The Data Sovereignty Paradox
Getting DLP without giving up data control
- Cloud-based DLP can undermine data sovereignty by forcing sensitive content to leave your infrastructure for scanning, creating compliance and trust gaps.
- Symantec DDS keeps raw data in-tenant by scanning locally while policies and incident management stay centralized.
- This shifts DLP from cloud-only assumptions to distributed reality, making sovereignty part of architecture rather than a compliance workaround.
Your organization made a commitment: Customer data stays in your infrastructure. No exceptions.
That commitment isn’t theoretical. It’s written into customer contracts. It shows up in audits. And it shapes internal governance policies. The rule is clear, yet your Data Loss Prevention (DLP) solution sends every file to an external cloud for scanning. Even if that cloud is in the same region, data still leaves your control.
This is the data sovereignty paradox. Organizations commit to keeping sensitive data within specific boundaries, but traditional cloud-based DLP solutions undermine those commitments by forcing data to move outside of internal infrastructure.
For years, security teams with strict in-tenant requirements had no good options. Even cloud-delivered DLP meant data leaving their control.
Today, that changes.
A new approach to enterprise DLP
As of February 2026, Symantec has launched Distributed Detection Service (DDS)—a fundamentally different approach to enterprise DLP.
DDS deploys scanning engines directly in your infrastructure, where data is processed locally and only metadata and incident reports flow to centralized management. This architectural shift unlocks use cases that cloud DLP struggles to support, including real-time API scanning without a cloud round-trip on every call, AI safety guardrails, and compliance-by-design for high-scale machine learning (ML) pipelines.
Distributed infrastructure is now the norm. By FY27, Gartner predicts 90% of organizations will have adopted a hybrid cloud approach. As business-critical data spans cloud and on-premise environments, DLP needs to align to that reality.
Here’s what distributed detection changes—and what it makes possible.
The Sovereignty Challenge: When cloud DLP conflicts with data control requirements
Data control requirements rarely come from a single source. While regulations like GDPR, LGPD, and India's DPDP Act establish geographic residency baselines, many organizations face stricter constraints:
- Customer contracts that mandate data remain within the customer's own infrastructure—not just within a region
- Financial regulators that expect institutions to maintain direct control over sensitive data processing
- Internal governance policies driven by risk management and security posture
- Industry standards in sectors like banking, healthcare, and government that surpass regulatory minimums
For these organizations, regional cloud deployment isn't enough. The requirement is in-tenant processing—data must stay within infrastructure they directly control. When this requirement isn't met, organizations face consequences ranging from customer trust erosion to contract violations and operational disruption.
Consider a FinServ organization contractually obligated to retain customer data within its own cloud tenant—not just within a geographic region, but within infrastructure it directly controls. Cloud DLP solutions, even with regional edge locations, still require data to leave the customer's environment for scanning. For institutions subject to strict regulatory scrutiny or contractual mandates for in-tenant data processing, this creates a compliance gap that regional deployment alone cannot solve.
Organizations need a DLP solution that respects data sovereignty without sacrificing centralized management.
Until now, that option didn't exist.
How Distributed Detection Service (DDS) changes the game
DDS is a cloud-native DLP scanning engine deployed in your infrastructure—on-premises, in your private cloud, or within your cloud region. Built on a containerized architecture, DDS deploys flexibly to match your workload demands.
Scanning happens locally, invoked through DLP REST APIs, for both data-at-rest and data-in-motion. Raw content does not leave the tenant for inspection; only metadata and incident reports flow to centralized management via Symantec CloudSOC or Enforce.
This architectural approach, commonly referred to as in-tenant scanning, means data is scanned within your own cloud tenant or data center without sending the raw data to Broadcom's cloud for processing.
Note: While raw data is scanned locally, incident reports (including the content that triggered a policy violation) are transmitted to the centralized management console for review and response. Security teams need that content to investigate and act on incidents. For an organization whose contracts promise in-tenant processing, this is the one flow to document explicitly: the scanned file itself stays put, but the violating content carried in the incident report does leave the tenant, and data-flow diagrams and contract reviews should say so.
Local data scanning
Files are scanned on DDS nodes in your environment. Only findings, violations, and metadata are reported to your central management console.
Think of it as running your metal detector at your entrance rather than routing everyone to an external screening facility.
Centralized policy management
Local scanning doesn't mean fragmented governance. You maintain centralized policy management through Symantec DLP, with consistent incident reporting across deployment locations and a unified view across your organization. Whether DDS nodes run in your data center, AWS, GCP, or Azure, incidents flow to the same management console.
Flexible deployment
DDS is platform agnostic. Deploy where your data lives:
- On-premises data centers
- Google Cloud Platform (Compute Engine)
- Amazon Web Services (EC2)
- Microsoft Azure (VMs)
- Future: Kubernetes support
This flexibility supports hybrid and multi-cloud architectures. You're not locked into a single deployment model.
Cloud-native architecture
DDS uses a containerized deployment model designed for modern infrastructure. Multiple DDS nodes can be deployed and load-balanced across your environment. Horizontal scaling means performance can grow with your workloads.
Local processing eliminates the network round-trip latency inherent in cloud-based scanning—critical for real-time API use cases where every millisecond matters.
Cost efficiency
Because scanning happens within your tenant:
- No egress costs for IaaS workloads—data doesn't leave your cloud environment for scanning
- Lower scanning latency due to proximity to data sources
- Reduced operational complexity compared to routing data to external services
The comparison below shows how DDS differs from Cloud Detection Service (CDS), Symantec's traditional cloud-based DLP scanning engine:
[Comparison table: DDS vs. CDS, not reproduced in this text]
New Use Cases: AI safety, real-time APIs, and data control at scale
DDS isn't just about sovereignty—it enables architectural patterns that cloud DLP can’t support.
AI safety guardrails
GenAI adoption is accelerating, but organizations often underestimate data leakage risks. Users paste PII and credentials into chatbot prompts. Models surface sensitive information in responses, whether regurgitated from training data or fabricated. These aren't fringe cases; they're happening in production systems right now.
DDS offers a solution: Scan AI/LLM interactions at the application boundary:
- Scan user prompts before they reach the model (preventing data exfiltration into model training).
- Scan model responses before they return to users (preventing hallucinated PII from being disclosed).
The key advantage is latency. With DDS deployed close to the application, scanning adds minimal overhead per request. Routing every prompt and response to an external cloud adds a network round-trip that real-time applications often can't absorb.
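The boundary check described above, written out as an added example in Python. This is not Symantec or Broadcom code, and the DDS REST request and response format is not shown on this page, so a constructed regex scanner (LocalRegexScanner) stands in for the in-tenant DDS node behind a hypothetical scan(text, timeout_s) method; the policy names, patterns, the fake model and the DownScanner used to exercise the unavailable-node path are all constructed. The same request/response check applies to an API gateway filter. Two things the paragraph does not spell out are made explicit: what happens when the scan node does not answer inside the latency budget (fail closed, so unscanned content is never released), and what the incident record that goes to central management contains versus what stays on the node.

```python
"""Added example (not Symantec/Broadcom code): scan-at-the-boundary guardrail for an LLM app.
The DDS REST request/response format is not shown on the page, so LocalRegexScanner is a
constructed stand-in for an in-tenant DDS node; a client for the real endpoint would expose the
same scan(text, timeout_s) method. Policy names, patterns and the fake model are constructed."""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Verdict:
    allowed: bool
    findings: list[tuple[str, str]] = field(default_factory=list)  # (policy name, matched text)


class ScannerUnavailable(Exception):
    """The scan node did not answer within the latency budget (timeout, outage)."""


class BlockedError(Exception):
    def __init__(self, stage: str, verdict: Verdict):
        super().__init__(f"{stage} blocked by {[p for p, _ in verdict.findings]}")
        self.stage, self.verdict = stage, verdict


class LocalRegexScanner:
    """Constructed stand-in for the in-tenant scan node; real policies come from central DLP."""
    POLICIES = {
        "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
        "US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    }

    def scan(self, text: str, timeout_s: float) -> Verdict:
        hits = [(name, m.group(0)) for name, rx in self.POLICIES.items() for m in rx.finditer(text)]
        return Verdict(allowed=not hits, findings=hits)


class DownScanner:
    """Constructed: a scan node that never answers, to exercise the fail-closed path."""
    def scan(self, text: str, timeout_s: float) -> Verdict:
        raise ScannerUnavailable()


@dataclass
class Incident:
    """What is forwarded to central management: stage, policy names, the matched snippets and a
    hash of the scanned text. The full prompt or response itself stays on the node."""
    stage: str
    policies: list[str]
    snippets: list[str]
    content_sha256: str


class Guardrail:
    def __init__(self, scanner, model, timeout_s: float = 0.05, fail_closed: bool = True):
        self.scanner, self.model = scanner, model
        self.timeout_s, self.fail_closed = timeout_s, fail_closed
        self.incidents: list[Incident] = []  # stand-in for reports sent to CloudSOC/Enforce

    def _check(self, stage: str, text: str) -> None:
        try:
            verdict = self.scanner.scan(text, self.timeout_s)
        except ScannerUnavailable:
            if self.fail_closed:
                raise BlockedError(stage, Verdict(allowed=False))  # unscanned content is not released
            return  # fail-open: only where availability outranks leakage risk
        if not verdict.allowed:
            self.incidents.append(Incident(stage, [p for p, _ in verdict.findings],
                                           [s for _, s in verdict.findings],
                                           hashlib.sha256(text.encode()).hexdigest()))
            raise BlockedError(stage, verdict)

    def complete(self, prompt: str) -> str:
        self._check("prompt", prompt)      # before the prompt reaches the model
        response = self.model(prompt)
        self._check("response", response)  # before the response reaches the user
        return response


def fake_model(prompt: str) -> str:
    """Constructed model: leaks a fake SSN for one question, echoes everything else."""
    if "account owner" in prompt:
        return "The account owner is J. Doe, SSN 123-45-6789."
    return "Echo: " + prompt


def demo() -> dict:
    g = Guardrail(LocalRegexScanner(), fake_model)
    out = {"clean": g.complete("Summarize our Q3 roadmap")}
    for key, prompt in (("prompt_blocked", "Use AKIAIOSFODNN7EXAMPLE to list buckets"),
                        ("response_blocked", "Who is the account owner?")):
        try:
            g.complete(prompt)
        except BlockedError as e:
            out[key] = e.stage
    out["incidents"] = [(i.stage, i.policies, i.snippets) for i in g.incidents]
    try:
        Guardrail(DownScanner(), fake_model).complete("anything")
        out["fail_closed"] = False
    except BlockedError:
        out["fail_closed"] = True
    return out
```

Running demo() shows the three outcomes: a clean prompt passes both checks, a prompt carrying an access key is stopped before the model sees it, and a response carrying an SSN is stopped before the user sees it, each producing one incident record. The timeout_s value is the latency budget the paragraph is about; with the scan node in-tenant it can be set in the tens of milliseconds, and when the budget is blown the default is to block rather than to let unscanned content through.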
Real-time API security at scale
Cloud DLP adds a round-trip to an external service on every request, which APIs designed for immediate responses can't tolerate. DDS deployed near API gateways addresses this with:
- Low-latency scanning of requests and responses
- Real-time blocking of sensitive data exfiltration without a performance penalty
- Integration with existing API infrastructure
Data privacy for ML training
ML training datasets often contain PII, credentials, or sensitive information. This conflicts with data minimization requirements under regulations like GDPR.
DDS integrates into data pipelines (Apache Airflow, Kubernetes orchestrators, cloud schedulers) with:
- Automated detection of PII and credentials in training data before it reaches the model
- Audit trails that prove sensitive data was identified, providing compliance evidence for data minimization requirements
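A pipeline-stage scan of that kind, as an added example in Python rather than Symantec or Broadcom code. The DDS REST API is not documented on this page, so find_sensitive is a constructed regex detector standing in for a scan call to an in-tenant node; the sample records, policy names and node id are constructed as well. The point of the example is the evidence side of the list above: every record gets an audit entry holding its id, a hash of the original text, the scanning node, the policies hit and the action taken, the trail is digested so it can be sealed into the dataset manifest, and only redacted text goes on to training.

```python
"""Added example (not Symantec/Broadcom code): scanning a training dataset in the pipeline and
producing audit evidence. The DDS REST API is not documented on the page, so find_sensitive is a
constructed regex detector standing in for a scan call to an in-tenant node. The records, policy
names and node id are constructed."""
import hashlib
import json
import re

# Illustrative detectors only; real policies are managed centrally in Symantec DLP.
DETECTORS = {
    "Email address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "AWS Access Key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def find_sensitive(text: str) -> list[str]:
    """Names of every policy that matches the text (the scan itself runs on the in-tenant node)."""
    return [name for name, rx in DETECTORS.items() if rx.search(text)]


def redact(text: str) -> str:
    """Replace each match with its policy label so the record can still be used for training."""
    for name, rx in DETECTORS.items():
        text = rx.sub(f"[{name}]", text)
    return text


def scan_dataset(records: list[dict], node_id: str) -> tuple[list[dict], list[dict]]:
    """Scan every record before it reaches training.

    Returns (training_ready_records, audit_trail). Raw text stays on this node; each audit entry
    carries the record id, a hash of the original text, the scanning node, the policies hit and
    the action taken, which is the evidence a data-minimization review asks for.
    """
    ready, audit = [], []
    for rec in records:
        policies = find_sensitive(rec["text"])
        audit.append({
            "record_id": rec["id"],
            "sha256": hashlib.sha256(rec["text"].encode()).hexdigest(),
            "scanner_node": node_id,
            "policies": policies,
            "action": "redact" if policies else "pass",
        })
        ready.append({"id": rec["id"], "text": redact(rec["text"]) if policies else rec["text"]})
    return ready, audit


def audit_digest(audit: list[dict]) -> str:
    """SHA-256 over the canonical JSON of the audit trail; store it in the dataset manifest so a
    later review can show the trail was not altered after the scan."""
    canonical = json.dumps(audit, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


# Constructed sample records standing in for rows pulled by an Airflow task.
SAMPLE_RECORDS = [
    {"id": "r1", "text": "Customer asked about shipping times for bulk orders."},
    {"id": "r2", "text": "Contact jane.doe@example.com, SSN 123-45-6789 for verification."},
    {"id": "r3", "text": "Deploy with AKIAIOSFODNN7EXAMPLE then rotate."},
]


def demo() -> tuple[list[dict], list[dict], str]:
    ready, audit = scan_dataset(SAMPLE_RECORDS, node_id="dds-node-euw1-01")
    return ready, audit, audit_digest(audit)
```

In a real pipeline the audit trail and its digest are what get written next to the dataset manifest, while the original rows never leave the node that scanned them; the hash in each entry lets an auditor tie a finding back to a specific source record without the record itself having to travel.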
East-west traffic monitoring
Organizations need visibility into internal traffic flows—not just north-south perimeter traffic. DDS can inspect:
- Traffic between microservices within your cluster
- Data flowing through internal load balancers (e.g., Google Cloud Load Balancing)
- API calls between third-party applications in your environment
This closes visibility gaps that perimeter-focused DLP solutions miss.
High-scale data discovery
Organizations have massive cloud storage footprints—S3 buckets, GCS buckets, Azure Blob storage filled with sensitive data. Traditional cloud DLP discovery scans introduce latency and operational complexity. Many organizations skip discovery at scale because it’s disruptive.
DDS deployed locally within your cloud VPCs changes that.
- Discover sensitive data in legacy buckets and archive with local scanning.
- Enforce data governance policies at scale.
- No data egress required for discovery operations.
Why this matters: the future of enterprise DLP
For over a decade the cloud-first mindset has dominated enterprise security, and traditional cloud DLP forced a trade-off between security visibility and data sovereignty. DDS shrinks that trade-off considerably: data is inspected locally, policies stay centralized, and scanning capacity scales with demand. Data sovereignty stops being a regulatory afterthought and becomes a property of the architecture.
For organizations with strict data control requirements, real-time performance demands, or high-scale scanning workloads, this opens a new capability category, one Symantec is committed to expanding. February 2026 marks an important milestone in making data-sovereign DLP broadly accessible.
Getting started with DDS
DDS provides the infrastructure. The strategy is yours. As of February 2026, organizations can deploy Symantec DDS for immediate use cases:
- AI safety guardrails: Protect LLM applications from inadvertent PII disclosure in prompts and responses.
- Real-time API security: Deploy DDS at API gateways for low-latency scanning without performance impact.
- ML training data privacy: Integrate DDS into data pipelines for automated PII detection before model training.
- In-tenant compliance: Meet data residency requirements by scanning within your own cloud infrastructure.
Visit the Symantec DDS documentation for deployment guides and API references, or contact your account team to discuss your data sovereignty requirements.