Safeguard
FAQ

Cloud Security Deployment: FAQ

How the multi-tenant and dedicated-VPC cloud deployments work: tenant isolation, data handling, key ownership, latency, and when cloud is the right choice versus self-hosting.

Safeguard Team
Platform
5 min read

The cloud deployment is the fastest way to get software supply chain scanning running: you connect a source-control integration, and the multi-tenant platform handles hosting, updates, and always-current vulnerability data for you. For teams that want cloud convenience with stronger isolation, a dedicated single-tenant VPC deployment runs the same platform in an isolated environment. This FAQ covers how tenant isolation works, what happens to your code and findings, who holds the keys, and how to decide between shared cloud, dedicated VPC, and self-hosting.

Frequently Asked Questions

What deployment shapes does the cloud offer? There are two: a multi-tenant cloud where customers share managed infrastructure with logical isolation, and a dedicated VPC where your instance runs single-tenant in an isolated environment. Both are fully managed, so we run the upgrades and keep vulnerability data current. If you need the platform inside your own boundary instead, that is the on-premise or air-gapped tier.

How are tenants isolated in the multi-tenant cloud? Every request carries a tenant context that scopes all data access, and storage is partitioned per tenant so one customer's projects, SBOMs, and findings are never queryable by another. Isolation is enforced at the data-access layer, not merely in the UI. Customers who require physical rather than logical separation choose the dedicated VPC option.

Is my source code stored in the cloud? Scanning operates on dependency manifests, SBOMs, and metadata rather than retaining your full source tree, and analysis artifacts are scoped to your tenant. Software composition analysis needs your dependency graph, not a permanent copy of your repository. What is retained and for how long is documented and configurable.

Who controls the encryption keys in the cloud? Data is encrypted in transit and at rest by default, and customer-managed keys are available so you can control the key lifecycle through your own KMS. With customer-managed keys, you can revoke access on your terms. If your requirement is that the vendor must never hold keys at all, that is a property of the self-hosted tiers rather than the shared cloud.

Where is cloud data physically located? You choose a region at onboarding, and your tenant's data stays in that region, which lets EU or other jurisdiction-bound customers keep data in-region. For deeper residency guarantees, a dedicated VPC pins everything to a single region and account. Residency specifics and the full regional list are covered in the data-residency documentation.

Does the AI triage engine send my code to a third-party model? No. Griffin AI runs on infrastructure Safeguard controls within your tenant's boundary and does not forward your code or findings to an external model provider. Reachability and exploitability analysis stay within the platform. This holds across cloud, dedicated VPC, and self-hosted deployments.

How current is vulnerability data in the cloud? It is continuously updated, so the cloud reflects new CVE, GHSA, and advisory data as it is published without any action on your part. This is the main convenience advantage over air-gapped, where freshness depends on your import cadence. You never run a manual data refresh in the cloud.

How fast can I be scanning? Onboarding is measured in minutes: connect an SCM integration, point it at your repositories, and the first scan runs. There is no cluster to stand up and no infrastructure to size. This speed to value is the core reason teams start in the cloud even when they later move sensitive workloads on-prem.

What is the difference between dedicated VPC and multi-tenant? A dedicated VPC gives you a single-tenant instance in an isolated environment with its own compute and storage, versus shared managed infrastructure in multi-tenant. You still get managed upgrades and current data, but with hard isolation and region pinning. It is the right step when compliance requires single-tenancy but you do not want to operate the platform yourself.

Is the cloud suitable for regulated workloads? For many it is, and the architecture is built toward FedRAMP HIGH and DoD Impact Level control sets with SOC 2 Type II in progress. To be honest about posture: those are architectural targets and an in-progress certification, not completed authorizations, and highly regulated or classified workloads typically belong in a dedicated VPC, on-prem, or air-gapped deployment. The compliance page states what is certified versus underway.

What happens to my data if I stop using the platform? Your data is exportable while your account is active, and it is deleted according to the retention terms after termination. You are not locked in: SBOMs and findings export in standard formats. The offboarding and deletion process is documented rather than ad hoc.

When should I choose cloud over self-hosting? Choose cloud when you want speed, zero operational overhead, and always-current data, and when logical or dedicated-VPC isolation meets your requirements. Choose on-prem or air-gapped when policy requires the platform inside your own boundary or forbids any outbound connection. The deployment comparison lays the options side by side.

What does the cloud cost? The cloud has published self-serve tiers, so you can see the structure without a sales call, while the dedicated VPC is quoted because it provisions isolated infrastructure. Capabilities are consistent across tiers; the difference is isolation and management, not features. See pricing for current details.

To evaluate the cloud, start with the software composition analysis and Griffin AI capability pages, check what is certified on the compliance page, review options on the deployment comparison, and contact us if you need a dedicated VPC. Full documentation lives at https://docs.safeguard.sh.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.