How LATAM's Rising FinTech Star Pomelo Protects Payment Data for Millions

Pomelo chose Nightfall AI: the only DLP solution built for how modern FinTech companies actually work.
Industry
Financial technology
Region
Latin America

Key Results

  • 300+ employees protected across LATAM operations
  • 8 enterprise applications secured (Slack, Gmail, Jira, Google Drive, ChatGPT, Gemini, Github, Cursor)
  • Proactive AI security intercepting sensitive data before submission to LLM platforms
  • PCI compliance confidence with comprehensive data lineage tracking
  • Real secrets discovered in internal Slack channels and Github during initial deployment
  • Automated user remediation reducing security team workload by enabling self-service data redaction

The Challenge: Rapid Growth Demands Enterprise-Grade Data Protection

Pomelo, a rapidly growing payment processor serving the LATAM market, reached a critical inflection point as digital payments transformed financial access for millions across Latin America. Pomelo's exponential growth brought intensifying regulatory scrutiny and security requirements.

As a PCI-compliant FinTech handling sensitive financial transactions, customer payment data, and proprietary financial information, the company launched a comprehensive "security wave" initiative to reinforce their security posture and support their aggressive expansion plans.

But Ezequiel Virun, Pomelo Cybersecurity Technical Manager, discovered that traditional security tools were fundamentally inadequate for their modern threat landscape.

"Before using Nightfall, we struggled with a lack of visibility into sensitive file sharing, which made it difficult to prevent data leaks," says Virun.

The problems were systemic:

Legacy DLP Was Actively Harmful

Pomelo's existing Gmail DLP solution generated too many false positives and created alert fatigue that trained their security team to ignore alerts. When they tested competing enterprise solutions, they found the DLP accuracy wasn’t good enough for what they needed as a regulated financial institution.

The Generative AI Blind Spot

Employees were adopting AI tools like ChatGPT, Gemini, and Cursor to boost productivity and keep pace with larger rivals. But each interaction represented a potential data exfiltration event. Traditional CASB solutions couldn't see what happened on local machines before data was submitted to AI platforms.

Fragmented Coverage Across Critical Systems

As a growing fintech, Pomelo needed comprehensive DLP coverage across their entire SaaS ecosystem—Slack, Gmail, Jira, and Google Drive—plus endpoints where employees worked with sensitive data daily. Point solutions created gaps. Enterprise tools were too complex to operate with their lean security team.

Compliance Without Visibility

As a payment processor, Pomelo needed to demonstrate proactive data protection for PCI-DSS compliance, GDPR, and SOC 2 audits to support partnerships with banks and enterprise customers. But how do you prove protection when you can't see where sensitive data is going?

Pomelo needed a unified solution that could secure the AI tools driving their business forward, not block them. They needed accuracy that wouldn't drown their lean security team in false alerts. They needed comprehensive coverage across SaaS, email, and endpoints without operational complexity. And they needed forensic capabilities to understand not just if data was at risk, but how it got there.

The Solution: AI-Native DLP Built for Modern FinTech

Nightfall provided Pomelo with a unified platform delivering real-time detection across Slack, email, endpoints, and AI applications, with the accuracy, flexibility, and intelligence required for a regulated financial institution supporting rapid growth.

Use Case 1: Superior Detection Accuracy Over Enterprise Alternatives

The Problem: Pomelo had tested enterprise DLP solutions, but encountered critical limitations. Their previous Gmail DLP generated false positives that eroded security team efficiency and user trust. When evaluating traditional competitors, Pomelo found that their DLP accuracy fell short of what a regulated financial institution needs to reliably protect customer payment data and PCI information.

The Nightfall Advantage: Nightfall's AI-powered detection engine delivered less than 5% false positive rate while maintaining comprehensive coverage across financial data types, secrets, API keys, and PII. The platform's flexible policy management allowed Pomelo to customize detection rules for their specific use cases without sacrificing accuracy.

Real Result: During the proof of value, Nightfall immediately surfaced genuine risks that other tools had missed:

  • Secrets and API keys discovered in internal Slack channels
  • Two credit card numbers detected in separate Jira attachments: a critical PCI compliance finding
  • Customer payment information at risk across multiple platforms

"Nightfall works really well across different integrations. It offers a lot of possibilities for customizing detections, which is very helpful for us. I'm impressed with Nightfall's functionality and the wide range of use cases it covers."

The combination of superior accuracy, comprehensive coverage, and operational simplicity made Nightfall the obvious choice over other enterprise alternatives.

Use Case 2: Unified Platform Replacing Fragmented Point Solutions

The Risk: Growing a security stack organically means piecing together platforms one by one: one for email, another for cloud storage, a third for collaboration platforms. This fragmentation creates visibility gaps, operational overhead, and policy inconsistencies that attackers exploit.

Nightfall's Unified Approach: Nightfall's single platform provided real-time detection and protection across Pomelo's entire ecosystem:

  • Slack: Monitoring internal channels and direct messages for sensitive data sharing
  • Gmail: Protecting email communications with automated encryption for sensitive content
  • Google Drive: Scanning stored documents and tracking file downloads
  • Jira: Detecting sensitive data in tickets and attachments
  • Endpoints: Monitoring local file operations and copy/paste activities
  • AI Applications: Intercepting prompts to ChatGPT, Gemini, and Cursor

The Impact: Instead of managing multiple consoles, policy engines, and vendor relationships, Pomelo's lean security team operates from a single platform with consistent policies and unified reporting. The flexible policy management means they can customize detection rules for different data types and applications without requiring vendor support.

"Once we started using Nightfall, it helped us by automatically classifying confidential information across various platforms and endpoints. This meant we could finally address exposure risks before they became incidents."

Use Case 3: Proactive Generative AI Security

The Risk: Employees were using ChatGPT, Gemini, and Cursor to analyze data, write code, and accelerate workflows. Each prompt could expose customer payment information, API keys, or proprietary financial data—and once submitted to an AI model, that data is already compromised.

Traditional DLP solutions can only detect data after it reaches cloud services. By that point, sensitive information has already been transmitted to the AI model and potentially incorporated into training data or exposed to unauthorized parties.

Nightfall's Protection: Nightfall's browser plugin and endpoint agent intercept sensitive data at the prompt level, before it's submitted to the AI platform. This application control and filtering capability works directly on local machines, catching risky copy/paste actions and file uploads in real-time.

The Impact: Nightfall blocks sensitive copy/paste operations, which makes new AI tools safe to use. The protection scales automatically without requiring policy updates for every new platform.

The Competitive Advantage: This endpoint-level interception is something legacy DLP tools or CASBs simply can’t provide. Similar solutions lack the endpoint visibility and proactive blocking capabilities required to protect data before it reaches AI platforms.

For a growing FinTech like Pomelo, this means employees can leverage AI productivity tools to compete with larger competitors, without creating unacceptable data exposure risks.

“Nightfall provides a sense of empowerment to our team by automatically classifying confidential information across various platforms and endpoints. This meant we could finally address exposure risks before they became incidents.”

Use Case 4: Deep Data Lineage and Exfiltration Prevention

The Risk: Insider threats and accidental data leakage are nearly impossible to investigate without understanding how sensitive data moves through an organization. Did an employee download a customer database from Google Drive and upload it to a personal cloud storage service? Was a file shared to unauthorized AI tools after being extracted from Jira?

Nightfall's Advantage: Nightfall's asset history and data lineage capabilities track files from origin to every subsequent action. The system records when a file is downloaded from Google Drive, tracks attempts to upload it to file-sharing sites like file.io, and logs copy/paste attempts into generative AI tools.

The endpoint protection doesn't just track sensitive data movement—it prevents any loss or other security incidents. Nightfall blocks file uploads and copy/paste operations containing sensitive content to prohibited domains, providing real-time defense against both malicious exfiltration and accidental exposure.

Why This Matters for Growth: As Pomelo scales across LATAM markets, this forensic capability supports insider risk programs, regulatory investigations, and executive reporting on data security posture, each one critical for enterprise partnerships and fundraising conversations.

"The data lineage feature is very powerful. It helps me sell the tool internally by showing exactly how sensitive data moves through our organization."

Use Case 5: Empowering Users While Reducing Security Team Workload

The Problem: Legacy DLP creates a bottleneck: security teams manually investigate every alert, remediate every violation, and become the friction point between employees and productivity. For a fast-growing fintech with a lean security team, this model is unsustainable.

Nightfall's Approach: Automated user remediation allows employees to self-correct when they accidentally share sensitive data. When Nightfall detects a policy violation in Slack, the Pomelo user receives an immediate notification with the option to redact or delete the message themselves.

Real Result: The self-remediation capability is now a must-have feature for Pomelo. It trains employee behavior in real time, reduces repeat violations, and reduces the workload on Pomelo's security team.

The automated decision-making engine also dramatically reduced false positives, improving the triage workflow and allowing Pomelo's lean security team to focus on genuine threats rather than sorting through noise.

"Nightfall's automated decision-making has reduced false positives and improved our triage response workflow. Now, our team can easily demonstrate data protection measures for PCI compliance and SOC 2, and we feel much more confident about our overall data security posture, without any additional workload," says Ezequiel.

Bonus Use Case: Automated Secure Email Communication

The Hidden Need: Pomelo was using third-party tools like SendSafely to encrypt sensitive email communications with external partners. This meant adding a tool to their security stack that needed to be managed, licensed, and integrated.

Nightfall's Built-In Solution: Nightfall's automated Gmail encryption feature secures sensitive emails and their reply threads, requiring external recipients to authenticate via a secure portal before accessing protected information.

The Value: Nightfall met an existing need with a capability already included in Pomelo's deployment, reducing tool sprawl and operational complexity.

The Results: Enterprise Security Without Enterprise Complexity

Immediate Risk Discovery

Nightfall detected real secrets, credentials, and payment card data within days of deployment, including risks that had existed undetected in internal systems for months or years, even while other DLP tools were deployed.

Unified Platform Simplicity

Pomelo replaced fragmented point solutions and ineffective enterprise tools with a single platform covering Slack, Gmail, Jira, Google Drive, endpoints, and AI applications, all managed through intuitive policy controls and flexible customization options.

Compliance Confidence for Growth

Pomelo can now demonstrate proactive data protection to auditors, regulators, banking partners, and enterprise customers with detailed reporting, data lineage forensics, and comprehensive coverage across cloud, SaaS, and endpoint environments: critical for PCI compliance, GDPR, and SOC 2.

Strategic Visibility for Leadership

Nightfall’s Actionable Insights Report and risk dashboards (showing Highest Risk Users and Detector activity) provide executive leadership with clear data visualization to understand risk exposure and justify security investments. These advanced insights are essential when sharing security outcomes in board conversations and fundraising discussions.

Why This Matters for FinTech

"Before using Nightfall, we struggled with a lack of visibility into sensitive file sharing. Now we can finally address exposure risks before they become incidents, and demonstrate data protection for PCI compliance without any additional workload. Nightfall has truly been a strategic technology for us."

For payment processors and FinTech companies operating under PCI compliance, GDPR, and other regulatory frameworks across multiple jurisdictions, a single data breach doesn't just cost millions in fines. It destroys the customer trust that is the foundation of financial services and can terminate critical banking partnerships overnight.

Legacy DLP solutions were built for a world of perimeter security and on-premise email servers. Enterprise CASB platforms offer broad coverage but struggle with detection accuracy and can't see inside AI interactions happening on local machines. They generate more noise than signal, and they require dedicated security teams to operate. That doesn't work for growing fintechs competing to win on speed and efficiency.

Pomelo chose Nightfall because it's the only DLP solution that:

  • Delivers superior detection accuracy over enterprise alternatives with <5% false positives
  • Provides unified platform simplicity across SaaS, email, endpoints, and AI applications
  • Intercepts data before AI submission, not after it's too late
  • Offers forensic data lineage to understand insider risk and accidental exposure
  • Empowers users to self-remediate, reducing security team workload
  • Scales automatically to new AI platforms without policy rewrites
  • Enables flexible customization for diverse use cases without vendor dependency

The Bottom Line

Pomelo eliminated their biggest compliance risk—shadow AI, uncontrolled data exfiltration, and visibility gaps across their SaaS ecosystem—while enabling the AI-powered productivity driving their rapid growth across Latin America.

In a region where digital payments are transforming financial access for millions, and where competition requires leveraging cutting-edge technology, Pomelo chose the only DLP solution built for how modern FinTech companies actually work.

Security shouldn't slow down innovation. With Nightfall, it doesn't have to.
