Endpoint DLP · Google Workspace + Notion

Stop exfiltration at the threshold.

MoonGate evaluates copy, paste, upload, share, and export actions inline in the managed browser — and decides locally, on the endpoint, before the action completes. Not an alert after the data is gone. A gate in front of it.

  • Manifest V3 extension
  • Rust native agent
  • Ed25519-signed policy
  • Keyed HMAC fingerprints
  • Enforces offline
  • Fail-closed
The problem

The leak looks like ordinary work.

Sensitive data rarely leaves through malware. It leaves through the browser, one unremarkable action at a time.

01

The paste

A page of confidential Notion strategy, pasted into a personal AI assistant for a “quick summary.”

02

The export

A Drive export downloaded to the desktop — then uploaded to personal cloud storage an hour later.

03

The public link

An external share, guest invite, or public link created on a document that was never meant to leave.

04

The upload

A protected file dropped into an unapproved site’s file picker — renamed, archived, or scripted along the way.

Network DLP can’t see inside TLS. SaaS audit logs report the action after it has completed. The only place a leak can still be stopped is the endpoint where it happens.

The difference

A verdict, not an alert.

Legacy DLP tells you what left. MoonGate decides whether it leaves — synchronously, in the moment, on the machine.

MoonGate
t = 0User pastes, uploads, or shares
+ the same instantAction held at the capture boundary
+ millisecondsLocal verdict: allow · audit · warn · block
thenThe action proceeds — or never happens
decided inline on the endpoint · no round-trip to a cloud service
Legacy DLP & audit logs
t = 0Action completes
minutesLogs ship to the SIEM
laterAn alert fires
too lateThe data is already gone
How it decides

Three questions at the gate.

Every intercepted action is evaluated against three things at once. No single answer is trusted on its own.

01

Source

Where is it from?

A protected Google Workspace tenant or Notion workspace? Which document, which label, which classification? Provenance follows content through copies, renames, and light edits — and unresolved metadata fails closed to restricted.

02

Content

Is it protected?

Keyed HMAC-SHA-256 fingerprints — exact, partial, and rolling — plus file hashes and canaries match protected content, including lightly edited excerpts. Raw content is fingerprinted on the endpoint and never persisted or uploaded.

03

Destination

Where is it going?

A corporate tenant, an allowlisted SaaS app, a personal account, or an unknown external site? Destinations are reclassified by the agent against signed policy. A page cannot mark itself approved.

Three answers. One verdict. Before the byte moves.

ALLOW AUDIT WARN BLOCK
Enforcement

The verdict ledger.

Copy, paste, drop, upload, download, export, share, publish, print — each held at the boundary and decided. Expand a row to see how the verdict was earned.

ActionDestinationVerdict
Paste two pages of a confidential design doc personal AI chat BLOCK
source      protected Notion workspace · classification: confidential
content     rolling fingerprint match · substantial protected text
destination unknown external origin · not allowlisted
Copy a short excerpt into personal notes unapproved web app WARN
source      protected Drive document · classification: internal
content     partial match · small excerpt below block threshold
destination unapproved · warn and require justification
Create a public link on a board document public link BLOCK
source      protected Drive document · classification: restricted
content     exact document identity · managed metadata
destination public link · block or require approval per policy
Download quarterly financials from Drive local file AUDIT
source      protected Drive document · classification: internal
content     download control held · hashed where the browser exposes bytes
destination local file on a managed endpoint · audited
Upload a protected file to a vendor portal allowlisted SaaS ALLOW
source      protected file · identified at the upload boundary
content     exact SHA-256 hash match against protected content
destination allowlisted corporate service · allowed
Upload that same file to personal storage personal cloud drive BLOCK
source      protected file · a rename doesn’t change the hash
content     exact SHA-256 hash match against protected content
destination personal account · outside approved boundaries

Illustrative default-policy scenarios. Every real verdict carries its policy version, correlation ID, and match strength — so an investigation can replay exactly why the gate opened or closed. Files too large to inspect fail closed rather than bypassing evaluation. Native browser-menu print is detect-only today.

Architecture

Context above. Enforcement below.

Cloud signals inform the policy — SaaS audit and EDR ingestion land on the integration roadmap. They never gate the decision; that happens on the endpoint, synchronously, even when the network is gone.

— context, not enforcement —

Google Workspaceaudit events
Notionaudit events
EDR / MDMendpoint telemetry
Control planeEd25519-signed policy ↓
the threshold
Managed browser extension Manifest V3 · force-installed
  • Source & destination context
  • Copy · paste · drag · drop
  • Upload · download · export
  • Share & public-link controls
MoonGate endpoint agent Rust · local & synchronous
  • Verified policy cache
  • Content fingerprint cache
  • Provenance & device identity
  • Privacy-bounded event delivery

— enforcement: local, synchronous, fail-closed —

Offline?

The gate holds. Policy is verified, cached, and enforced locally. Outages are observable and intentional — never a silent open door.

Tampered?

It shows. The toolbar badge is backed by native health checks, and any managed-policy change holds protected actions until every tab acknowledges the new configuration.

Privacy by architecture

Verdicts travel. Documents never do.

Enforcement that reads everything must be trusted with nothing. Raw content is evaluated on the endpoint and stays there.

What the control plane sees

  • decision + reason code
  • action + classification
  • policy version + correlation ID
  • device + actor identifiers
  • source / destination origins + tenant IDs
  • opaque source handles
  • timing + delivery health

What it never sees

  • raw document text
  • clipboard contents
  • file bytes
  • content fingerprints
  • keystrokes
  • centralized copies of your documents

Fingerprints are keyed HMACs, computed and kept on the endpoint. Even a match is reported as a decision — not as content. There is no central corpus of your documents to breach.

Principles

Built like it means it.

Six commitments, enforced in the architecture rather than the marketing.

Prevent first

An inline decision before an upload, paste, download, export, or share proceeds — not a report after.

Preserve provenance

Protected content stays identified by tenant, metadata, labels, hashes, and privacy-preserving fingerprints.

Browser-centric by default

The managed browser is the most reliable first control point for Docs, Drive, and Notion content.

Layer, don’t replace

MoonGate integrates with your EDR, MDM, SIEM, and SaaS audit logs. It doesn’t pretend to be them.

Minimize collection

Only the content identity needed for policy evaluation is retained — local caches and keyed fingerprints, never raw copies.

Fail safely

Cached policy and explicit operational modes make outages observable and intentional, not silently permissive.

Honest boundaries

What we don’t claim.

Security products earn trust by being precise about their limits. These are ours.

Cameras and screenshots are a hard boundary. MoonGate can deter, watermark, and limit some capture paths — it cannot guarantee prevention against a phone pointed at a screen.

Browser enforcement covers the browser. Native sync clients, CLI and API exports, removable media, and desktop apps need endpoint and SaaS-layer controls, which is why MoonGate layers with them.

Scripted egress is a separate layer. Page code can move data through asynchronous clipboard and filesystem APIs, direct network requests, and service workers that bypass trusted DOM events; closing those paths takes managed-browser API controls and endpoint enforcement.

It is not a replacement for your EDR, MDM, CASB, or SIEM — and doesn’t hook or inject into them. It integrates through supported APIs.

SaaS UIs change. Drive and Notion interception must be re-validated against real UI builds as they evolve; we treat coverage as something to prove, not assume.

Precision about limits is a security feature. Everything else on this page is the enforcement model we build and test against — verified today on synthetic Drive and Notion fixtures, validated with design partners next.

Early access

First through the gate.

MoonGate is pre-pilot. The enforcement foundation — managed extension, Rust endpoint agent, signed policy control plane — is built and verified against synthetic Drive and Notion fixtures, with a repeatable block-path demo.

We’re onboarding a small design-partner cohort: security teams on Google Workspace and Notion with managed macOS or Windows fleets, who want to shape inline DLP from the first policy onward.

Gate pass · design partner
COHORTdesign partner · early access
SOURCESGoogle Workspace · Notion
ENDPOINTSmanaged macOS · Windows
STAGEpre-pilot foundation
Request early access

No pricing theater, no fake logos. A conversation about your exfiltration paths and our roadmap.