What LGPD Means for Non-Human Identities

An automated CI job that pushes database migrations continues to run after the contract of the developer who authored it expires. The service account it uses still holds a token that can read customer tables, and the job’s logs contain raw personal data such as names, email addresses, and CPF numbers. When auditors request proof that the organization respects Brazil’s LGPD, the team can point to the job’s existence but has no reliable, tamper‑evident record of what data was accessed, who triggered the request, or whether the operation received proper approval.

LGPD treats any processing of personal data as a regulated activity, regardless of whether the actor is a human user or an automated identity. Service accounts, CI pipelines, and AI agents all generate traffic that can expose personal information. Compliance programs therefore need to capture three things for each non‑human request: the exact data payload, the identity that initiated the request, and the policy decision that allowed it.

The first layer of control, identity federation, OIDC tokens, and role‑based permissions, decides which non‑human principal may start a session. It is essential for authentication, but on its own it cannot guarantee that the session will be logged, that sensitive fields will be redacted, or that an out‑of‑band approval will be enforced. Without a point of inspection on the traffic path, the organization lacks the continuous evidence LGPD auditors expect.

hoop.dev provides that inspection point. It sits as a Layer 7 gateway between the automated identity and the target infrastructure, whether the target is a PostgreSQL database, a Kubernetes API, or an SSH host. Every request passes through the gateway, where hoop.dev can apply just‑in‑time approval, mask configured columns such as email or CPF in real time, and record the full session for replay. Because the gateway holds the credential, the non‑human principal never sees the secret, and the organization gains an audit trail that aligns with LGPD’s requirement for continuous evidence.

hoop.dev records each session with timestamps, the identity claim extracted from the OIDC token, and the exact request and response payloads. The logs are stored outside the agent process, ensuring that even if the agent is compromised the evidence remains intact. Inline masking removes personal identifiers from response streams before they reach downstream consumers, so stored logs contain only masked values for regulated fields while preserving the rest of the data for troubleshooting. The just‑in‑time approval workflow forces a human reviewer to sign off on high‑risk operations, creating a signed approval record that appears alongside the session data.

For LGPD auditors, hoop.dev’s audit logs serve as the continuous evidence of data processing: they show who (the non‑human principal’s subject claim), what data was accessed, when the access occurred, and whether the access complied with the organization’s policy. Because the logs are retained and include masking decisions, the organization can demonstrate that personal data was protected in transit and at rest, satisfying the accountability and data‑minimization principles of the law.

In practice, deploying hoop.dev means the security team no longer relies on ad‑hoc log collection or manual ticketing to prove compliance. The gateway automates the capture of the exact evidence LGPD requires, while giving developers and automated pipelines the smooth, just‑in‑time access they need to move fast.

Why LGPD compliance matters for non‑human identities

Policy definition in hoop.dev is declarative. Administrators describe which commands or queries are considered high risk, which columns contain personal data, and which identities are allowed to run them. The gateway evaluates each request against this policy before it reaches the target. If the request matches a high‑risk rule, hoop.dev either blocks it outright or routes it to an approval queue. This fine‑grained control means that even a service account with broad database credentials cannot exfiltrate personal data without triggering the policy.

Mapping hoop.dev’s audit data to LGPD’s Art. 18 right of access and Art. 20 data‑protection impact assessments is straightforward. The timestamped session records can be exported in CSV or JSON, filtered by subject claim, and presented to regulators to demonstrate that every data‑processing event was authorized and logged. Because the masking rules guarantee that only the minimal necessary data appears in the export, the organization also respects the data‑minimization principle.

Because hoop.dev relies on standard OIDC or SAML flows, it can integrate with any existing identity provider, such as Okta, Azure AD, or Google Workspace. The IdP supplies the JWT that includes the service account’s subject and group claims. hoop.dev validates the token, extracts the subject claim, and uses it as the immutable identifier for every logged session. This decouples authentication from enforcement, allowing organizations to keep their existing identity investments while adding a dedicated data‑path control plane.

The audit logs generated by hoop.dev can be forwarded to any SIEM or log‑aggregation service, ensuring long‑term retention required by LGPD. By centralizing the logs, the organization avoids the fragmentation that typically occurs when each service writes its own audit trail. This unified view simplifies incident response and demonstrates to auditors that the company has a single source of truth for all data‑processing activities performed by non‑human identities.

Future releases of hoop.dev plan to add automated data‑subject‑request handling, where a regulator‑initiated request can trigger the gateway to extract only the records belonging to a specific individual, respecting the masking configuration. This capability will further reduce manual effort and ensure that LGPD’s right‑to‑access obligations are met directly from the access control layer.

In summary, by placing hoop.dev in the data path, organizations turn every automated interaction into a verifiable, policy‑enforced event, giving them the continuous evidence LGPD demands without disrupting development velocity.

FAQ

How does hoop.dev ensure that the recorded logs cannot be tampered with?

hoop.dev stores session data outside the agent process and writes it to a storage location configured by the administrator. Because the gateway is the sole point that creates the log entry, any attempt to alter the record would have to compromise the gateway itself, which is protected by its own authentication and runtime isolation.

Can hoop.dev mask only specific fields for LGPD?

Yes. Administrators define masking rules per connector, specifying which columns or response attributes contain personal data. hoop.dev applies those rules in real time, ensuring that the raw values never leave the gateway and that the stored audit record contains only masked placeholders for the regulated fields.

Does hoop.dev replace existing IAM policies?

No. Identity federation and role‑based permissions decide whether a non‑human principal may start a session. hoop.dev sits in the data path and adds enforcement outcomes, recording, masking, approval, on top of those existing policies, providing the evidence LGPD requires.

For a practical walkthrough, see the getting started guide. Detailed feature information is available in the feature documentation.

Explore the open‑source code on GitHub.