Deployment models

Skyflow supports three deployment models to meet different security, compliance, and infrastructure requirements. All three provide the same core capabilities: a zero-trust data privacy vault, tokenization, and policy-based access control. They differ in how infrastructure is isolated, managed, and integrated into your environment.

| Model | Infrastructure | Isolation |
| --- | --- | --- |
| Multi-tenant SaaS | Shared, fully managed | Logical isolation |
| Virtual Private Skyflow | Dedicated VPC (managed) | Physical isolation |
| Bring Your Own Cloud (BYOC) | Customer cloud account | Full infrastructure control |

Skyflow also supports hybrid architectures where on-premises systems connect to Skyflow using private connectivity, allowing you to keep sensitive data within your network boundaries while leveraging vault capabilities in the cloud.

All three models support the same options for encryption key management, including Skyflow-managed keys, Bring Your Own Key (BYOK), and Bring Your Own KMS (BYOKMS).

Multi-tenant SaaS

Multi-tenant SaaS is the default Skyflow deployment model: fully managed on shared infrastructure. Your data is logically isolated within Skyflow’s infrastructure, and Skyflow manages all operations, scaling, and availability.

| Attribute | Detail |
| --- | --- |
| Infrastructure | Shared, fully managed by Skyflow |
| Isolation | Logical (encryption and access controls) |
| Time to deploy | Fastest of all models |
| Private connectivity | Optional enhancement |
| Customer-managed keys | Optional enhancement |

Best for: Teams that want a fully managed experience with no infrastructure overhead.

Virtual Private Skyflow

Virtual Private Skyflow runs on dedicated, fully managed infrastructure. Skyflow deploys your environment in a dedicated Virtual Private Cloud (VPC), providing physical isolation while maintaining a fully managed experience.

| Attribute | Detail |
| --- | --- |
| Infrastructure | Dedicated VPC per customer |
| Isolation | Physical (dedicated compute, storage, and networking) |
| Managed by | Skyflow |
| Private connectivity | Supported |
| Performance | Predictable; no shared-resource contention |

Best for: Organizations that need stronger isolation guarantees without taking on infrastructure management.

Bring Your Own Cloud (BYOC)

With BYOC, Skyflow runs inside your cloud environment. Skyflow is deployed into your cloud account (AWS or GCP), giving you full ownership of infrastructure while Skyflow operates and manages the platform. All traffic stays within your network boundaries.

| Attribute | Detail |
| --- | --- |
| Infrastructure | Your AWS or GCP account |
| Isolation | Full network control |
| Responsibility model | You own the infrastructure; Skyflow operates the service |
| IAM control | Full. You manage roles and policies. |
| Data residency | Customer-controlled |
| Architecture | Private by default |

Best for: Organizations with strict data residency requirements, or those that must keep all infrastructure within their own cloud environment.

Private connectivity

Private connectivity is available across all three deployment models. For workloads that cannot traverse the public internet, Skyflow supports:

  • AWS PrivateLink
  • GCP Private Service Connect
  • VPN or dedicated network connections
  • Hybrid connectivity for on-premises systems

These options keep traffic within private networks and allow on-premises systems to securely connect to Skyflow’s vault capabilities in the cloud.

How to choose

Most customers begin with a managed model and evolve as their security, compliance, and infrastructure requirements grow.

| Model | Choose when… |
| --- | --- |
| Multi-tenant SaaS | You want minimal operational overhead, fast time to deploy, and strong logical isolation is sufficient. |
| Virtual Private Skyflow | You need dedicated infrastructure and physical isolation guarantees, but still want Skyflow to manage operations. |
| Bring Your Own Cloud (BYOC) | You require maximum control over your cloud environment, networking, IAM, and data residency. |