Data Sovereignty
Enterprise Data Control
For security-conscious organizations, EchelonGraph offers full control over where your data lives, how it's encrypted, and who can access it — including a fully self-hosted option with zero data egress.
Addressing Enterprise Concerns
| Concern | EchelonGraph's Answer |
|---|---|
| "Why should I give you access to my cloud?" | Read-only, API-only scanning. We never request write permissions, disk snapshots, or agent installation. You control the scope of access and can revoke it instantly. |
| "Why should I share my credentials?" | You don't have to. For AWS, use a cross-account IAM role (AWS STS AssumeRole with an External ID) for keyless access, or deploy a self-hosted scanner where credentials never leave your environment. |
| "My data can't leave my network" | Self-hosted deployment. EchelonGraph runs entirely inside your VPC with zero data egress and zero phone-home. |
Credential Models
AWS Cross-Account Role (Recommended for AWS)
The most secure integration model for AWS. EchelonGraph's scanner assumes a read-only IAM role in your account via AWS STS AssumeRole, using a role ARN plus a customer-scoped External ID — no access keys are exchanged or stored. You control the role's trust policy and permissions and can revoke it instantly. (GCP connects with an uploaded, encrypted read-only service-account key and Azure with an encrypted App Registration client secret — see Customer-Managed Keys.)
Customer-Managed Keys
You create a read-only service account, generate credentials, and upload them to EchelonGraph. Credentials are encrypted at rest and you can rotate or revoke them at any time.
Self-Hosted Scanner (Zero Trust)
The scanner runs entirely inside your own infrastructure. Credentials never leave your environment. Your scanner pushes findings to your own EchelonGraph instance — nothing is transmitted externally.
Deployment Options
SaaS
Fully managed by EchelonGraph. Complete tenant isolation ensures your data is separated from every other customer. Best for teams that want to get started quickly without managing infrastructure.
Dedicated Instance
An isolated environment managed by EchelonGraph exclusively for your organization. Dedicated encryption keys and infrastructure separation. Best for regulated industries that need isolation without operational overhead.
Self-Hosted (Enterprise)
Runs entirely inside your own network boundary:
- Zero data egress — nothing leaves your infrastructure
- BYOK encryption — your own encryption keys protect everything
- Air-gapped support — pull security updates on your own schedule
- Full control — you manage networking, backups, retention, and access logging
In a self-hosted deployment, every component — scanning, data storage, processing, and dashboards — runs inside your boundary. We deliver the software; you own the data.
What You Control (Self-Hosted)
- All encryption keys via your own key management system
- All network policies and firewall rules
- Data retention periods for every data type
- Access logging and security monitoring
- Backup and disaster recovery procedures
- Software update cadence (pull-based, on your schedule)
Data We Process
EchelonGraph only processes data necessary for cloud security analysis:
| Data Category | Purpose |
|---|---|
| Account information | Email and name for authentication and authorization |
| Audit events | Login, API access, and configuration changes for security accountability |
| Cloud infrastructure metadata | Resource configurations, network topology, and IAM policies for security assessment |
| Security findings | Vulnerabilities, misconfigurations, and compliance scores |
Configurable Retention
All data retention periods are configurable to meet your compliance requirements. Automated purge ensures data is not retained beyond your defined policies. Self-hosted customers have full control over all data lifecycle management.