eXate: enterprise-wide rules for data security

eXate is a UK-based data privacy and security company that helps organisations protect sensitive data consistently across systems and borders, without slowing down how that data is used. Built by former HSBC executives who experienced the challenge first-hand, the platform unifies data classification, privacy, sovereignty and fine-grained access control into a single, policy-driven layer. Now, eXate has joined the Bramble Hub partner network in order to access government procurement frameworks and extend its reach into the public sector.

From financial services to the public sector

eXate was founded in 2015 by Sonal Rattan and Peter Lancos, who had previously held senior technology and digital roles at HSBC. Working inside large, highly regulated institutions, they saw that most tools focused on a single slice of the problem – such as encryption, masking or access control – but did not provide an end-to-end way to manage how data is classified, protected and accessed across complex ecosystems. That experience led them to design a platform that centrally defines data policies and then enforces them wherever data is stored or moves, bringing together controls for data in motion, data at rest and cross-border distribution. The timing aligned with rapid growth in data volumes and tightening regulations globally, meaning banks, insurers and other regulated organisations needed to unlock data value without losing control of privacy, sovereignty or compliance obligations.

After its original focus on financial services, the company has diversified across multiple sectors, including the public sector. Its UK base provides a hub for global delivery, with the technology designed to be deployed wherever customers operate, without geographic restrictions on where the platform can run.

How eXate works

At its core, eXate is a distributed software platform that sits at the intersection of data classification, data privacy, data sovereignty and attribute-based access control (ABAC). Rather than bolting privacy controls onto individual applications, it embeds centralised policies at common data ingestion and distribution points – APIs, data pipelines, databases and analytic platforms – so the same rules apply consistently across the organisation.

eXate offers a hybrid deployment model combining SaaS and on-premises options, which is critical for regulated industries that must tightly control where data and keys reside. Central policy management ensures that internal policies, regulatory requirements and third-party constraints are captured once and distributed across services, while audit and reporting components track how those policies are applied in practice.

Product set: from APIs to databases

eXate’s product family protects data in motion and data at rest. APIgator secures data as it moves through APIs and streaming platforms, intercepting requests and responses to classify fields and apply privacy controls in real time. It enforces least-privilege access at attribute level, so different consumers of the same API only see the data they are entitled to access, with every interaction fully logged for audit. It can be deployed as an interceptor or sidecar, allowing existing applications to be enabled without heavy code changes.

For data at rest, Datagator applies the same granular protection to databases and data platforms, de-identifying or re-identifying data in real time as it is read or written. GatorSet extends this to large-scale environments, performing bulk transformations across large datasets using engines such as Apache Spark.

Where data crosses borders, gatorXB ensures the same policies are enforced consistently across jurisdictions, automatically tokenising, masking or retaining sensitive fields in line with local regulatory requirements. AggreGator provides centralised audit across all components, delivering clear visibility into who accessed what data, when and how.

At design time, GatorAId brings agent-driven intelligence to discovery and classification. It uses multiple AI agents to scan structured, semi-structured and unstructured data, automatically identifying sensitive attributes and mapping them to business terms. With a human-in-the-loop workflow to refine results, it produces high-quality manifests that drive downstream protection policies. Together, this creates a closed loop of discovery, protection and audit, enabling granular control at scale without forcing development teams to rebuild privacy logic themselves.

eXate in action

The impact of this approach is best illustrated through customer use cases. In one large institution, teams struggled to perform realistic end-to-end testing because they could not safely use production data in test environments, and inconsistent masking across different systems made multi-chain tests unreliable. By introducing eXate to apply uniform static and dynamic masking and pseudonymisation across more than 100 applications, the client was able to run multi-system tests on protected but coherent datasets, reducing data protection process time from around a week to minutes per application and saving an estimated 650 days of effort per year while closing high-risk audit points.

Another set of use cases focuses on data sovereignty, residency and localisation, where organisations operate across multiple jurisdictions but must ensure that certain data (or the encryption keys protecting it) never leaves a specific country. eXate distribution tooling automates the enforcement of jurisdictional rules so workloads only run in permitted regions and keys remain in-country (for example, keeping customer keys in Switzerland while still participating in a global architecture), lowering the barrier to entering markets with strict localisation laws. This “operate globally, comply locally” model is increasingly attractive as more regulators introduce sovereignty requirements that would otherwise force firms to maintain fragmented, bespoke solutions.

eXate is also used to protect data in SaaS banking and fintech platforms, by inserting a protection layer between bank-owned infrastructure and third-party systems. In this pattern, sensitive customer details are tokenised or encrypted before they leave the bank, meaning the SaaS provider only ever stores protected values, while authorised bank staff can see clear data on retrieval and any third-party integrations receive only de-identified information. Requests to reverse protection are handled by the bank and governed centrally through eXate policies, giving institutions a way to adopt modern SaaS solutions without surrendering control of raw customer data. Combined with a multi-channel go-to-market model – direct sales, OEM partnerships, referrals and consultancy alliances – this breadth of use cases positions eXate as a flexible privacy and security solution for organisations that need to share data with confidence. To contact eXate, see their partner page,