CloudCondom / Phantom
EU data sovereignty on US cloud infrastructure
“Responsible consumption of US cloud resources”
The Problem
Every EU company on US cloud infrastructure faces an unresolved legal conflict: the CLOUD Act compels US providers to disclose data regardless of where it’s stored, while GDPR prohibits exactly that. Schrems III is expected to invalidate the current EU-US Data Privacy Framework — again.
EU sovereign clouds aren’t ready. Migration costs millions and takes years. Enterprises need a solution today, on the infrastructure they already use.
The Solution
Phantom is a Kubernetes operator that ensures secrets never enter the cloud provider’s infrastructure. A mutating webhook injects a sidecar that fetches secrets from an EU-hosted vault directly into process memory. The provider has nothing to hand over.
One Helm install. Zero code changes. Cryptographic proof of sovereignty.
No migration needed. No application rewrites. Just deploy a Helm chart and your secrets bypass Kubernetes entirely.
Why Not HYOK / Cloud EKM?
Cloud providers offer “Hold Your Own Key” but it doesn’t solve the problem: keys enter provider RAM during use, the provider controls compute, and K8s Secrets are plaintext on read. Phantom ensures secrets never enter provider infrastructure at all.
What Phantom Protects (and What It Doesn’t)
Phantom is a credential sovereignty tool. It’s precise about what it protects.
Protected by Phantom
- Database passwords, API keys, TLS certs — never in etcd
- K8s-deployed databases (PostgreSQL, MongoDB, MySQL, CockroachDB) — credentials + TLS certs + LUKS encryption keys from OpenBao. All SQL queries work. Cloud sees only ciphertext.
- Data in S3/GCS — app encrypts with Phantom-delivered key, cloud stores ciphertext it can’t read
- Encryption keys for client-side crypto
Not Protectable (by design)
- Managed DBs (RDS, Cloud SQL) — cloud runs the DB engine, must read data to query it. Use K8s-deployed DBs instead.
- S3/GCS without client-side encryption — provider can read it
- Process memory without TEE — use Phantom Hardened for hardware guarantee
Run your database in Kubernetes with Phantom-delivered keys — full SQL, full sovereignty. See the FAQ for detailed protection matrices per database.
Market Opportunity
Why Now
- DORA enforced Jan 2025 — EU financial sector must demonstrate ICT risk management
- NIS2 broadens cybersecurity to 18 sectors
- Schrems III expected — DPF governance already undermined (PCLOB quorum removed)
- AWS EU Sovereign Cloud launched Jan 2026 — validates market, doesn’t solve jurisdiction
- Denmark ditching Microsoft for sovereignty reasons
Competitive Positioning
No existing product combines: K8s-native + secrets never in etcd + no code changes + hardware attestation + EU sovereignty focus.
| Capability | CloudCondom | Thales | Fortanix | Anjuna | ESO |
|---|---|---|---|---|---|
| K8s-native | Yes | No | No | Partial | Yes |
| Secrets never in etcd | Yes | N/A | N/A | N/A | No |
| No code changes | Yes | No | No | Partial | Yes |
| Hardware attestation | Yes | No | Yes | Yes | No |
| EU sovereignty focus | Primary | Secondary | No | No | No |
Target Customers
EU enterprises (500–10,000 employees) on managed Kubernetes with regulated workloads.
| Industry | Pain | WTP | Priority |
|---|---|---|---|
| Financial services | Very High | Very High | 1 |
| Healthcare / pharma | High | High | 2 |
| Government | Very High | Medium | 3 |
| SaaS (EU customers) | High | Medium-High | 4 |
Business Model
Open-Core
Webhook + sidecar: open-source. Managed EU-hosted OpenBao, SaaS dashboard, compliance reporting: paid.
Pricing
$50–150/node/month. Standard (any instance) and Hardened (TEE required, premium).
B2C Funnel
Open-source consumer deployment (OpenClaw-style) creates adoption funnel: developers who use Phantom personally become advocates inside enterprises.
Revenue Timeline
MVP: webhook + sidecar + OpenBao integration + circuit breaker + caching
AMD SEV-SNP attestation on GKE — ready for design partners
Helm chart, docs, first design partner deployments
First paying customer
$1M ARR
$5M ARR