Data Isolation
Onvera provides flexible data isolation that evolves with your needs. Start with shared resources and increase isolation as requirements grow—all within the same operational model.
Flexible Isolation Model
Onvera's isolation model adapts to your needs. You can have different isolation levels for different Onvera environments:
- Shared Infrastructure - Start with shared resources for cost efficiency
- Dedicated Infrastructure - Move to dedicated resources per deployment for stronger isolation
- Dedicated Networking - Use dedicated network segments for compliance-sensitive workloads
- BYOC (Bring Your Own Cloud) - Run in your own cloud account while maintaining the same operational workflows
Example: You can have separate Onvera environments—staging on shared infrastructure, development on dedicated infrastructure, and production on BYOC—all managed through the same Onvera control plane.
Isolation Layers
Database Isolation
Each organization gets:
- Dedicated database tenant - Separate database per organization
- Per-deployment databases - Each deployment has its own database
- No cross-tenant access - Complete database isolation
- Encrypted storage - Data encrypted at rest
Infrastructure Isolation
Isolation level depends on your deployment configuration:
- Shared resources - Logical isolation with shared infrastructure
- Dedicated resources - Separate compute resources per deployment
- Dedicated networking - Network-level isolation per deployment
- BYOC - Complete infrastructure control in your own cloud account
Network Isolation
Network isolation scales with your needs:
- Shared networking - Logical network segmentation
- Dedicated networking - Isolated network segments per deployment
- Firewall rules - Network-level access controls
- Private networking - Deployments use private network segments
Secret Isolation
Secrets are stored per deployment:
- Per-deployment secrets - Secrets scoped to deployments
- Encrypted storage - Secrets encrypted at rest
- Access controls - Role-based access to secrets
- No cross-deployment access - Secrets isolated per deployment
Organization Boundaries
Organizations provide the tenant boundary:
- Organization-scoped resources - All resources belong to an organization
- User isolation - Users can only access their organization's resources
- API key isolation - API keys scoped to organizations
- Deployment isolation - Deployments isolated by organization
Access Controls
User Access
- Organization membership - Users belong to one organization
- Role-based access - Roles control what users can do
- Deployment access - Access controlled at organization level
API Key Access
- Organization-scoped - API keys access only their organization
- Scope-based permissions - Scopes limit what keys can do
- Resource isolation - Keys cannot access other organizations
Compliance
Data isolation supports compliance requirements including SOC 2, GDPR, and industry-specific standards.
Evolving Isolation
Your isolation model can evolve over time:
- Start simple - Begin with shared infrastructure for cost efficiency
- Increase isolation - Create environments with dedicated infrastructure as needed
- Scale to enterprise - Use dedicated networking or BYOC for compliance requirements
- Same operations - All isolation levels use the same operational workflows
You can have separate Onvera environments with different isolation levels. For example:
- Staging environment on shared infrastructure
- Development environment on dedicated infrastructure
- Production environment on BYOC
All managed through the same Onvera control plane with consistent operational workflows.
Guarantees
Onvera guarantees:
- No data leakage - Data from one organization never accessible to another
- Flexible isolation - Choose the right isolation level for each environment
- Access controls - Multiple layers of access control
- Audit trail - Complete logging of all access
Related Topics
- Security Overview - Security features