You agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Building vs. Buying a Data Privacy Vault to Protect Sensitive Data

Privacy Engineering
Table of content:
Join our newsletter

Your privacy is important to us, privacy policy.

As organizations focus on data privacy and security as a core part of their privacy regime, the decision to secure PII, PHI, PCI, and KYC data comes down to either building an in-house solution or buying a vendor solution to meet privacy requirements. The decision must come after considering various factors discussed in this article. The nature of data privacy is contextual and highly complex in today's changing times.

The techniques required by an enterprise to ensure adequate data privacy vary according to each business use case. It is ideal for a business to employ a variety of privacy-enhancing technologies (PET) and control measures to achieve the right balance between data utility and data privacy requirements of the user whose data is collected.

Such methods range from encryption, tokenization, and masking to more advanced techniques, such as auto-tagged data, data integrity, automation of data retention/expiration, cascading deletion requests, and others to protect sensitive personal information. Many organizations build something on their own (DIY) and can’t maintain it and keep up with privacy and security best practices as they go forward.

Data Protection Is a Complicated Engineering Problem

There's a range of solutions for handling and storing sensitive user data. The more sophisticated and secure solution, the more complicated the implementation. In the illustration below, multiple privacy-preserving techniques will include access control, de-identification, tokenization, encryption, and key management. On the left side, organizations will store everything in plaintext.

Data may be duplicated and scattered, and everyone can access it—a simple approach but without privacy. Enterprises lie somewhere in the middle of the two extremes. Unfortunately, too many lean to the left, hence we keep hearing about data breach news almost daily. Designing these technologies yourself from the ground up is probably more complex than you can imagine and it will shift your R&D focus to deal with infrastructure rather than focus on your organization's unique needs.

data protection infographics

Building In-house Solutions: What Aspects Should Organizations Consider?

  1. Strategic: If you're going to build it, does this project align with the enterprise's core business objectives and long-term strategies?
  2. Total cost of ownership (TCO): When building a solution in-house, you need to consider the building aspect and maintenance costs (and focus) and compare them to the TCO of buying a product.
  3. Focus: When building an in-house data privacy solution, organizations need to focus on a few crucial questions, such as:
    - Can you afford to dedicate the resources required for such a project, and at what expense?
    - Do you have the time and resources? When can you expect to get a fully functional system?
  4. Economies of scale: Vendors that service many customers can allegedly distribute the maintenance and software operations costs across their clients. Thus, these economies of scale allow them to charge less for a service or product than you will achieve by building it yourself. You may consider asking yourself the following questions:
    - Is there such a shelf product out there?
    - Does it fit your needs in terms of functionality, scalability, performance, and playing well with your existing tech stack and various integrations?
  5. Competitiveness: When building an in-house solution, do you have the needed compliance knowledge, experience, and expertise to build a better solution than the ones already out there on the market?
  6. Engineering complexity:
    - Building security features like encryption and key management or even just using an open-source encryption library requires expertise. It is a highly error-prone task and many fail to do it well.
    - Complexity of building a tokenization engine: Building a tokenization engine is complicated. It has to be robust and secure and reduce privacy risks to data, requiring effort and expertise. It’s not just a mapping table. There’s so much more to it, like scopes, format-preserving tokens, convergence, uniqueness, determinism, rotations, etc.

Reasons to Go with a Third-Party Vendor

The leading technology businesses out there are solving the data privacy problem with zero-trust data privacy vault architecture. They are pioneering privacy engineering, they have big budgets and unique engineering power, and they shaped how it’s done today. You can just procure one without going through the hassle of building it. The following list discusses the primary advantages of outsourcing a data privacy vault:

  1. Compliance: The vault helps implement some of the GDPR and CCPA functionality easily. The vendors translate the popular privacy regulations’ requirements into software requirements so you don’t have to, and the vault is SOC2-compliant too.
  2. Continuous support for changing regulations: We’ve all already seen that the regulations continue to evolve; thus it will require more work to support additional requirements. The vendors cover that for you.
  3. Trusted dedicated vendor: The biggest advantage is that your customers will feel more secure knowing that you use a tested and trusted vendor’s solution and that their sole function is building the best vault.
  4. Dev-first approach: Modern vaults are first built for developers to adopt. Everything is fully documented (always up to date), including code samples and tutorials. It makes the APIs easy to use.
  5. Supported use cases: The vaults allow you to safeguard any type of sensitive data, including files.
  6. Enterprise-grade reliability: Because it is critical infrastructure for a business, it meets high availability, scalability, and throughput requirements.

What Makes Piiano Privacy Vault an Ideal Choice?

Piiano sees the world differently, placing PII and sensitive data in the center without you having to compromise. Here’s why you should choose the Piiano Vault:

  1. SaaS: The vault is hosted by us, so you don't need to deploy it. This can be good for storing credit card numbers of your customers, which will require you to go through an official PCI-DSS Compliance auditing that takes months to go through. We did it for you, so you can start working with it immediately.
  2. Self-Hosted (including on-prem): Alternatively, the vault can also be easily deployed into your own cloud account, whether it’s AWS, GCP, or Azure. It can even run on your proprietary on-prem environment. Either way, no one can see your data except you. You are in complete control of your data. Piiano’s vault is also built to run on your machine if you want to play with it.
  3. Piiano-Managed: Piiano believes that in case you alone own your data, we can manage the vault for you, and we can never access your data by design.
  4. Vault Adoption: Even if you built or bought a vault, you would still need to migrate data into it and change the code accordingly. That’s a very hard task and Piiano specializes in doing it with its unique know-how and toolsets.
  5. Data Privacy Integrity:  Our vault supports a proprietary privacy-based data model that keeps the data organized with high integrity at all times. Everything is semantically tagged and natively understood by the system.
  6. Data Security: Easy-to-use features like tokenization, advanced seamless encryption schemes (field level, key rotation, re-keying, etc.), SQLI prevention, IDOR prevention, data maskingת and many more are all native to the vault’s infrastructure to ensure sensitive data is appropriately secured.
  7. PCI-DSS-Ready & SOC2-Compliant: Our vault is PCI-ready. Your PCI scope can be only the vault itself, so your application stays out of it, making it much easier to pass audits (by a QSA).
  8. Performance: We built our vault to scale based on your needs, allowing tens of thousands of requests per second with stateless containers.


Let's be frank, by the time you finish reading this article, you can already be protecting sensitive data with our Piiano-hosted Vault and simple APIs. Create a free account, give it a quick shot.

When building in-house data privacy solutions, one needs to consider whether they have the required resources to build a better solution than the ones out there. The biggest technological challenge is building it for scale, performance, and resiliency. It truly sounds easy to implement, but software engineers are smarter than that, and the fact that the regulatory landscape is exceedingly dynamic makes it harder over time.

Piiano will help you implement privacy and security controls. We will also help you remediate existing applications by carrying out efficient data migrations and code changes, so adopting a vault is becoming easier than ever before. Your organization can focus on your core competency, leaving data privacy in the hands of experts!

Share article

Powering Data Protection

Skip PCI compliance with our tokenization APIs

Skip PCI compliance with our tokenization APIs




It all begins with the cloud, where applications are accessible to everyone. Therefore, a user or an attacker makes no difference per se. Technically, encrypting all data at rest and in transit might seem like a comprehensive approach, but these methods are not enough anymore. For cloud hosted applications, data-at-rest encryption does not provide the coverage one might expect.

John Marcus

Senior Product Owner

const protectedForm = 
pvault.createProtectedForm(payment Div, 
Thank you! Your submission has been received!

We care about your data in our privacy policy

Oops! Something went wrong while submitting the form.