
Region and environment
Cloud SaaS is hosted on AWS in a dedicated production account with its own VPC, EKS cluster, RDS instance, message broker, and secret store. The United States is the default region; EU hosting is available on customer request.Tenancy and isolation
Tenant isolation is enforced at the application layer on every request, in three places:- Database queries against the operational database and the data lake are filtered by tenant. A query that does not carry a tenant identifier is rejected at the API boundary.
- Object-storage keys in the internal S3 bucket are namespaced by tenant. Cross-tenant key access is not possible because the API never issues a key for a tenant other than the caller’s.
- Integration credentials are stored per-tenant. A workflow runs as a specific user in a specific tenant, and the credentials used for any integration call are resolved from that tenant’s credential set.
Encryption
Customer-managed encryption keys (BYOK) are not available in Cloud SaaS. Customers who require BYOK should choose Cloud-Prem on AWS, which supports customer-managed AWS KMS keys for RDS, S3, EBS, and application-layer encryption.
Public surface
All public surface is fronted by Cloudflare (DNS, TLS, WAF, DDoS protection). Cloudflare terminates TLS and forwards to an AWS Application Load Balancer inside the cluster’s VPC. Published outputs at
outputs.bondata.ai are served through Amazon CloudFront. Both Cloudflare and CloudFront operate as global edge networks; customers with strict regional-residency requirements for ingress termination or published-output delivery should choose Cloud-Prem on AWS, which supports an ALB-only ingress mode inside the customer’s VPC.
Operational ownership
Operator access
BonData operator access to the Cloud SaaS environment is SSO-gated through BonData’s internal identity provider, uses short-lived AssumeRole credentials with session-bound names, and is outbound-only from BonData’s network - no inbound access from the public internet to operator tooling. All operator activity is recorded in BonData’s internal CloudTrail and SSO logs. Tenant-scoped operator-access extracts are available on request as part of enterprise-tier SaaS contracts, viasecurity@bondata.ai, within the SLA defined in the contract. Customers requiring continuous, customer-visible CloudTrail logging of every operator action should use Cloud-Prem on AWS, where every BonData action is recorded in the customer’s own CloudTrail in real time.
AI and embedding providers
LLM calls and embedding generation in Cloud SaaS use the same default AI providers documented on the Application architecture page. Customers requiring an embedding option that keeps the call inside their own AWS account (AWS Bedrock Titan) should choose Cloud-Prem on AWS.Backups and disaster recovery
- Backups. RDS automated backups with point-in-time recovery. S3 versioning enabled on internal buckets. Iceberg snapshots provide time-travel on the data lake.
- Disaster recovery. Multi-AZ within the deployment region by default; cross-region DR is available on request.
- RPO and RTO. Specific recovery-point and recovery-time objectives are documented in the engagement contract for enterprise-tier SaaS customers.