DataStealth On-Premise is a data security platform deployed entirely within a customer's own infrastructure — on bare metal, virtual machines, containers, or Kubernetes — including air-gapped and disconnected environments. The platform performs tokenization, masking, and encryption of sensitive fields before data moves between applications, databases, or storage systems. It operates through multiple deployment models: - Inline Gateway/Proxy: Intercepts and transforms data in real-time between apps, users, or services without code changes. - Database & Data-Store Proxy: Enforces field-level protection on SQL or NoSQL database traffic. - Sidecar/Service Mesh: Runs alongside microservices to apply per-service data protection policies. - Batch & Streaming Workers: Discovers, classifies, and remediates sensitive data across files, data lakes, and event streams. The platform supports web and API traffic (HTTP/S, gRPC, GraphQL), databases and warehouses (SQL and JSON), file shares and object stores (CIFS, NFS, S3-compatible), messaging and streaming systems (Kafka, queues, ETL pipelines), and log/observability pipelines. Key operational capabilities include active-active high availability, horizontal scaling, policy-as-code with versioning and rollback, and SIEM-exportable audit logging. Security and key management features include BYOK (Bring Your Own Key), HSM/KMS integration, TLS/mTLS enforcement, role-based access controls with least-privilege detokenization, and full key usage audit logging. Dynamic masking tailors data visibility based on user roles. SDKs and sidecar deployments allow legacy systems to meet compliance requirements without application code changes.