OpenTDF vs Virtru Data Security Platform
Comparing the open-source foundation with the mission-ready platform
OpenTDF is an open-source project that includes the Trusted Data Format (TDF) specification and foundational software services for data-centric security solutions. It provides a starting point for developers building custom applications, including basic key management, access control, and data encryption.
The Virtru Data Security Platform builds on this foundation and offers additional proprietary capabilities required to deliver a mission-ready platform, including:
- Standards support for IC-TDF, ACP-240 Zero Trust Data Format (ZTDF), Intelligence Community metadata (IC-EDH, ISM, IC-ID), and NATO STANAG 5636, including classification markings, releasability controls, and dissemination restrictions that travel with protected data
- Ready-to-deploy policy enforcement across collaboration applications, data analytics pipelines, and agentic AI workflows
- Automated tagging with native support for reading and writing STANAG and Intelligence Community handling metadata, along with support for metadata generated by third-party tagging systems like Fortra and JanusNet
- Universal identity integration with any OIDC/OAuth2 provider
- Enterprise key management with native HSM support ensuring full key sovereignty within FIPS 140-2/3 validated hardware
- Advanced cryptography with FIPS-validated options and support for FIPS-203/204 Post-Quantum Cryptography
Feature Comparison for OpenTDF and Virtru Solutions
The chart below compares OpenTDF and the Virtru Data Security Platform, highlighting key differences in scope, capabilities, and use cases.
| Feature Category | OpenTDF | Virtru |
|---|---|---|
| Administration & Management | ||
| System Configuration | Headless / Config-as-Code: Configuration requires editing YAML/JSON files, Helm charts, or making direct API calls. No visual interface. | Unified Web Console: Comprehensive graphical interface for managing system settings, platform configurations, and service integrations. |
| Policy Management | CLI / API only | Visual Policy Builder: No-code, drag-and-drop web UI for defining attributes, creating rules, and managing access logic. Import / Export Policy: Support for import and export of atomic policy bundles with the ability to run the platform backed by a read-only policy backbone. |
| Standards & Interoperability | ||
| TDF Formats Supported | Base TDF Only: Reference implementation of the standard JSON-based Trusted Data Format. | Multi-Format Support: Support for Base TDF, IC-TDF (US Intelligence Community), ACP 240 ZTDF, and proprietary Binary TDF for high-volume data streaming and IoT applications. |
| Data Tag Extraction and Processing | None: No native tagging service; developers must build their own solution to extract attributes from raw data and normalize across multiple data tagging regimes. | Extensible Tagging Service: Fully supported Tagging Service with out-of-the-box support for CCEB STANAGs, US Intelligence Community Handling Metadata, and Fortra tags. Extensible via API. |
| Data Integrity | Hooks Only: API stubs for assertions, but no direct support for Organizational PKI. Default implementation requires data entitlement to verify metadata signatures. | Signed Assertions: Native integration with Organizational PKI to cryptographically sign metadata for non-repudiation and provenance. |
| Integrations & Ecosystem | ||
| Policy Enforcement Points (PEPs) | Build Your Own: SDKs provided; you must write the code to integrate policy enforcement into applications. | Full Collaboration and Data Analytics Suites: Ready-to-deploy PEPs for Microsoft Outlook, Exchange, SharePoint, SMTP Gateway, Windows Desktops, Secure Share Enclave; S3 Object Storage, Apache Trino, and Apache NiFi. Proprietary SDKs for advanced features like data tagging. |
| Centralized Configuration Service | N/A | Consolidated Service Management: Allowing for streamlined administration of deployed PEP solutions. |
| Search Capabilities | N/A | Encrypted Search: Proprietary technology enabling search over encrypted data without decrypting the payload. |
| Authorization Extensibility | N/A | Integration With Authorization Systems: Allows extension of the base authorization system. |
| Identity Provider Support | Limited: Reference implementation tightly coupled with Keycloak. | Universal Identity Support: Agnostic integration with any OIDC/OAuth2 provider, including Ping Federate, Okta, Azure AD, and Keycloak. |
| Key Management | ||
| HSM Support | Software Only: Basic Key Access Service (KAS) implementation without hardware bindings. | Enterprise HSM & Cloud KMS: Native support for Thales Luna, Entrust nShield, AWS KMS, and Google Cloud KMS. |
| Cryptography | Standard: Base AES encryption for data encryption, with support for RSA or ECC-based key encryption. | Advanced & Future-Proof: FIPS-validated options and support for FIPS-203/204 Post-Quantum Cryptography. |
| Enterprise Security | ||
| Audit Logs | No | Yes |
| SSO with SAML 2.0 support | No | Yes |
| Compliance (HIPAA, SOC-2 Type 2, FedRAMP Moderate, PCI-DSS) | No | Yes |
| Deployment | ||
| | Self-Hosted / DIY: You define the architecture, scaling, and reliability engineering. | SaaS / Hybrid / Private: Managed SaaS or customer-hosted private cloud options with SLA guarantees. |
| Support | ||
| | Open source community-based support (no SLA) | Help and support from the creators and maintainers of OpenTDF. |
Build vs. Buy: Key Differentiators to Consider