Single-tenant model
Unlike Synthetiq Hosted, where apps from multiple organizations share underlying platform infrastructure, BYOI deployments are single-tenant. The compute cluster, network, load balancer, and all supporting resources exist exclusively in your account and serve only your organization’s apps. You retain full control over account-level security, network configuration, and compliance policies.
Per-app isolation
Even within a single-tenant account, each app is isolated from other apps using the same IAM-based boundaries as Synthetiq Hosted.

| Resource | Isolation | Details |
|---|---|---|
| Compute | Dedicated | Firecracker microVMs with hypervisor-level isolation — dedicated kernel, CPU, and memory per app |
| Database | Dedicated | Separate Postgres database per app with unique credentials |
| Data storage | Dedicated | Separate storage per app, access restricted by IAM |
| Credentials and secrets | Dedicated | Separate credential store per app containing database connections, OAuth config, and encryption keys |
| Logs | Dedicated | Separate log stream per app, access restricted by IAM |
| Builds and deployments | Dedicated | Untrusted steps run in ephemeral VMs with dedicated, narrowly scoped roles per app |
| Container registry | Scoped | Shared registry with per-app image tagging; push access scoped by IAM |
| Artifact storage | Scoped | Shared storage with per-app path isolation enforced by IAM |
| Metrics API | Scoped | Shared metrics endpoint with per-app namespace scoping enforced by IAM |
| Load balancer | Scoped | Shared load balancer with per-app routing rules; traffic routed to each app’s dedicated and physically isolated backend targets |
Cross-account trust boundary
The only connection between the Synthetiq platform and your account is the deploy role — a narrowly scoped IAM role that can trigger and monitor deployments. The deploy role cannot:
- Access your application data or databases
- Read or modify secrets or credentials
- Access any resources outside the Synthetiq deployment pipeline
Encryption and credential management
Data encryption
- At rest: All stored data — including databases, credentials, artifacts, and logs — is encrypted at rest using AES-256.
- In transit: External traffic is encrypted via TLS 1.2 or higher. Internal traffic between the load balancer and application containers travels over a private network within the VPC.
User authentication
Apps authenticate users through SSO via OIDC-compliant identity providers — no passwords are stored in the application database. User sessions are managed via JWT access tokens signed with RSA-256.
Service credentials
Credentials for third-party service integrations (API keys, OAuth tokens) are encrypted using AES-256-GCM envelope encryption with a per-app key. A unique data encryption key is generated for each credential, then encrypted with the app’s key encryption key. Credentials are never stored in plaintext. The framework supports both system-level credentials (shared across users) and user-level credentials (per-user), both encrypted with the same scheme.
Your responsibilities
Synthetiq manages the deployment pipeline resources within your account (all namespaced under `synthetiq-*`). You are responsible for:
- Account-level security — access controls, password policies, and identity management for your cloud account
- Audit and logging — enabling audit trails and threat detection at the account level
- Network policies — network configuration, firewall rules, and any additional network controls beyond the defaults provisioned by Synthetiq
- Compliance — ensuring your account meets your organization’s regulatory and compliance requirements
- Traffic protection — DDoS protection, bot mitigation, rate limiting, and web exploit filtering
- DNS and certificates — managing the domain and wildcard certificates used for your apps
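The per-app envelope scheme described under Service credentials above, as an added example using Go's standard library; this is illustrative code, not Synthetiq's own implementation. It generates a fresh 256-bit DEK per credential, wraps it under the app KEK with AES-256-GCM, and encrypts the secret under the DEK; binding the app ID and credential ID as additional authenticated data, the nonce-prefixed blob layout, and the function names are assumptions added here, and the KEK is a caller-supplied test value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// aead returns AES-256-GCM; a key other than 32 bytes is a caller bug, not a runtime error.
func aead(key []byte) cipher.AEAD {
	if len(key) != 32 {
		panic("envelope: key must be 32 bytes (AES-256)")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// seal encrypts under a fresh random 96-bit nonce; output is nonce || ciphertext+tag.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // CSPRNG failure is not recoverable
	}
	return gcm.Seal(nonce, nonce, plaintext, aad)
}
// open verifies the GCM tag (which also covers the AAD) before returning any plaintext.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("envelope: sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}
// EncryptCredential: fresh 256-bit DEK per credential, wrapped under the app KEK (AAD = app ID); secret under the DEK (AAD = credential ID).
func EncryptCredential(appKEK []byte, appID, credID string, secret []byte) (wrappedDEK, ciphertext []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return seal(appKEK, dek, []byte(appID)), seal(dek, secret, []byte(credID))
}
// DecryptCredential unwraps the DEK, then decrypts; a wrong KEK, app ID or credential ID fails tag verification.
func DecryptCredential(appKEK []byte, appID, credID string, wrappedDEK, ciphertext []byte) ([]byte, error) {
	dek, err := open(appKEK, wrappedDEK, []byte(appID))
	if err != nil {
		return nil, err
	}
	return open(dek, ciphertext, []byte(credID))
}
```

Because each credential has its own DEK, rotating the app KEK only requires re-wrapping the small DEK blobs, not re-encrypting every stored secret.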