Deployment
Deployment Models
EchelonGraph supports three deployment models to meet different security, compliance, and data residency requirements:
| SaaS | Dedicated | Self-Hosted | |
|---|---|---|---|
| Data location | EchelonGraph-managed cloud | Isolated project for your organization | Your own infrastructure |
| Data egress | To our managed environment | To your dedicated instance | None — zero egress |
| Who manages | EchelonGraph | EchelonGraph | Your team (with our support) |
| Encryption keys | EchelonGraph-managed | Dedicated keys | Customer-managed (BYOK) |
| Compliance | SOC 2, GDPR | SOC 2, GDPR, HIPAA | Any framework — you control the environment |
| Best for | Startups, small teams | Mid-market, regulated industries | Enterprise, government, finance, healthcare |
SaaS (Managed)
Sign up at echelongraph.io/signup — no infrastructure to manage. Your data is stored with complete tenant isolation, and we handle all operations, scaling, and updates.
Dedicated Instance
For organizations that need infrastructure isolation without managing it themselves. You get a dedicated environment with your own encryption keys while EchelonGraph handles operations and maintenance.
Self-Hosted (Enterprise)
For organizations with strict data sovereignty requirements, EchelonGraph can be deployed entirely inside your own infrastructure:
- All scanning runs in your cloud, authenticating with your own service accounts
- All data stays in your databases inside your network boundary
- All dashboards are served behind your internal load balancer
- Zero egress — nothing leaves your network
- BYOK encryption — your encryption keys protect everything
- Air-gapped support — pull CVE feed and rule pack updates on your own schedule
Self-hosted deployments use the exact same product as the SaaS offering. See Data Sovereignty for details.
Kubernetes Support
EchelonGraph provides a Helm chart for Kubernetes-native deployments, packaging all services and dependencies for easy installation and management within your cluster. Contact our team for access.
Configuration
All services are configured via environment variables — no secrets are embedded in container images. For production deployments, we recommend using a secrets manager (such as GCP Secret Manager, AWS Secrets Manager, or HashiCorp Vault) for all sensitive configuration values.
Detailed configuration guides are provided to Enterprise customers as part of onboarding.