EPG: Close the Email Compliance Gap With Automated Policy Controls
Most organizations leave email data protection to individual users, so a single misdirected message or unencrypted attachment can trigger a data breach, regulatory sanction, or reputational crisis.
Kiteworks Email Protection Gateway (EPG) puts your IT and compliance teams in control of every email entering and leaving your organization. The Data Policy Engine (DPE) automatically enforces your policies on every message, encrypting, routing, rejecting, or blocking based on data content and user attributes, with no action required from staff.
Protect ALL email traffic with automatic policies
Your policies automatically govern every inbound and outbound message by sender, recipient, data content, classification label, and message attributes, with no user involvement required.
The Data Policy Engine (DPE) enforces the full spectrum of actions:
- Encryption
- Routing
- Quarantine
- Rejection
Policies are defined once and applied consistently on every message.
Enforce the right policy on every email with Kiteworks Email Protection Gateway

Kiteworks Email Protection Gateway (EPG) automatically enforces the appropriate policy, encryption, and compliance on every email — inbound and outbound — removing the risk of human error and giving security and compliance teams complete audit visibility across all email traffic.
Prevent human errors when sending emails
EPG applies your policies invisibly in the email stream, so users never decide which emails to encrypt or which recipients should receive sensitive data. Users work in their normal email clients with no new applications to learn and no compliance decisions to make. The risk of accidental misdirection is eliminated by design.
Prove compliance with logging of ALL email events
EPG logs every inbound and outbound message in the unified Kiteworks audit log with normalized, immutable records. Each entry captures the full policy decision context: the rule matched, the action taken, and the delivery outcome. Audit data feeds directly into your SIEM, giving you a defensible record for every regulatory inquiry.
Leverage your data classifications with MIP sensitivity label integration
EPG reads Microsoft Purview (MIP) sensitivity labels in attachments and messages and applies the correct policies to each class of data automatically. No duplicate configuration is required. Labels your team already applied become the policy trigger for the appropriate gateway action, extending your existing information protection program into the email stream.
Automate compliant handling of sensitive incoming emails
EPG scans inbound messages and automatically routes likely sensitive data, such as CUI from a defense contractor or PHI from a hospital, to a compliant path. Employees cannot accidentally receive and mishandle regulated data in a standard inbox. Sensitive inbound mail goes where your compliance program requires, without anyone making that call manually.
Provide encryption for external recipients that just works
EPG delivers compliance capabilities that work for your users, not against them:
- Encrypt for any recipient using Webmail/TLS, S/MIME, or OpenPGP, with optional FIPS 140-3 validated encryption
- Archive messages and attachments automatically for retention schedules and eDiscovery readiness
- Send attachments up to 16 TB via an authenticated web portal, bypassing standard email size limits
- Track whether recipients have opened emails and downloaded attachments
- Apply built-in DRM controls — view-only access, expiration, and forwarding restrictions — with replies automatically encrypted to continue the compliance chain
One control plane for all sensitive data exchanges
EPG shares a single policy engine, control plane, and audit log with Kiteworks file sharing, managed file transfer, SFTP, and forms. Compliance is consistent regardless of how sensitive data moves into, out of, or within your organization.
Your security and compliance teams get a single dashboard for visibility across every channel, with unified audit data feeding directly into your SIEM.
Frequently Asked Questions
The Data Policy Engine (DPE) automatically governs every inbound and outbound email by enforcing policies based on sender, recipient, data content, classification label, and message attributes. It applies actions such as encryption, routing, quarantine, and rejection consistently to every message without user involvement.
EPG applies policies invisibly within the email stream, ensuring users do not need to decide which emails to encrypt or which recipients should receive sensitive data. This eliminates the risk of accidental misdirection as users work in their normal email clients without needing to learn new applications or make compliance decisions.
EPG scans inbound messages and automatically routes sensitive data, such as Controlled Unclassified Information (CUI) or Protected Health Information (PHI), to a compliant path. This prevents employees from accidentally receiving and mishandling regulated data in a standard inbox by directing it to the appropriate location as per compliance requirements.
EPG offers multiple encryption options for external recipients, including Webmail/TLS, S/MIME, and OpenPGP, with optional FIPS 140-3 validated encryption. It also supports additional compliance features like automatic archiving for retention and eDiscovery, sending large attachments up to 16 TB via a secure web portal, tracking recipient actions, and applying DRM controls such as view-only access, expiration, and forwarding restrictions.