Data Sovereignty
Enterprise Data Control
For security-conscious organizations, EchelonGraph offers full control over where your data lives, how it's encrypted, and who can access it — including a fully self-hosted option with zero data egress.
Addressing Enterprise Concerns
| Concern | EchelonGraph's Answer |
|---|---|
| "Why should I give you access to my cloud?" | Read-only, API-only scanning. We never request write permissions, disk snapshots, or agent installation. You control the scope of access and can revoke it instantly. |
| "Why should I share my credentials?" | You don't have to. Use Workload Identity Federation for zero-secret access, or deploy a self-hosted scanner where credentials never leave your environment. |
| "My data can't leave my network" | Self-hosted deployment. EchelonGraph runs entirely inside your VPC with zero data egress and zero phone-home. |
Credential Models
Workload Identity Federation (Recommended)
The most secure integration model. Your cloud provider's native identity federation lets EchelonGraph's scanner operate without any exchanged keys or stored secrets. You control the trust relationship and can revoke it instantly.
Customer-Managed Keys
You create a read-only service account, generate credentials, and upload them to EchelonGraph. Credentials are encrypted at rest and you can rotate or revoke them at any time.
Self-Hosted Scanner (Zero Trust)
The scanner runs entirely inside your own infrastructure. Credentials never leave your environment. Your scanner pushes findings to your own EchelonGraph instance — nothing is transmitted externally.
Deployment Options
SaaS
Fully managed by EchelonGraph. Complete tenant isolation ensures your data is separated from every other customer. Best for teams that want to get started quickly without managing infrastructure.
Dedicated Instance
An isolated environment managed by EchelonGraph exclusively for your organization. Dedicated encryption keys and infrastructure separation. Best for regulated industries that need isolation without operational overhead.
Self-Hosted (Enterprise)
Runs entirely inside your own network boundary:
- Zero data egress — nothing leaves your infrastructure
- BYOK encryption — your own encryption keys protect everything
- Air-gapped support — pull security updates on your own schedule
- Full control — you manage networking, backups, retention, and access logging
In a self-hosted deployment, every component — scanning, data storage, processing, and dashboards — runs inside your boundary. We deliver the software; you own the data.
What You Control (Self-Hosted)
- All encryption keys via your own key management system
- All network policies and firewall rules
- Data retention periods for every data type
- Access logging and security monitoring
- Backup and disaster recovery procedures
- Software update cadence (pull-based, on your schedule)
Data We Process
EchelonGraph processes only the data necessary for cloud security analysis:
| Data Category | Purpose |
|---|---|
| Account information | Email and name for authentication and authorization |
| Audit events | Login, API access, and configuration changes for security accountability |
| Cloud infrastructure metadata | Resource configurations, network topology, and IAM policies for security assessment |
| Security findings | Vulnerabilities, misconfigurations, and compliance scores |
Configurable Retention
All data retention periods are configurable to meet your compliance requirements. Automated purge ensures data is not retained beyond your defined policies. Self-hosted customers have full control over all data lifecycle management.