LGPD for Self-Hosted Models: A Compliance Guide

Why LGPD matters for self‑hosted deployments

A data‑science contractor departs, yet a CI job that the contractor configured still holds a static token capable of querying the customer database. The token can run arbitrary SQL against the self‑hosted PostgreSQL cluster, returning names, addresses, and payment details of Brazilian citizens. When the security team discovers the lingering credential, they realize that every query executed by that job is invisible to auditors, and any accidental data exposure would be a direct violation of the Lei Geral de Proteção de Dados (LGPD). The incident highlights a fundamental tension: self‑hosted models give teams full control over infrastructure, but that control often lacks the centralized guardrails required by privacy law.

LGPD’s core technical requirements

LGPD obliges organizations that process personal data of Brazilian residents to demonstrate:

Accountability: documented policies and technical measures that show how data is handled.
Purpose limitation and data minimization: only collect and retain data needed for a defined purpose.
Security of processing: protect data against unauthorized access, alteration, and disclosure.
Transparency and auditability: maintain records of who accessed what data, when, and why.
Data subject rights support: be able to locate, correct, or delete personal data on request.

Regulators expect concrete evidence, logs, approvals, and proof of masking, rather than abstract policies.

Where the gap appears in typical self‑hosted stacks

Most self‑hosted environments rely on static credentials stored in configuration files or secret managers that are accessed directly by applications. Access control is often enforced at the identity provider level, while the actual database or Kubernetes API sees the request as coming from a service account with broad privileges. This architecture creates three blind spots:

No unified audit trail. Each component writes its own logs, making it hard to reconstruct a complete picture of a user’s activity.
No real‑time data protection. Sensitive fields travel in clear text from the database to the client, so any compromised client can exfiltrate personal data.
No just‑in‑time approval. Long‑lived credentials allow any command, even dangerous ones, without a human review.

Because the enforcement points sit inside the target services, removing a credential or revoking a role does not retroactively protect data that has already been read.

How hoop.dev fills the gap

hoop.dev is a Layer 7 gateway that sits between identities and the self‑hosted resources you need to protect. It intercepts traffic at the protocol level, whether the client is psql, kubectl, or ssh, and applies policy before the request reaches the target. By placing the enforcement layer in the data path, hoop.dev becomes the sole place where masking, approval, and recording can be guaranteed.

Continue reading? Get the full guide.

Self-Service Access Portals + LGPD (Brazil): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Key enforcement capabilities provided by hoop.dev

Session recording. hoop.dev records each interaction, capturing the identity, timestamp, and full command or query. This log satisfies LGPD’s auditability requirement.
Inline data masking. hoop.dev can redact personal fields such as CPF numbers or email addresses in real time, ensuring that only authorized viewers see raw data.
Just‑in‑time access. Before a high‑risk operation is executed, hoop.dev routes the request to an approver. The approval is stored alongside the session record.
Command blocking. hoop.dev can reject dangerous statements, e.g., DROP DATABASE or mass DELETE, based on policy, preventing accidental data loss.
Scoped credentials. The gateway holds the backend credential; users never see it, reducing credential sprawl and the risk of leakage.

All of these outcomes exist only because hoop.dev sits in the data path. If the gateway were removed, the underlying services would revert to the insecure baseline described earlier.

Implementing hoop.dev for LGPD evidence

Start by deploying the gateway in the same network segment as your databases and Kubernetes clusters. The official getting‑started guide walks you through a Docker‑Compose deployment that includes OIDC authentication, masking rules, and guardrails out of the box. Once the gateway is running, register each self‑hosted resource, PostgreSQL, MySQL, or a Kubernetes API server, so that hoop.dev can proxy connections. Define masking policies for fields that contain personal data, and configure approval workflows for privileged commands. After the gateway is in place, every session automatically becomes part of the evidence you can present to auditors.

Because hoop.dev is open source, you retain full control over the code that enforces LGPD‑related policies. The learn section provides deeper examples of policy definitions, audit‑log retention, and integration with existing SIEM solutions.

FAQ

Does hoop.dev make my self‑hosted deployment LGPD‑compliant?
hoop.dev generates the technical evidence required by LGPD, session logs, masked data streams, and approval records, but compliance also depends on organizational processes and legal interpretation.

Can I use hoop.dev with existing CI pipelines?
Yes. CI jobs authenticate through OIDC, then connect to databases via the gateway. The same masking and approval policies apply to automated runs.

What happens to credentials stored in the gateway?
The gateway holds the backend credential in memory and never exposes it to the client. This reduces the attack surface and satisfies the principle of least privilege.

Ready to start building LGPD‑ready evidence? View the open‑source repository on GitHub and follow the quick‑start instructions.