Single Tenant Vending Form

Single Tenant Vending Form

To start discussing a single tenant, the following questions around compliance, tenant properties and capacity planning have to be answered.


Area

Needed as per

Clarification

Options

Further information

Area

Needed as per

Clarification

Options

Further information

Compliance

Upfront

Where can the Unique employees maintain the solution be from?

  • Globally

  • US + EU/Switzerland/UK

  • EU, Switzerland + UK

  • Switzerland Only

  • US Only

From which locations is Unique allowed to access the single tenant to provide support.

Compliance, Data Residency

In which Azure region should the primary deployment reside?

  • All regions from Azure

https://azure.microsoft.com/en-us/explore/global-infrastructure/geographies/#overview

Which Azure regions could be used for any OpenAI or LLM interactions?

  • Global Standard

  • Datazone Standard

  • Regional: ___________________

More regions = more flexibility and potentially better quality.

Check regions for OpenAI Models here: Azure OpenAI in Azure AI Foundry Models - Azure OpenAI

Compliance, Email Data Sub-processing

How and if would you like the IDP from Unique AI to communicate with you?

  • We bring our own SMTP credentials

  • We don’t need email notifications (SSO)

  • We allow processing by Uniques Email Server

See Outgoing notifications

Tenant Settings, Domain

Which x.unique.app URL do you choose?

  • _________________.unique.app

You can select your subdomain yourselves. The self-selected URL must at least be 4 characters long and should not exceed a human readable length otherwise no one can type that.

The format is always https://<selection>.unique.app.

The name must not be generic like my.unique.app or genai.unique.app but a bit dedicated like customer-alias-prod.unique.app or so. Unique reserves the right to reject an URL if it was chosen without their consent.

You must consent in written form that this URL will appear in Uniques code base as part of the Infrastructure/Configuration as Code.

The URL can’t be changed afterwards without significant effort (timeline and monetary impact).

Tenant Settings, Tab Name

Anytime, the earlier the better

image-20250605-105725.png
Tab Name

 

_________________________

 

Tenant Settings, Theme

You can change the theme anytime later on. It though makes sense to start early so the tenant can be presented from start in the desired appearance.

Style Unique AI to your Corporate Identity

 

Tenant Settings, Feature Flags and Settings

Get in touch with your SPOC to define certain behavior up front.

 

You find various product options in Technical Product Administration, feel free to request certain administrative configurations up front to ease your start.

  •  

Tenant Settings, SSO

If you want to bring your own SSO or SAML, prepare the information and credentials as early as possible with your central team(s).

Unique leverages Zitadel as its IDP - that means all Identity Providers from Zitadel are supported.

Further options

Mobile Apps

Mobile setups with managed devices repeatedly surfaced to be tricky. Make sure to prepare your landscape as early as possible as outlined in https://unique-ch.atlassian.net/wiki/x/JwBdMw.

If you chose IP-Blocking below, ensure repeatedly that the devices always use authorized IP ranges.

Outgoing notifications

If the client would like that our IDP sends out e-mails (for sign-up confirmations, 2FA with e-mail, password change links etc.), they must either trust the @unique.ch e-mail domain as we will send them via our mail server or they must provide a valid SMTP configuration themselves in an encrypted way to us.

You can read in the FAQ Security section how Unique is DMARC compliant.

Unique does not host e-mail services, there are enough out there to do so.

IP-Blocking

Unique Single Tenants can be isolated using IP-Filtering on the Application Gateway. This option shall be considered carefully as it has a functionality as well as monetary impact. Approach your SPOC to discuss this option.

Unique Employees (Support or Solution Engineering) will be allow-listed using Uniques VPN and Office Outbound IP-Addresses.

IP block costs ~500$ per month in Azure costs (using Azure Application Gateway Web Application Firewall) and increases management effort to manage for both parties.

Also, repeatedly toggling the blocking on and off is subject to additional service charges.

If desired, you must provide your complete list of IP-Addresses and CIDR ranges to the Unique SPOC. By providing the list you agree that the content will be used in infrastructure as code.

You also agree to sport the necessary knowledge internally to debug 403 errors thrown by the Gateway to investigate why certain requests from your IPs don’t work.


Author

Solution Engineering

 

 

© 2025 Unique AG. All rights reserved. Privacy PolicyTerms of Service