No PII custody
Matching runs on salted, normalized hashes. Raw names, emails, phones, and VINs never leave your database — only hashes, statuses, and metadata cross any boundary.
The whole point of a deletion law is to reduce the personal data sloshing around. A tool that answers it by copying consumer lists everywhere defeats the purpose. DROP Privacy is engineered so the act of complying is itself low-risk.
Run the engine inside your own perimeter. The agent indexes and matches locally and reports only non-PII results to the coordination plane — ideal when data can't move.
Every state-changing and administrative action is written to a hash-chained log — each row signed against the previous (row_chk = sha256(prev | …)). Records can't be quietly rewritten.
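As an added illustration (not DROP Privacy's code; the row fields, the "|" separator, and the all-zero genesis value are assumptions), a minimal hash-chained log in the shape described above, with a verifier that reports the first row whose checksum no longer matches its predecessor:

```python
import hashlib
import json

# Assumed placeholder for "prev" on the very first row.
GENESIS = "0" * 64


def row_checksum(prev_chk: str, row: dict) -> str:
    """row_chk = sha256(prev | canonical row). Canonical JSON (sorted keys,
    no whitespace) so that re-ordering fields cannot produce a different hash."""
    payload = json.dumps(row, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_chk}|{payload}".encode()).hexdigest()


def append_row(log: list, row: dict) -> dict:
    """Append a row whose checksum is bound to the previous row's checksum."""
    prev_chk = log[-1]["row_chk"] if log else GENESIS
    entry = dict(row)
    entry["row_chk"] = row_checksum(prev_chk, row)
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Walk the log front to back. Returns (True, -1) if every row's checksum
    matches, else (False, index) for the first row that breaks the chain."""
    prev_chk = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "row_chk"}
        if row_checksum(prev_chk, body) != entry["row_chk"]:
            return False, i
        prev_chk = entry["row_chk"]
    return True, -1


def build_sample_log() -> list:
    """Constructed sample: three administrative actions."""
    log = []
    append_row(log, {"seq": 1, "actor": "ops@example.test", "action": "login"})
    append_row(log, {"seq": 2, "actor": "ops@example.test", "action": "impersonate", "target": "user-42"})
    append_row(log, {"seq": 3, "actor": "ops@example.test", "action": "delete_request", "target": "user-42"})
    return log
```

Editing a row in place breaks verification at that row; re-computing that row's own checksum merely moves the break to the next row, since the successor was hashed against the old value. The chain therefore detects in-place rewrites but not a rewrite of the entire tail, so the newest row_chk should also be anchored somewhere the log writer cannot alter.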
Each broker's data lives in its own isolated database — never a shared schema. One tenant can't reach another's records, by construction.
Tenant isolation and role-based access are enforced centrally in middleware — not re-implemented per controller — and every impersonation or admin action is itself audited.
API keys, certificates, and the engine's working directory live outside the document root. The web server only ever exposes public/.
The single most important property: the data that crosses between your systems and the coordination plane is never raw PII.
We'll walk through the data-flow boundary, the audit chain, and the on-premise deployment option in detail. Security questions or responsible disclosure: security@dropprivacy.com.