UNIQUE can deploy a customer environment as its own (single) separated tenant on UNIQUE’s enterprise subscription. That way all data storage and data processing is encapsulated in this landing zone and separated from all other customers.
Overview
Azure Application Gateway
Web application firewall is filtering all requests optionally
IP blocking can be configured in the web application firewall optionally
Azure Storage Accounts
data at rest is secured with soft delete for 30 days
data is backed-up with 14 days backup retention and RPO of 24h
Azure OpenAI Deployments
prompts are filtered using Azure content filtering
prompts and responses are not stored or reviewed by Microsoft (Azure abuse monitoring)
TYK Application Gateway
validates JWTs
Incoming requests are rate-limited
SSO
SSO can be configured to connect to customer IDP using Entra ID, OIDC, SAML, and other methods supported by Zitadel
Encryption
All data at rest is encrypted using keys managed by UNIQUE
BYOK is possible where the customer is managing the keys
Data classification
Zitadel only processes and stores user authentication data
Redis does not store any customer data, only state
Azure keyvault stores encryption keys and secrets
All other services and data storages store data of classification level confidential, internal or public depending on the customers restrictions on data classifications to use on UNIQUE
Author |
---|