DCAP Platform SecuPi

SecuPi provides a single platform for protecting sensitive data, whether applied for compliance or security purposes (or both), SecuPi secures data on applications with no code changes.



Real-time monitoring and auditing of user activity applied for privacy requirements such as “Records of processing activities” and “Right of access”.

Protect your most valuable assets with SecuPi

SecuPi enables organizations to comply with regulatory requirements such as GDPR and ensure a secure use of sensitive data of all kinds, such as personal data, financial data, health data and many more. With SecuPi, the data-centric solution approach can be implemented easily and effectively, so that data in applications and the areas of data warehouse and big data are protected from unauthorized access and leakage.

Access to sensitive data is logged and alerts are created in the event of unusual behavior. The traceability of the data access is guaranteed (records of processing). In addition, the data is dynamically masked when it is retrieved or moved and encrypted when it is exported.

Data protection in Applications, Data Warehouse, Big Data

Today, the applications and their authorization concepts cannot keep up with data protection security measures. Although modern applications contain an RBAC(role based access control) model, there is no fine granular control related to “which user is allowed to see which data in which role”.

Hence, the control of the access rights is primarily based on the predefined authorizations of the application. This prompts users to engage in a variety of functions and view data within the same group of roles.

Our DCAP Showcases

Protect Business Applications: CRM

Showcase how to protect sensitive data in Business Applications from unwanted disclosure or loss without code changes of the application.

Protect Cloud-DWH: Snowflake

Showcase how to protect personal data in cloud-based human captial managemnt solutions for senstive data for employee, candidate and hr administration.

Protect Cloud-HCM: Success Factors

Showcase how to protect sensitive data in snowflake, a cloud-based data warehouse for data analytics, data quality assurance and more.

DCAP as the standard for data-centric security

Data Centric Audit and Protection or DCAP is an approach to protect sensitive data that combines comprehensive data security and audit functions with simplified detection, classification, policy management, user, and role-based access as well as real-time data and user activity monitoring, which help the Automate data security and legal compliance to the greatest possible extent.

As the name DCAP suggests, the term DCAP (developed by Gartner management and research consultancy) defines a security strategy that focuses on data and its content. The aim is to maintain data security by determining where critical data is located, who has access to it and whenever changes are made to the data and the surrounding systems.


Dynamic Masking & Encryption offer many possibilities

Dynamic Masking is transforming the defined data subjects from the moment of leaving the source also called “encryption in motion”. The data at source remains unchanged and in the clear. The real data objects are only provided if this is necessary for the user due to his function otherwise the data remains hidden, anonymized or pseudonymized.

For the data sets with confidential information “encryption at rest” is needed to encrypt the data subject at the source and decrypt the data only if required. The data cannot get read if there is no access to the master key to decrypt the data.


The all-in-one DCAP suite from SecuPi

The SecuPi platform brings data-centric security and compliance closer to application owners and business units and enables the detection, classification, anonymization and minimization of sensitive data throughout the company with centralized policy management and real-time monitoring of all data flows and user activities. Fine-tuned policy management with policy-based access control / attribute-based access control in combination with data protection options, integrated controls for managing user consent, anonymization and other data subject rights (e.g. the right to be forgotten) ensure that all applications comply with specifications such as GDPR EU or similar regulations can comply with compliance quickly and without adapting existing database structures.

SecuPi DCAP Functions

Data Classification and Discovery

The identification of the data subjects with special protection requirements is essential to the entire solution. It is crucial to understand which data is used or stored in which processes. SecuPi provides various classification options here. The resulting information is used in rule creation and masking. Data classification process in SecuPi can be automatized in combination with BigID solutions. Read more about BigID here

Data Security Policy Management

The technical measures to be implemented based on the security use cases are mapped as technical rules in SecuPi. The rules enforce the guidelines in the business processes directly as well as through any encryption or decryption steps.

Data Monitoring, User Privileges Monitoring, and Data Access Activity

Even if existing applications provide a role model for authorizations and access, more detailed governance specifications can be implemented and ensured with SecuPi, which go beyond the existing possibilities of the applications. Data streams of particularly sensitive data to control individually for each user and user group on the basis of the day-to-day business.

Auditing & Reporting

SecuPi provides various functions for tracking users accessing sensitive data and at what time. In addition to the report for processing records, other access reports and scans may be called. On this basis, reports on internal and external audits or inquiries are possible at all times.

Behavior Analysis, Alerting and Blocking

SecuPi enables the recording of behavior analytics of application users while accessing sensitive data over a longer observation period. On the basis of cases, these behavior patterns are compared against the norm and, in the event of deviations, logged as an alarm.

Data Protection Security Solution

Dynamic Masking

One of the primary data protection features of SecuPi is dynamic masking of sensitive data by policy. The actual data objects, such as Personal data, are dynamically encrypted using various options. Encryption means that the data is “hidden”, “anonymized” or “pseudonymized” from the database to the screen.

The data remains unchanged at the database management system but in its original form. The undesired access to data can be specifically prevented. If higher security requirements have to be implemented, these attributes (column, field) can be encrypted directly at the source. If exports are triggered directly from the application (e.g. as a CSV file), the data is also exported masked in the case of dynamic masking. SecuPi integrates this process with various Hardware Security Modules (HSM).

Data Encryption/Decryption

SecuPi data can be encrypted at source by policy. Instead of encrypting the whole data source, the sensitive data subject can be encrypted. The data encrypted in the database is physically changed at the source. Decryption points need to be defined among the business processes to ensure the correct data leads to a high availability of the encryption/decryption service.

In the event of a data extraction and data loss, the sensitive data is protected as encrypted and not usable without the key. SecuPi also integrates with various vault systems such as Hardware Security Modules (HSM).

File Encryption

File Encryption is the ideal supplement for the general protection purpose of data. Many applications provide an “Export to” function where the data displayed on the screen can be exported to a file like CSV, XLS or PDF. Exporting structured data from an application to a file creates an additional set as unstructured data which might be duplicated across the organization.

SecuPi is able to integrate with file encryption solutions like Microsoft Azure Information Protection. While exporting the data from the application, the file will be encrypted with the predefined policy from the encryption solution.

DCAP Architecture

The SecuPi platform is installed in the customer environment -
regardless of whether it is an internal data center, a cloud infrastructure, or a hybrid deployment.


Let’s Collaborate

Visit our products pages to read more about the capabilities and features of products:

Get more information

Download our Factsheets Here German English
SecuPi is a product/service from SecuPi Inc. 450 Park Ave S, NY, NY 10016, USA

Sign Up for Our Newsletter!