Coming Soon – .NET 8, 9 & 10

PII Data Protection GDPR Compliance
for .NET

Field-level encryption, HMAC blind indexes, and GDPR-compliant crypto-shredding. Declare which fields are personal data. Tayra handles the rest.

Request Early Access See the Code

Why Field-Level Encryption?

Full-disk encryption protects data at rest. TLS protects data in transit. But neither protects individual PII fields inside your database, event store, or message bus.

🛡

GDPR Article 17

The right to erasure requires you to delete personal data on request. In event-sourced systems, you can't delete events, but you can shred the encryption key.

🔒

Defense in Depth

A database breach exposes everything. Field-level encryption means PII stays encrypted even if your database is compromised.

Event Sourcing Ready

Events are immutable. You can't modify or delete them. Crypto-shredding lets you comply with GDPR while preserving your event history.

Declare. Encrypt. Query.

Annotate your model. Tayra encrypts, indexes, and shreds automatically.

Program.cs 
services.AddTayra(opts =>
{
    opts.LicenseKey = "...";
    opts.Entity<Customer>(e =>
    {
        e.BlindIndex(c => c.Email)
            .WithTransforms("lowercase", "trim");
    });
}).UsePostgreSqlKeyStore(connectionString);
Customer.cs 
public class Customer
{
    [DataSubjectId]
    public Guid Id { get; set; }

    [PersonalData]
    public string Name { get; set; }

    [PersonalData(Replacement = "redacted@example.com"),
     BlindIndex(Transforms = ["lowercase", "trim"])]
    public string Email { get; set; }

    // HMAC hash — auto-populated
    public string? EmailIndex { get; set; }
}
Usage 
// Encrypt + compute blind indexes in one call
await fieldEncrypter.EncryptAsync(customer);

// Query encrypted data by blind index
var hash = await blindIndexer.ComputeHashAsync(
    "alice@example.com", "EmailIndex",
    typeof(Customer));
var match = await db.Customers
    .Where(c => c.EmailIndex == hash).FirstAsync();

// GDPR erasure — delete the key, data is gone forever
await cryptoEngine.DeleteKeyAsync($"cust-{customer.Id}");
// Name → "", Email → "redacted@example.com"

How It Works

Four operations. One key per data subject. Full GDPR compliance.

1

Encrypt

Tayra scans your model for [PersonalData] attributes, generates a key per data subject, and encrypts each field with AES-256-GCM.

Name: "Alice" "AQz8x..."
Email: "a@b.com" "AQf3k..."
2

Query

Search encrypted fields using HMAC blind indexes. Same transforms applied to the search value produce the same hash.

Search: "alice@example.com"
HMAC: "a3f8c1..."
WHERE EmailIndex = "a3f8c1..."
3

Decrypt

Fetch the key, decrypt every field, and return the original values. Transparent to your application code.

Name: "AQz8x..." "Alice"
Email: "AQf3k..." "a@b.com"
4

Shred

GDPR erasure request? Delete the key. The data becomes permanently unreadable. Replacement values are returned instead.

Name: "AQz8x..." ""
Email: "AQf3k..." "redacted"

Everything You Need for PII Protection

Field-level encryption, searchable blind indexes, GDPR compliance, key management, and framework integrations. All in one library.

AES-256-GCM

Encryption Engine

Authenticated encryption with integrity guarantees and a versioned wire format.

  • AES-256-GCM with unique nonce per field
  • Automatic integrity verification on every decrypt
  • One encryption key per data subject
  • In-memory key caching for high throughput
  • Hardware-accelerated on modern CPUs
GDPR

GDPR Compliance

Built-in support for the GDPR articles that matter most for data protection.

  • Crypto-shredding (Art. 17) erase by deleting keys
  • Key rotation re-encrypt without downtime
  • PII Data Map Art. 30 processing records
  • Compliance Reports Art. 15, 30, 33/34
  • Breach notification (Art. 33/34) assessment
  • Partial redaction KeepPrefix, MaskEmail
[PersonalData]

Declarative Attributes

Annotate your models. Tayra discovers and encrypts PII fields automatically.

  • [PersonalData] mark fields for encryption
  • [DataSubjectId] identify data owners
  • [DeepPersonalData] encrypt nested objects
  • [SerializedPersonalData] non-string types
IKeyStore

Key Store Providers

Store encryption keys where your security policy requires. Bring your own with a simple interface.

  • PostgreSQL auto-migration, retry logic
  • HashiCorp Vault KV v2 with token auth
  • Azure Key Vault DefaultAzureCredential
  • AWS Parameter Store SecureString
  • In-Memory for dev and testing
[BlindIndex]

Blind Indexes

HMAC-based blind indexes let you query encrypted fields without exposing plaintext.

  • HMAC-SHA256 one-way hashes for queries
  • Transforms: lowercase, trim, digits, last4
  • Compound indexes across multiple fields
  • Separate HMAC keys from encryption keys
  • Configurable bit-length truncation
10 Integrations

Framework Integrations

Deep integrations across the entire .NET stack. Annotate once, protect everywhere.

  • EF Core · Marten · MongoDB data stores
  • MassTransit · Wolverine · NServiceBus messaging
  • MediatR CQRS pipeline encryption
  • Serilog · System.Text.Json · ASP.NET Core
dotnet tayra

CLI & Compliance Tooling

Operational commands and compliance artifacts that make Tayra a platform, not just a library.

  • PII Data Map Art. 30 processing records
  • Compliance Reports Art. 15, 30, 33/34 HTML
  • CLI Tool inventory, verify, rotate, shred
  • CI/CD gate dotnet tayra verify
OpenTelemetry + Roslyn

Observability & Quality

Production monitoring, compile-time validation, and audit trail across the full lifecycle.

  • 13 OTel metrics encrypt, decrypt, key ops
  • Grafana dashboards 20 panels + 9 Prometheus alerts
  • 6 Roslyn analyzers catch errors at compile time
  • Audit trail every encrypt, decrypt, shred logged
  • IHealthCheck key store connectivity

Layered Architecture

Use Tayra.Core standalone or with deep framework integrations.

Your Application
Framework Integrations
Tayra.EFCore
Interceptors
Tayra.Marten
Documents & Events
Tayra.MongoDB
Collection Wrapper
Tayra.MassTransit
Message Bus
Tayra.Wolverine
Message Pipeline
Tayra.NServiceBus
Pipeline Behaviors
Tayra.MediatR
CQRS Pipeline
Tayra.Serilog
Log Scrubbing
Tayra.Json
Serialization
Tayra.AspNetCore
Response Scrubbing
Compliance & Tooling
PII Data Map
Art. 30 Inventory
Compliance Reports
Art. 15, 30, 33/34
dotnet tayra CLI
Ops & CI/CD
Grafana Dashboards
Monitoring & Alerts
Tayra.Core
Attributes – AES-256-GCM – HMAC Blind Indexes – Fluent API – Roslyn Analyzers
Zero Dependencies net8.0 + net9.0 + net10.0 Standalone
Key Stores
PostgreSQL
HashiCorp Vault
Azure Key Vault
AWS Parameter Store
InMemory

Pricing

Essentials

Protect your data — encryption, shredding, and all integrations

Single Product Line
USD 1,500 /year

One cohesive product, its services and deployment

  • AES-256-GCM field-level encryption
  • Crypto-shredding (GDPR erasure)
  • Blind indexes for encrypted search
  • All key stores & integrations
  • Key rotation & multi-tenancy
  • OpenTelemetry & health checks
  • Unlimited developers & servers
  • 12 months software updates
  • Email support
Multiple Product Lines
USD 5,000 /year

Multiple products, services, and deployments across the organization

  • Everything in Single Essentials
  • Unlimited product lines under one license
  • 12 months software updates
  • Priority email support with next business day response

Compliance

Prove you're protecting your data — audit, inventory, and regulatory reporting

Single Product Line
USD 2,500 /year

One cohesive product, its services and deployment

  • Everything in Essentials
  • PII inventory & field discovery
  • Compliance reports (Art. 30)
  • Audit trail
  • Breach notification (Art. 33/34)
  • Data subject access & portability
  • Roslyn analyzers (6 rules)
  • Grafana dashboards
  • Email support
Multiple Product Lines
USD 8,000 /year

Multiple products, services, and deployments across the organization

  • Everything in Single Compliance
  • Unlimited product lines under one license
  • 12 months software updates
  • Priority email support with next business day response
  • Essentials features are free in development — no license key needed.
  • Compliance features require a license key in all environments. Contact us for a trial key.
  • Renewal extends software updates for an additional 12 months.
  • Perpetual license — your version works forever, even if you don't renew.

Tip: Running 1–3 product lines? Individual Single Product Line licenses are the best value. For 4 or more, the Multiple Product Lines license saves you more.

Built by the People Behind the Stack

Babu Annamalai

Founder, Radarleaf Technologies

JasperFx Critter Stack Co-Maintainer ReverseMarkdown Maintainer

Tayra is built and maintained by a maintainer of the JasperFx Critter Stack. Deep knowledge of Marten, Wolverine, Weasel, and the .NET ecosystem ensures first-class integration and long-term support.

What's in the Name?

The tayra is a tropical mustelid — agile, sharp, and fiercely protective. It fits right into the JasperFx Critter Stack family alongside Marten, Wolverine, and Weasel.

Just as the tayra guards its territory, this library guards your users' personal data.

Get Early Access

Be the first to know when Tayra launches. Early access members get priority onboarding.