Platform / Security

Your data stays in your cloud. Under your control

Tessell runs every database inside your own cloud account, secured with your keys. Your data never leaves your perimeter.

The Tessell difference

Security that starts with your architecture, not ours

Most managed database services ask you to move your data into their environment. Tessell does the opposite. Your databases run where your data already lives, under governance you already control.

Runs in your account
Runs in your accountEvery database, snapshot, backup, and log lives in your own cloud tenant, inside your VPCs and security boundary. Tessell does not host or store your data.
Your keys, your control
Your keys, your controlBring your own encryption keys, OS images, and security posture. Data is encrypted at rest and in transit, and you hold the keys throughout.
No inbound access
No inbound accessThe control plane never connects into your environment. Agents make outbound-only calls over HTTPS, so there are no inbound ports to open.
Architecture

Two planes. Your data stays in one of them.

Tessell separates the management layer from the data layer. The control plane runs in Tessell's cloud and holds only metadata about your services. The data plane runs in your cloud account and holds everything else. Because your data never flows to Tessell, Tessell acts as a tool you operate, not a processor. You stay in control of what runs, where it runs, and who can reach it.

FeatureDetail
Encryption and access

Protected at every layer

The same controls apply across every engine and every cloud you run

TLS 1.2+

Encrypted in transit

All traffic is secured with TLS, enforced at a minimum of TLS 1.2, using strong cipher suites for every connection.

AES-256 · BYOK

Encrypted at rest

Databases and backups are encrypted at rest with cloud-native encryption. Bring your own customer-managed keys through AWS KMS or Azure Key Vault.

PrivateLink

Private connectivity

Keep control-plane to data-plane traffic off the public internet with AWS PrivateLink and Azure Private Link.

MFA · RBAC · SSO

Controlled access

Multi-factor authentication, role-based access with least privilege, and SSO through Okta, Google, or Microsoft Entra ID, with revocable tokens.

Data residency

Your cloud. Your region. Your rules.

Choose where every database runs and in which region, and keep the keys, images, and tooling that go with it. Data stays in the account and region you select, and nothing is copied out to run the platform. And bring your own:

  • Encryption keys
  • Custom OS images
  • Security and compliance posture
  • Third-party tooling and integrations
FeatureDetail
How we operate

Security built into how we build and run

The same rigor applies to our people, our code, and our infrastructure, every day, not just at audit time.

Practice
Secure development
Tested by outsiders
Vetted people
Watched around the clock
What it means
Every change follows a secure development lifecycle aligned to the OWASP Top 10, with static and dynamic testing across the codebase.
Independent penetration testing and continuous vulnerability scanning on production and internet-facing systems.
Background checks, confidentiality agreements, and ongoing security training for everyone with access.
Continuous monitoring with alerting on anomalies before they become incidents.
Certifications and compliance

Independently audited. Continuously renewed.

Tessell maintains the certifications enterprise security teams look for, in production across financial services, energy, healthcare, and government.

SOC 2 Type II

SOC 2 Type II

AICPA Service Organization Control. Validates security controls operating effectively over time. Report available on request.

PCI DSS v4.1

PCI DSS v4.1

Payment Card Industry Data Security Standard, aligned to the current v4.1 requirements.

ISO/IEC 27001:2022

ISO/IEC 27001:2022

Information Security Management System. Passed the latest surveillance audit with zero non-conformities.

ISO/IEC 27701:2019

ISO/IEC 27701:2019

Privacy Information Management System. Extends ISO 27001 to privacy and PII handling.

SOC Report

Because your databases run inside your own account and your data stays under your governance, Tessell supports the compliance posture you already maintain, including GDPR, DORA, and PCI DSS, without taking custody of your data. Your residency, sovereignty, and access controls remain yours to define, cloud by cloud and region by region.

Fortune 500 companies, global banks, and government agencies trust Tessell with their most critical databases

aon
aon
csx
landis
moody
collectors
Frequently Asked
Questions
Inside your own cloud account and VPCs. Every database, snapshot, backup, and log stays in your tenant. The control plane holds only metadata, and your data never leaves your perimeter.
No. Tessell does not host or store your data, and the control plane never connects inward. Access stays governed by your own IAM, keys, and policies, and agents make outbound-only calls over HTTPS.
Yes. Encryption at rest uses customer-managed keys through AWS KMS or Azure Key Vault, and all traffic is encrypted in transit with TLS 1.2 or higher. You hold the keys throughout.
SOC 2 Type II, ISO/IEC 27001, ISO/IEC 27701, and PCI DSS v4.1, independently audited and continuously renewed. The SOC 2 report is available on request.
Tessell does not hold FedRAMP or HIPAA certification. Because your databases run inside your own account and your data stays under your governance, Tessell supports the compliance posture you already maintain, including GDPR, DORA, and PCI DSS, without taking custody of your data.
Yes. You choose the cloud, account, and region for every database, and nothing is copied out to run the platform, so your residency and sovereignty requirements stay enforced.
It was always in your account, so there is nothing to extract and hand back. Your databases stay where they already run.
Yes. A specialist walks your team through the architecture, shares the SOC 2 report and supporting documentation, and completes your security questionnaire.
Have a security review coming up?

Talk to a specialist. We will walk your team through the architecture, share our reports, and answer your security questions.