Security Architecture - Single-tenant Chat

UNIQUE can deploy a customer environment as its own separate (single) tenant on UNIQUE’s enterprise subscription. That way all data storage and data processing are encapsulated in this landing zone and separated from all other customers.

Overview

Azure Application Gateway

  • A web application firewall (WAF) can optionally filter all incoming requests

  • IP blocking can optionally be configured in the WAF

Azure Storage Accounts

  • Data at rest is protected against accidental or malicious deletion by soft delete with a 30-day retention period

  • Data is backed up with a 14-day backup retention and a recovery point objective (RPO) of 24 hours

Azure OpenAI Deployments

TYK Application Gateway

  • Validates JWTs on incoming requests

  • Incoming requests are rate-limited
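The two checks listed for the gateway, JWT validation and rate limiting, are modelled below in a small standard-library Python script. This is an added example, not code from UNIQUE or from Tyk. It assumes an HS256 shared secret (a production gateway would instead verify RS256 signatures against the IdP's JWKS), a fixed issuer and audience (`ISSUER`, `AUDIENCE`), and a per-subject token bucket; all of these values are constructed for the example.

```python
"""Added example (not UNIQUE's or Tyk's code): the two checks the API
gateway performs in front of the chat backend, modelled with the standard
library only. Assumed, not from the page: HS256 with a shared secret instead
of RS256/JWKS, a fixed issuer/audience pair, and a per-subject token bucket."""
import base64
import hashlib
import hmac
import json

SECRET = b"example-shared-secret"       # constructed; a real gateway fetches a JWKS
ISSUER = "https://idp.example.test"      # assumed issuer (the customer's IdP)
AUDIENCE = "unique-chat"                 # assumed audience (the chat API)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Issue a test token (stands in for the IdP); `alg` is only what the header says."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_jwt(token: str, now: float) -> dict:
    """Return the claims if the token is acceptable at time `now`, else raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:                      # covers unpack, base64 and JSON errors
        raise ValueError("malformed token")
    # Pin the algorithm: the token must never choose it (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    if "sub" not in claims:
        raise ValueError("missing subject")
    return claims


class TokenBucket:
    """Per-subject token bucket allowing `rate` requests per `per` seconds."""

    def __init__(self, rate: int, per: float):
        self.rate, self.per = rate, per
        self.state = {}                      # sub -> (tokens, last_timestamp)

    def allow(self, sub: str, now: float) -> bool:
        tokens, last = self.state.get(sub, (float(self.rate), now))
        tokens = min(self.rate, tokens + (now - last) * self.rate / self.per)
        if tokens < 1:
            self.state[sub] = (tokens, now)
            return False
        self.state[sub] = (tokens - 1, now)
        return True


def gateway_decide(token: str, bucket: TokenBucket, now: float) -> tuple:
    """Mimic the gateway: 401 for a rejected token, 429 when over the limit, else 200."""
    try:
        claims = validate_jwt(token, now)
    except ValueError as err:
        return 401, str(err)
    if not bucket.allow(claims["sub"], now):
        return 429, "rate limited"
    return 200, claims["sub"]


if __name__ == "__main__":
    t0 = 1_700_000_000.0                   # constructed clock value
    good = mint_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "exp": t0 + 300})
    bucket = TokenBucket(rate=3, per=60)
    for i in range(5):                     # 3 accepted, then 429 once the bucket is empty
        print(gateway_decide(good, bucket, t0 + i))
    forged = mint_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "mallory", "exp": t0 + 300},
                      secret=b"wrong-secret")
    print(gateway_decide(forged, bucket, t0))   # rejected before any rate-limit state is touched
```

Two details matter in practice and are reflected above: the algorithm is pinned by the verifier rather than read from the token header, and rate limiting is keyed on the validated `sub` claim, so an unauthenticated client cannot exhaust another user's quota.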

SSO

  • SSO can be configured to connect to the customer’s IdP via Entra ID, OIDC, SAML, and the other methods supported by Zitadel

Encryption

  • All data at rest is encrypted using keys managed by UNIQUE

  • BYOK (bring your own key) is possible, in which case the customer manages the keys

Data classification

  • Zitadel only processes and stores user authentication data

  • Redis does not store any customer data, only state

  • Azure keyvault stores encryption keys and secrets

  • All other services and data stores hold data of classification level confidential, internal, or public, depending on which data classifications the customer permits for use on UNIQUE


Author

@Michael Dreher



© 2024 Unique AG. All rights reserved.