Data Privacy and Protection Foundation carries the Voltage SecureData lineage, with format-preserving encryption (FPE), tokenization, and key management deep enough to handle regulated payment, healthcare, and financial workloads where data has to stay analytically usable while protected.
A Merito engagement maps the regulated data flows, designs the key-management infrastructure, and stands up Voltage SecureData tokenization and format-preserving encryption against the customer's actual application and analytics workloads, with FPE-versus-tokenization decisions made per data class rather than blanket.
What it is
Data Privacy and Protection Foundation is the data-protection product carrying the Voltage SecureData lineage. Voltage SecureData is what Voltage Security spent two decades building: format-preserving encryption (FPE) that keeps protected data the same shape as the original (a 16-digit credit card number stays 16 digits, an SSN stays an SSN), tokenization for non-reversible protection, and enterprise-grade key management. Voltage essentially invented FPE as a regulated-industry technique, and the depth of the implementation is one of the unique strengths of the OpenText AppSec line.
FPE matters because tokenization that changes data shape breaks downstream applications. A traditional cipher takes a 16-digit credit card number and produces 32 hex characters; the database column, the validation logic, the analytics pipeline, and the UI all break. FPE produces a 16-digit ciphertext that passes Luhn validation and fits the existing schema. Programs running regulated data (PCI, PHI, financial transactions) use FPE because it is the only way to protect data without re-architecting every consumer of the data.
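The shape-preservation property described above, as an added example that is not Voltage SecureData's algorithm or API: a toy Feistel permutation over decimal digits (not NIST FF1, not for production use) that encrypts the 15-digit body of a card number and recomputes the Luhn check digit over the ciphertext. All function names, the key, and the check-digit approach are assumptions made for illustration.

```python
import hashlib
import hmac
ROUNDS = 10  # toy round count chosen for this example

def prf(key, rnd, half, width):
    """Round function: HMAC-SHA256 over (round, other half), reduced to `width` digits."""
    mac = hmac.new(key, bytes([rnd]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % 10 ** width

def feistel(key, digits, decrypt=False):
    """Permute a decimal string with an alternating Feistel network; length never changes."""
    a, b = digits[: len(digits) // 2], digits[len(digits) // 2 :]
    if decrypt:
        for i in reversed(range(ROUNDS)):
            w = len(b)
            prev = (int(b) - prf(key, i, a, w)) % 10 ** w
            a, b = str(prev).zfill(w), a
    else:
        for i in range(ROUNDS):
            w = len(a)
            nxt = (int(a) + prf(key, i, b, w)) % 10 ** w
            a, b = b, str(nxt).zfill(w)
    return a + b

def luhn_check_digit(body):
    """Digit that makes body + digit pass the Luhn test."""
    total = 0
    for pos, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if pos % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def fits_card_column(value):
    """The contract downstream consumers enforce: 16 digits, Luhn-valid."""
    return len(value) == 16 and value.isdigit() and luhn_check_digit(value[:-1]) == value[-1]

def protect_pan(key, pan):
    """Encrypt the 15-digit body, then recompute the check digit over the ciphertext."""
    if not fits_card_column(pan):
        raise ValueError("expected a Luhn-valid 16-digit number")
    body = feistel(key, pan[:-1])
    return body + luhn_check_digit(body)

def unprotect_pan(key, token):
    body = feistel(key, token[:-1], decrypt=True)
    return body + luhn_check_digit(body)

KEY = b"constructed-demo-key"  # constructed; a real key comes from the key manager
PAN = "4111111111111111"       # widely used test card number, not a real account
```

Because the original check digit is recomputed on decryption rather than stored, this sketch only round-trips inputs that were Luhn-valid to begin with, which is why `protect_pan` rejects anything else.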
Tokenization for non-reversible protection covers the other half of the use case. Where FPE preserves analytic utility (the protected data is statistically useful for analysis), tokenization replaces sensitive values with random tokens that have no analytical relationship to the original. Programs use tokenization for data that is being protected for storage but does not need to be analyzed, and FPE for data that needs to remain analytically meaningful while being protected. The same product covers both shapes.
What derails Data Privacy and Protection Foundation adoption is operational complexity. Voltage SecureData is technically deep and operationally substantial: key management has to be done correctly, the protection-and-unprotection flow has to be wired into every consumer of the data, and the policy has to be designed against the actual regulated workflows. Programs that adopt the product without operational discipline end up with tokenization in some flows, FPE in others, and gaps where data crosses boundaries unprotected. Merito's engagement starts with regulated-data-flow mapping, key-management design, and operational integration so the protection actually covers the regulated surface.
Ideal use cases
What it is best at
Voltage essentially invented FPE as a regulated-industry technique. Two decades of operational depth in payment, healthcare, and financial-services workloads.
Programs use tokenization for non-reversible protection and FPE for analytics-preserving protection. Same product, same key management, both modes.
Mature key-management infrastructure with HSM integration, key rotation, and audit logging. Programs subject to regulated data audits get the key-handling rigor required.
Discovery output (the Voltage SecureData Discovery lineage) feeds protection policy. Programs run discovery and protection as one operational pattern.
SaaS, on-prem, and BYOC editions. Programs with regulatory constraints that rule out cloud key management run on-prem; modern programs run SaaS.
Core capabilities
What Voltage SecureData actually does on regulated data.
Format-preserving encryption (FPE)
Encryption that keeps protected data the same shape as the original. Credit card numbers stay 16 digits, SSNs stay SSN-shaped, dates stay valid dates.
Tokenization
Non-reversible replacement of sensitive values with random tokens for storage protection where analytical utility is not needed.
Stateless and stateful tokenization
Stateless tokenization for high-volume transaction protection; stateful tokenization for cases requiring vault-based token management.
Encryption at rest and in motion
Protection across data flows: at rest in databases, in motion across application and analytics pipelines, and in use within authorized applications.
Where regulated key handling lives.
Enterprise key management
Centralized key management with HSM integration, automated rotation, and lifecycle policy.
Audit logging
Every key operation logged with author, timestamp, and rationale for regulated audit trails.
Compliance-aligned key handling
Key-management practices aligned with PCI DSS, HIPAA, GDPR, and FIPS 140-2/3.
Voltage SecureData inside the application and analytics surface.
Application SDK integration
SDKs for Java, .NET, Python, and other application platforms so protect-and-unprotect calls fit into existing application code.
Database integration
Native integration with Oracle, SQL Server, PostgreSQL, and other major databases.
Analytics platform integration
Integration with Snowflake, Redshift, BigQuery, and Databricks so protected data is analytically usable downstream.
Compliance reporting
Audit-ready evidence for PCI DSS, HIPAA, GDPR, and sector-specific data-protection mandates.
Where it fits in the stack
Deployment and implementation
Licensing and packaging
Data Privacy and Protection Foundation SaaS
Cloud-hosted Voltage SecureData with cloud KMS integration.
Best for: Programs adopting cloud-native data protection without regulatory constraints requiring on-prem.
Data Privacy and Protection Foundation on-prem
Customer-hosted Voltage SecureData with internal HSM and key management.
Best for: Regulated programs with constraints requiring on-prem key handling.
Hybrid (SaaS + on-prem)
Hybrid deployment with cloud-native protection for some workloads and on-prem for regulated workloads.
Best for: Programs with mixed regulatory constraints across workloads.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Regulated-data-flow mapping, key-management design, application and analytics integration, FPE-versus-tokenization policy.
Data-protection program scoping for Voltage SecureData alongside Imperva DSF, Thales CipherTrust, and BigID.
Application and analytics integration with protect-and-unprotect flows.
Named engineer, priority SLAs, and release-time coverage for Voltage SecureData.
Long-term run support including key-management operation, FPE policy maintenance, and integration evolution.
Role-based training for data security architects, application developers, and compliance leads.
Merito-placed data security engineers and OpenText specialists embedded on long-running programs.
OpenText Data Privacy and Protection Foundation licensing
Voltage SecureData pricing arrives with regulated-data-flow mapping, key-management design, application and analytics integration, and FPE-versus-tokenization policy that turn two decades of Voltage encryption depth into real protection rather than partial coverage.
Merito point of view
Merito has worked with programs running tokenization that changed the shape of credit card numbers and broke every downstream application that consumed the data. FPE is the answer when protection has to preserve format and validation, and Voltage's two decades of FPE depth is the reason the line exists. Programs picking Data Privacy and Protection Foundation specifically pick the FPE strength.
Merito recommends Data Privacy and Protection Foundation when programs handle regulated data at scale (PCI, PHI, financial transactions), when analytics-preserving protection matters, and when the operational discipline to run enterprise key management is real. For programs needing database activity monitoring as the lead capability, Imperva is often stronger; for programs needing data discovery breadth across modern SaaS sources, BigID is often stronger. Merito surfaces those alternatives honestly.
Operational discipline is the binding constraint. Voltage SecureData is technically deep and operationally substantial. Programs that adopt the product without rigorous regulated-data-flow mapping end up with tokenization in some flows, FPE in others, and gaps where data crosses boundaries unprotected. Merito treats data-flow mapping as the central work of the implementation rather than a checkbox.
What buyers usually underestimate
Frequently Asked Questions
Consultation request
Share your regulated data classes, deployment posture, and compliance landscape. A Merito OpenText specialist follows up within one business day.
Voltage FPE depth
Voltage essentially invented FPE. Two decades of operational depth in regulated industries.
Enterprise key management
HSM integration, automated rotation, audit logging. Programs subject to PCI DSS, HIPAA, GDPR audits get the rigor required.
Next step
A Merito Data Privacy and Protection Foundation engagement starts with regulated-data-flow mapping and key-management design. Programs that adopt the product without operational discipline end up with partial protection.