

Who leads this in your organisation?

A specific profile, a real question.

If you lead data, risk or compliance
CDO · CISO · DPO · Head of Compliance
"How do we guarantee that data is protected without blocking legitimate use?"

Too many unreviewed accesses, manual or non-existent classification, and audits that require rebuilding lineage by hand. In regulated environments this is not a minor risk; it is an audit finding.

80% of internal data breaches stem from excessive access that is not periodically reviewed. · Verizon DBIR — Data Breach Investigations Report 2023
Regulated banking
BCBS 239
compliance achieved

Data security model with active classification, role-based access control and usage traceability for banking regulatory compliance.

BCBS 239 · DORA · Data classification

Connects with

Security is transversal — it's implemented in every layer of the model.

Keep exploring

Security, in context

Next step

Do you know where your data security stands?

A 60-minute session to map your situation against the DATUM framework and evaluate next steps.