Getting Started with PastWipe
Stand up RepSec™ in minutes: create your tenant, issue keys, install the Gateway or SDKs, and enforce post-exfiltration data neutralization with signed, audit-ready telemetry.
Who this guide is for
This page orients Admins, Security, and Developers to get PastWipe running in your environment. If you just joined as a user, see Seats & Access.
Prerequisites
- An active tenant (created at first login). Check Licenses for entitlements.
- At least one Owner or Admin seat in Seats & Access.
- Outbound HTTPS to
api.pastwipe.comand your selected region endpoint. - Optional: Docker (for Gateway), language runtime for SDKs, SIEM credentials if forwarding telemetry.
Create API keys & assign roles
- Go to Licenses → Keys → New Key.
- Choose a scope (Gateway, SDK, or Admin API) and environment (Sandbox or Production).
- Store the key securely. For servers, use a secrets manager (e.g., AWS Secrets Manager, Azure Key Vault).
- Invite users in Seats & Access and assign Owner, Admin, Security, or Developer roles.
# Example: verify a key
curl -H "Authorization: Bearer <PW_API_KEY>" \
https://api.pastwipe.com/v1/ping
Gateway quickstart (Docker)
The PastWipe Gateway enforces post-exfiltration data neutralization and emits signed telemetry. Run it adjacent to your apps or as a sidecar.
- Download the latest image from Downloads.
- Set your environment variables and mount the policy file.
- Start the container and point your app to the Gateway endpoint.
# docker run (sandbox)
docker run -d --name pastwipe-gw --restart unless-stopped \
-p 127.0.0.1:9443:9443 \
-e PW_ENV=sandbox \
-e PW_TENANT_ID=<YOUR_TENANT_ID> \
-e PW_API_KEY=<YOUR_GATEWAY_KEY> \
-v $(pwd)/policy.yaml:/etc/pastwipe/policy.yaml \
ghcr.io/pastwipe/gateway:latest
# policy.yaml
version: 1
policy_id: default
rules:
- match: pii, phi, customer_export
require: [ attestation.valid, context.ok, keybound.true ]
on_violation:
- action: neutralize # make exfiltrated data non-reusable
- action: redact: { fields: [email, phone, ssn] }
- action: log_signed # tamper-evident telemetry
- action: block_if_remote # adaptive block on remote pulls
SDK quickstarts
Use SDKs when you need in-process enforcement or batch/ETL coverage. Choose your language:
npm install @pastwipe/sdk --save
import { PastWipe } from "@pastwipe/sdk";
const pw = new PastWipe({
env: "sandbox",
apiKey: process.env.PW_API_KEY,
});
// classify + enforce before egress
const result = await pw.enforce({
data: customerRecord,
policy: "default",
context: { user: "svc-export", purpose: "reporting" }
});
if (result.neutralized) {
console.log("Neutralized copy issued:", result.token);
}
pip install pastwipe-sdk
from pastwipe import Client
pw = Client(env="sandbox", api_key=os.environ["PW_API_KEY"])
res = pw.enforce(
data=customer_record,
policy="default",
context={"user":"etl-job","purpose":"export"}
)
if res.neutralized:
print("Issued non-reusable copy:", res.token)
// Maven
<dependency>
<groupId>com.pastwipe</groupId>
<artifactId>sdk</artifactId>
<version>1.0.0</version>
</dependency>
PastWipe pw = new PastWipe.Builder()
.env("sandbox")
.apiKey(System.getenv("PW_API_KEY"))
.build();
EnforceResult r = pw.enforce(new Payload(customerRecord))
.policy("default")
.context("user","svc-app")
.context("purpose","export")
.execute();
dotnet add package PastWipe.Sdk --version 1.0.0
var pw = new PastWipe.Client(new Config{
Env = "sandbox",
ApiKey = Environment.GetEnvironmentVariable("PW_API_KEY")
});
var res = await pw.Enforce(new {
data = customerRecord,
policy = "default",
context = new { user = "svc", purpose = "export" }
});
Connectors
Microsoft Entra ID (Azure AD)
- In Integrations → Entra ID, register a new app.
- Grant scopes:
openid,profile, and any required directory read. - Map claims to context:
groups→context.roles,department→context.domain.
# Sample OIDC context mapping
claims:
groups: context.roles
department: context.domain
acr: context.mfa
require:
- context.mfa >= 2
AWS KMS (Key Binding)
- In Integrations → AWS KMS, link your key ARN.
- Enable Key-Bound Tokens so neutralized copies validate only with your KMS.
- Add the IAM role to allow
kms:Decryptfrom PastWipe verifier.
# Example IAM policy
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::YOUR_ACCT:role/PastWipeVerifier"},
"Action": ["kms:Decrypt"],
"Resource": "arn:aws:kms:REGION:ACCT:key/KEYID"
}]
}
Splunk (Signed Telemetry)
- Create an HEC token and endpoint in Splunk.
- In Integrations → Splunk, paste the HEC URL and token.
- Choose Raw or JSON format; enable signature verification.
# Example telemetry record
{
"ts": "2025-10-19T09:41:22Z",
"tenant": "acme",
"policy": "default",
"event": "neutralize",
"class": "pii",
"actor": "svc-export",
"sig": "jws:eyJ..."
}
Policies & Proof
Policies declare what must be true before data can be used or exported (e.g., attestation, context, key-binding). If conditions fail, PastWipe neutralizes the copy and emits signed proof.
- Define classes (PII, PHI, source-code, finance) under Runbooks.
- Author policies in YAML or via UI. Attach policies to apps, jobs, or paths.
- Enable Breach-Triggered Neutralization to revoke copies issued before discovery.
# breach-triggered neutralization (BTN)
btn:
trigger: incident.created
scope: class in [pii, finance]
action: revoke_tokens & notify: [ siem, soc-email ]
Test vs Production
Sandbox mirrors production features with rate and scope limits. Use separate keys and telemetry streams.
- Separate keys (
PW_ENV=sandboxvsproduction) - Non-repudiation signatures still verifiable
- Use sample data sets in Downloads
Production rollout checklist
- Rotate final keys and store in a secrets manager
- Enable SIEM forwarding and alerting on neutralize and revoke events
- Turn on region lock & dedicated KMS (regulated tenants)
- Run a simulated exfiltration drill and sign the attestation
Security & Compliance
- Data handling: tokenized neutralized copies are cryptographically non-reusable outside policy.
- Proof: all enforcement emits signed JWS/COSE telemetry for audit.
- Frameworks: supports GDPR Art.5/25, NIS2 reporting, HIPAA §164.312, PCI DSS 4.0 controls.
- See Security Overview and Release Notes.
Troubleshooting
Gateway starts but no telemetry
- Verify egress to
api.pastwipe.comand your SIEM endpoint. - Run
curl /healthzon port9443. - Check time sync (NTP) for signature validity.
Policy never neutralizes
- Ensure classification matches your test data classes.
- Set
on_violation: neutralizein policy. - Enable sandbox strict in Settings to surface violations.
SDK key rejected
- Confirm key scope is SDK and environment matches (
sandbox/production). - Rotate the key and re-deploy. Keys created before 2025-07 require migration.
FAQ
What happens if the Gateway is offline?
SDKs can enforce in-process with cached policy. Gateways fail-closed (configurable) and emit backlog telemetry when back online.
Latency impact?
Median p95 < 20ms for enforce paths in-region. Use sidecar mode for lowest latency.
Does PastWipe store our raw data?
No. Enforcement operates on your data stream; PastWipe stores only minimal metadata and signed telemetry necessary for audit.