Region and environment
Each Dedicated Cloud customer gets a separate AWS account with its own VPC, EKS cluster, RDS instance, Amazon MQ broker, S3 buckets, and secret store. Nothing is shared with any other customer. Unlike Cloud SaaS, which defaults to the United States, the customer chooses the region at deployment time, so data residency requirements (EU, and other regions on request) are met by where the environment is provisioned. Regions BonData validates by default: US East (Virginia), US West (Oregon), and EU West (Ireland); other regions, including EU Central (Frankfurt), are available on request.Tenancy and isolation
The environment is single-tenant by construction: there is exactly one tenant in the account, and isolation comes from the account and VPC boundary rather than only from application-layer filtering.- The operational database, data lake, object storage, and message broker are dedicated to the one customer. No data path crosses into another customer’s environment because no other customer exists in the account.
- The user-facing application and the management application still run as separate Kubernetes Deployments behind separate Descope projects, so a user with administrative permissions inside the tenant cannot reach the platform-management surface.
Encryption
Customer-managed encryption keys (BYOK) are not available in Dedicated Cloud, because the AWS account is owned by BonData. Customers who require BYOK should choose Cloud-Prem on AWS, which supports customer-managed AWS KMS keys for RDS, S3, EBS, and application-layer encryption inside the customer’s own account.
Public surface
Public access is fronted by Cloudflare (DNS, TLS, WAF, DDoS protection) on a dedicated
{customer}.app.bondata.ai subdomain; the customer does not configure DNS. An ALB-fronted ingress is available where customer policy requires it.
Operational ownership
Operator access and audit
BonData operator access is SSO-gated through BonData’s internal identity provider, uses short-lived AssumeRole credentials with session-bound names, and is outbound-only - no inbound access from the public internet to operator tooling. Because the environment is dedicated, every operator action against it is recorded in a CloudTrail dedicated to that environment, and BonData provisions a dedicated Descope project and SSO configuration to the customer’s IdP. Audit extracts for the environment are available to the customer, and application logs can be forwarded to the customer’s own SIEM (Splunk, Datadog, Panther, and similar). Customers who require continuous, customer-owned CloudTrail of every operator action in an account they control should use Cloud-Prem on AWS.AI and embedding providers
LLM calls and embedding generation use the same default AI providers documented on the Application architecture page. The AWS Bedrock Titan embedding option, which keeps the embedding call inside the deployment’s AWS region, is available on Cloud-Prem on AWS.Backups and disaster recovery
- Backups. RDS automated backups with point-in-time recovery. S3 versioning enabled on internal buckets. Iceberg snapshots provide time-travel on the data lake.
- Disaster recovery. Multi-AZ within the chosen region by default; cross-region DR is available on request.
- RPO and RTO. Specific recovery-point and recovery-time objectives are documented in the engagement contract.
Upgrade cadence
Every change goes through the same release pipeline as the rest of the platform: a passing CI suite (unit, integration, and tenancy-isolation tests), peer-reviewed pull-request approval, and manual dispatch by an authorized release operator. Deploys are rolling updates; the API tier runs with multiple replicas across availability zones so customer requests are not interrupted during a deploy. Because the environment is dedicated, the upgrade window can be scheduled with the customer where contractually required. Helm rollback to the previous chart revision is available if a regression surfaces post-deploy.When to choose a different model
- Choose Cloud SaaS if you are running a proof of concept or are on a lower-tier package and do not need single-tenant isolation or region choice.
- Choose Cloud-Prem on AWS if you need the environment to run inside an AWS account you own, require customer-managed encryption keys (BYOK), or require continuous CloudTrail logging in your own account.
Ready to scope a Dedicated Cloud environment?
Contact us to scope your dedicated environment. We’ll confirm the region, isolation, and audit requirements with your security team and agree an onboarding schedule.