Secure vault and SDK to store customer records built to comply with GDPR.

Databunker provides strong, serious, real personal-data protection for your customer records without expensive custom coding.

  • Privacy by design compliance.
  • Open-source security.
  • Self-hosted service.

Get started Online demo

Tokenization is the process of turning sensitive data into nonsensitive data called “tokens” that can be used in a database or internal system.

The most known use-case of tokenization is the tokenization of credit card numbers.

In classical tokenization service, only one value is turned into a token. For example, if you have a user email address, social security number, and a credit card you will have 3 tokens. One token for email, one for SSN, and one for a credit card.

Databunker digram

Unlike classical tokenization service, Databunker gets the whole user profile and generates a unique user token. Databunker stores user JSON profiles in an encrypted format. Databunker builds a secure and quick search index to lookup user records for example by email address. This search index is also hashed on the disk. As a result, no personal data is saved in clear text in the Databunker backend database.

According to GDPR Article 32:

The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk including the pseudonymization and encryption of personal data.

GDPR defines pseudonymization as:

‘pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Databunker complies with the definition of pseudonymization. User personal data is encrypted and stored separately from the application database.

When saving a user object in Databunker you are getting a user token. This user token is a user pseudonymised identity.

Pseudonymized identity

So, now when performing a cross-border transfer or saving application logs, change user identity (email, name, etc…) with a Databunker user token.

This way you make the user not identifiable directly. This method is compatible with Schrems II.

According to “The GDPR made simple(r) for SMEs” book, published in 2021:

To comply with Data Protection by Design (DPbD) and Data Protection by Default (DPbDf), a company may consider implementing Privacy Enhancing Technologies (PETs).

PETs encompass a wide range of solutions, incorporating both traditional data security technologies (e.g. anonymization, encryption cryptography, for personal data both being stored or moved) and other tools aimed at a more general strengthening of data protection: for example, antitracking tools for web browsing, dashboards and other user interfaces for the management of consent can be considered, as well as tools that enable data subjects to audit the enforcement of the data protection policy of a controller or to customize the terms and conditions of privacy policies.

Databunker stands most requirements for Privacy Enhancing Technology. Databunker can serve as a cornerstone for your privacy by design compliance.

Databunker is a special encrypted database for sensitive personal records and Personally Identifiable Information (PII).

Since the GDPR has not made data encryption a mandatory method for imposing data security, not implementing data encryption is not a violation of GDPR compliance.

However, data breaches are a common occurrence, specifically with such a thriving cybercriminal landscape.

Amidst this, any organization falling victim to a data breach might be able to avoid GDPR fines if it implements data protection through encryption.

Upon an API request to create a new user record, Databunker performs the following operations:

  • Request sanity check and access validation check.
  • Normalize email address, phone number, login name.
  • Strict user schema validation if the schema is defined in the configuration. Generate an error if some fields are missing or error.
  • Securely encode email address, phone number, login name.
  • Check for duplicate email, phone, and login records. Generate an error in case of duplicates found.
  • Random generation of a user UUID token to be used as the main user index.
  • Encrypt the whole user JSON and save it in the backend database (MySQL, PostgreSQL, SQLite).
  • Return user token (UUID generated before) to the API caller.

Now, when Databunker returns a user token, you can store it in your existing database instead of storing personal records in clear text (PII).

This customer token is basically a user pseudonymised identity.

Pseudonymized identity

Afterward, you can query the Databunker service using the user token to receive user personal data, saving the audit trail. You can also perform user record lookup using the email address, login name, or phone number.

Upon user record creation request, Databunker knows to extract user email, phone, login name, and build an encrypted search index.

Databunker product gives your customers passwordless access to the Databunker user privacy portal. Upon login attempt, the product sends your customer a one-time access code. This code is sent by SMS or email.

Databunker login

Databunker gives the user temporary access to view his data, initiate personal information change (data rectification request), start the forget-me operation, manage privacy agreements, or view audit events.

Databunker User Profile

Upon any user action (depending on configuration), Databunker sends a notification email to Data Privacy Officer (DPO).

DPO can use Databunker to approve or reject user requests. For example, DPO can approve user forget-me requests.

Using the Databunker management portal, DPO or Data Privacy Officer can view all user requests, configure processing operations, and view audit events.

user requests

processing operationconfiguration

When creating web applications sometimes you need to save data in a session object. This data can include user email address, user permissions, last operation code, error messages. A session can be defined as server-side storage of information that is desired to persist throughout the user’s interaction with the website or web application.

Some of the information stored in the session is considered personal data or Personally Identifiable Information.

GDPR stands on a number of principles. Integrity and confidentiality are some of them. These principles tell that appropriate security measures should be in place to protect personal data.

Databunker has an API for secure storage on session objects inside Databunker’s encrypted store. Node.js modules and examples provided:

Databunker encrypts customer records

To comply with privacy regulations customer records must be encrypted.

Old style solution


"Select *" will return data in clear text even if you use database encryption. The data is encrypted only on disk. In the case of SQL Injection, the attacker will copy all your private data.

Databunker solution


"Select *" on backend SQL will return encrypted data. Personal data can be fetched only by using Databunker API after passing numerous security checks.

docker run -p 3000:3000 -d --rm --name dbunker securitybunker/databunker demo Unable to find image 'securitybunker/databunker:latest' locally latest: Pulling from securitybunker/databunker 1cb83b1b7b4e5bc0fd331f448e59ba3a69 curl -s http://localhost:3000/v1/user -X POST -H "X-Bunker-Token: DEMO" \ -H "Content-Type: application/json" \ -d '{"first":"John","last":"Doe","login":"john", "phone":"4444","email":""}' {"status":"ok","token":"31debb9e-64cf-616d-d8ae-c1b383c81e24"} curl -s -H "X-Bunker-Token: DEMO" -X GET http://localhost:3000/v1/user/email/ {"status":"ok","token":"31debb9e-64cf-616d-d8ae-c1b383c81e24", "data":{"email":"","first":"John","last":"Doe","login":"john","phone":"4444"}}


1. Node.js example implementing passwordless login using Databunker:

2. Node.js example with Passport.js, Magic.Link and Databunker:

3. Secure Session Storage for Node.js apps:

For developers, by developers


GDPR user rights

Databunker will help you to comply with the following GDPR user rights

Right to be informed

Right of access

Right to rectification

Right to erasure

Right to restrict processing

Right of data portability

Right related to automated decision making including profiling

Right to object

Why Databunker?

A special service to store personal data.

Secure from start

Databunker has a strong immune secure architecture to stand security attacks.

Using strong encryption

All records with customer personal information are encrypted using AES-256 or securely hashed in the internal database.

Instant request processing

The service code is written in go-lang that gives super-fast native code execution performance.

Made for cloud and on-premises

We built Docker containers for simple setup and work. You can deploy them in the cloud and on-premises.

Optional strict data modeling

Databunker supports schema validation and enforcement for user records with some advanced extensions.

Encrypted search index

From the user records, Databunker knows to extract email, phone, login name, and build an encrypted search index.

CRUD for personal records

We have a flexible API for that. You can also store application data.

Using standard database: MySQL / SQLite

User records are encrypted and saved in a standard database.

Personal records consolidation

You can move all personal records from your different systems into one place.

GDPR compliant personal data database

Databunker has a built-in user portal that gives your customers full visibility and control.

Practical GDPR Compliance Guide for Startup Heroes

With big data comes big responsibilities.

Sign up for Databunker Releases and Updates