PastWipe Customer Portal · Getting Started
Docs

Getting Started with PastWipe

Stand up RepSec™ in minutes: create your tenant, issue keys, install the Gateway or SDKs, and enforce post-exfiltration data neutralization with signed, audit-ready telemetry.

Who this guide is for

This page orients Admins, Security, and Developers to get PastWipe running in your environment. If you just joined as a user, see Seats & Access.

Admins
Set up tenant, roles, billing, licenses
Security
Define policies, attestations, SIEM/SOAR routing
Developers
Install Gateway/SDKs, instrument apps & jobs

Prerequisites

  • An active tenant (created at first login). Check Licenses for entitlements.
  • At least one Owner or Admin seat in Seats & Access.
  • Outbound HTTPS to api.pastwipe.com and your selected region endpoint.
  • Optional: Docker (for Gateway), language runtime for SDKs, SIEM credentials if forwarding telemetry.
Tip: Government/regulated tenants may request region lock and Dedicated Key Services. Raise a ticket via Support.

Create API keys & assign roles

  1. Go to LicensesKeysNew Key.
  2. Choose a scope (Gateway, SDK, or Admin API) and environment (Sandbox or Production).
  3. Store the key securely. For servers, use a secrets manager (e.g., AWS Secrets Manager, Azure Key Vault).
  4. Invite users in Seats & Access and assign Owner, Admin, Security, or Developer roles.
# Example: verify a key
curl -H "Authorization: Bearer <PW_API_KEY>" \
  https://api.pastwipe.com/v1/ping

Gateway quickstart (Docker)

The PastWipe Gateway enforces post-exfiltration data neutralization and emits signed telemetry. Run it adjacent to your apps or as a sidecar.

  1. Download the latest image from Downloads.
  2. Set your environment variables and mount the policy file.
  3. Start the container and point your app to the Gateway endpoint.
# docker run (sandbox)
docker run -d --name pastwipe-gw --restart unless-stopped \
  -p 127.0.0.1:9443:9443 \
  -e PW_ENV=sandbox \
  -e PW_TENANT_ID=<YOUR_TENANT_ID> \
  -e PW_API_KEY=<YOUR_GATEWAY_KEY> \
  -v $(pwd)/policy.yaml:/etc/pastwipe/policy.yaml \
  ghcr.io/pastwipe/gateway:latest
# policy.yaml
version: 1
policy_id: default
rules:
  - match: pii, phi, customer_export
    require: [ attestation.valid, context.ok, keybound.true ]
    on_violation:
      - action: neutralize        # make exfiltrated data non-reusable
      - action: redact: { fields: [email, phone, ssn] }
      - action: log_signed        # tamper-evident telemetry
      - action: block_if_remote   # adaptive block on remote pulls

SDK quickstarts

Use SDKs when you need in-process enforcement or batch/ETL coverage. Choose your language:

npm install @pastwipe/sdk --save
import { PastWipe } from "@pastwipe/sdk";
const pw = new PastWipe({
  env: "sandbox",
  apiKey: process.env.PW_API_KEY,
});

// classify + enforce before egress
const result = await pw.enforce({
  data: customerRecord,
  policy: "default",
  context: { user: "svc-export", purpose: "reporting" }
});

if (result.neutralized) {
  console.log("Neutralized copy issued:", result.token);
}
pip install pastwipe-sdk
from pastwipe import Client
pw = Client(env="sandbox", api_key=os.environ["PW_API_KEY"]) 

res = pw.enforce(
  data=customer_record,
  policy="default",
  context={"user":"etl-job","purpose":"export"}
)

if res.neutralized:
    print("Issued non-reusable copy:", res.token)
// Maven
<dependency>
  <groupId>com.pastwipe</groupId>
  <artifactId>sdk</artifactId>
  <version>1.0.0</version>
</dependency>
PastWipe pw = new PastWipe.Builder()
  .env("sandbox")
  .apiKey(System.getenv("PW_API_KEY"))
  .build();

EnforceResult r = pw.enforce(new Payload(customerRecord))
  .policy("default")
  .context("user","svc-app")
  .context("purpose","export")
  .execute();
dotnet add package PastWipe.Sdk --version 1.0.0
var pw = new PastWipe.Client(new Config{
  Env = "sandbox",
  ApiKey = Environment.GetEnvironmentVariable("PW_API_KEY")
});
var res = await pw.Enforce(new {
  data = customerRecord,
  policy = "default",
  context = new { user = "svc", purpose = "export" }
});

Connectors

Microsoft Entra ID (Azure AD)

  1. In IntegrationsEntra ID, register a new app.
  2. Grant scopes: openid, profile, and any required directory read.
  3. Map claims to context: groupscontext.roles, departmentcontext.domain.
# Sample OIDC context mapping
claims:
  groups: context.roles
  department: context.domain
  acr: context.mfa
require:
  - context.mfa >= 2

AWS KMS (Key Binding)

  1. In IntegrationsAWS KMS, link your key ARN.
  2. Enable Key-Bound Tokens so neutralized copies validate only with your KMS.
  3. Add the IAM role to allow kms:Decrypt from PastWipe verifier.
# Example IAM policy
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::YOUR_ACCT:role/PastWipeVerifier"},
    "Action": ["kms:Decrypt"],
    "Resource": "arn:aws:kms:REGION:ACCT:key/KEYID"
  }]
}

Splunk (Signed Telemetry)

  1. Create an HEC token and endpoint in Splunk.
  2. In IntegrationsSplunk, paste the HEC URL and token.
  3. Choose Raw or JSON format; enable signature verification.
# Example telemetry record
{
  "ts": "2025-10-19T09:41:22Z",
  "tenant": "acme",
  "policy": "default",
  "event": "neutralize",
  "class": "pii",
  "actor": "svc-export",
  "sig": "jws:eyJ..."
}

Policies & Proof

Policies declare what must be true before data can be used or exported (e.g., attestation, context, key-binding). If conditions fail, PastWipe neutralizes the copy and emits signed proof.

  • Define classes (PII, PHI, source-code, finance) under Runbooks.
  • Author policies in YAML or via UI. Attach policies to apps, jobs, or paths.
  • Enable Breach-Triggered Neutralization to revoke copies issued before discovery.
# breach-triggered neutralization (BTN)
btn:
  trigger: incident.created
  scope: class in [pii, finance]
  action: revoke_tokens & notify: [ siem, soc-email ]

Test vs Production

Sandbox mirrors production features with rate and scope limits. Use separate keys and telemetry streams.

  • Separate keys (PW_ENV=sandbox vs production)
  • Non-repudiation signatures still verifiable
  • Use sample data sets in Downloads

Production rollout checklist

  • Rotate final keys and store in a secrets manager
  • Enable SIEM forwarding and alerting on neutralize and revoke events
  • Turn on region lock & dedicated KMS (regulated tenants)
  • Run a simulated exfiltration drill and sign the attestation

Security & Compliance

  • Data handling: tokenized neutralized copies are cryptographically non-reusable outside policy.
  • Proof: all enforcement emits signed JWS/COSE telemetry for audit.
  • Frameworks: supports GDPR Art.5/25, NIS2 reporting, HIPAA §164.312, PCI DSS 4.0 controls.
  • See Security Overview and Release Notes.

Troubleshooting

Gateway starts but no telemetry
  • Verify egress to api.pastwipe.com and your SIEM endpoint.
  • Run curl /healthz on port 9443.
  • Check time sync (NTP) for signature validity.
Policy never neutralizes
  • Ensure classification matches your test data classes.
  • Set on_violation: neutralize in policy.
  • Enable sandbox strict in Settings to surface violations.
SDK key rejected
  • Confirm key scope is SDK and environment matches (sandbox/production).
  • Rotate the key and re-deploy. Keys created before 2025-07 require migration.

FAQ

What happens if the Gateway is offline?

SDKs can enforce in-process with cached policy. Gateways fail-closed (configurable) and emit backlog telemetry when back online.

Latency impact?

Median p95 < 20ms for enforce paths in-region. Use sidecar mode for lowest latency.

Does PastWipe store our raw data?

No. Enforcement operates on your data stream; PastWipe stores only minimal metadata and signed telemetry necessary for audit.

Next steps