Security and Compliance

Your databases, inside your perimeter, under your compliance controls

Tessell runs your databases inside your own cloud account, under your own encryption keys, on your own network, with the control plane operating from outside your perimeter. For regulated enterprises, data sovereignty is built into the architecture, not promised in a contract.

Trusted by regulated enterprises

Fortune 500 US Bank

Zero public internet exposure

Leading Healthcare Data Platform

67.5 TB migrated, zero compliance gaps

US State IT Services Provider

Public sector compliance on Azure

The problem

Compliance is easy to claim. Custody is harder

For regulated data, the hardest security question was never which controls you have. It is where your data actually lives, and who can reach it.
Managed simplicity usually meant your data living in someone else’s infrastructure.

Managed simplicity usually meant your data living in someone else’s infrastructure.

That is a reasonable trade for the operational relief, but for regulated data, where the data sits and who can reach it stays an open question.
Compliance stopped being a point-in-time event.

Compliance stopped being a point-in-time event.

Frameworks multiply, audit cadences tighten, and regulators increasingly expect continuous evidence rather than an annual snapshot. When the question comes, the answer has to be assembled across systems - and it is rarely as current as you would like.
Where data lives is now a board-level question.

Where data lives is now a board-level question.

Data residency, sovereignty, and who can access what across regions are no longer just technical details. They are regulatory and reputational concerns - and answering them precisely requires knowing exactly where every database sits and who can reach it.
The architectural answer

Sovereignty is a choice you get to make

One architectural decision shapes everything else. Tessell runs the same platform across a choice of deployment options, so you decide how much we manage and how much stays entirely within your perimeter, down to your own cloud account.

Full Data Sovereignty

The data plane runs inside your own cloud account, under your encryption keys and your network policies. Tessell's control plane manages operations from outside your perimeter. Your data never leaves your account.

  • Full data sovereignty: data plane in your own account (BYOA)
  • Your encryption keys (BYOK) and your network (BYON)
  • Private-only access, no public internet exposure

Best for regulated enterprises and governments with strict data sovereignty requirements.

/
What this gives you

Your data, your controls, your tooling - all within your perimeter

Data sovereignty is not a single feature. It is what becomes possible when the data plane runs in your own account: your keys, your network, and your existing security stack all stay in your hands.

/

Your data doesn’t leave your perimeter.

Data plane in your account (BYOA) Private-only access (PrivateLink)Least-privilege operator role

With VPT@Customer, the data plane runs inside your own cloud account. Tessell manages operations through a scoped service principal limited to specific resource groups, with private-only connectivity and no public internet exposure. Tessell never holds your data.

A Fortune 500 US bank deployed a fully private five-node production cluster on AWS, eliminating public internet exposure and keeping all administrative traffic within its secure perimeter.
/

Your keys. Your network. Your standards.

Data plane in your account (BYOA)BYON: Your network. Your security policies BYOI: Your software images

Encryption keys stay under your control through your own KMS or Key Vault. Databases deploy into your own network topology with your security policies applied. Tessell operates within the boundaries you define, never around them.

A Fortune 500 Professional Services Firm

BYOK enforced through an AWS-to-Azure migration
Encryption keys remained under the customer's control across a full cloud migration, with 99.99% platform availability maintained throughout.
/

Integrated with the security and observability tools you already run.

Vulnerability scanningSIEM & log management Observability & monitoringDatabase monitoring Identity & authentication

Tessell connects to your existing monitoring, security, and analytics stack rather than asking you to adopt a new one. Vulnerability scanning, log management, and observability flow into the tools your teams already operate, with enterprise authentication through your directory.

A Leading Healthcare Data Platform

67.5 TB migrated with zero compliance gaps
18 Oracle databases brought onto Tessell with full observability and private connectivity maintained throughout a HIPAA-regulated migration.
Certifications and Attestations

The compliance baseline your procurement team is looking for.

Tessell maintains the certifications and attestations enterprise security and procurement teams evaluate first. Because your data plane runs inside your own account, your databases operate within your compliance perimeter - under your controls, your audit trail, and your governance.

pcidss

PCI DSS v4.1

Privacy information management

pcidss

ISO 27001

Information security management

pcidss

ISO/IEC 27701

Privacy information management

pcidss

SOC 2

Security, availability & confidentiality controls

Sovereignty, proven in production

A Fortune 500 bank runs production on Tessell with zero public internet exposure.

For one of the largest banks in the US, moving database operations to the cloud could not mean moving data out of its control. With VPT@Customer, it didn't have to.

VPT@Customer on AWS · Oracle 5-node production cluster

[@portabletext/react] Unknown block type "span", specify a component for it in the `components.types` prop

headshot
0Public internet exposure - fully private via PrivateLink
5-nodeProduction cluster, entirely within the bank's own account
QuarterlyCross-region DR drills with regulatory documentation
BYOKCustomer-managed keys, customer-controlled network
Get Started

See what running databases on your own terms looks like.

Talk through the VPT@Customer architecture with a Tessell security architect, or request a security review that maps Tessell to your specific compliance and data sovereignty requirements.

Frequently Asked
Questions
With the VPT@Customer deployment model, your data plane runs inside your own cloud account, in your own VPC, in the regions you choose. Your databases, storage, and backups stay within your perimeter. Tessell's control plane manages operations from outside that perimeter and never hosts your data.
Tessell manages your databases through a scoped, least-privilege role limited to specific resource groups in your account - not broad access to your environment. With Bring Your Own Key (BYOK), your encryption keys remain under your control in your own KMS or Key Vault. Tessell never holds your keys and does not have standing access to your data.
Tessell maintains PCI DSS v4.1, SOC 2, ISO/IEC 27001 (information security management), and ISO/IEC 27701 (privacy information management). These reflect Tessell's own security and privacy posture as a platform.
Yes. HIPAA is a regulatory framework rather than a certification, so there is no "HIPAA certified" status for any vendor to claim. Tessell's architecture is built to support HIPAA-regulated environments - and healthcare data platforms run regulated workloads on Tessell today with full observability and private connectivity. Because your data stays within your own account and governance controls, your databases operate inside your compliance perimeter.
You do. Encryption keys are managed in your own cloud key management service - AWS KMS or Azure Key Vault - and remain under your control. Encryption at rest is enabled by default using cloud-native disk encryption, and BYOK lets you bring and manage your own keys for full key sovereignty.
Yes. Tessell connects to the monitoring, security, and analytics stack you already run rather than requiring a new one. Documented integrations span vulnerability scanning, SIEM and log management, observability and monitoring, and database monitoring - including Qualys, Splunk, Datadog, New Relic, Sumo Logic, and Oracle Enterprise Manager - alongside enterprise authentication through your directory.
They do not need to be. Tessell supports private-only access through AWS PrivateLink and Azure Private Link, with databases deployed into your own network topology. A Fortune 500 bank running production on Tessell operates with zero public internet exposure - all administrative and management traffic stays within its own secure perimeter.
In most managed services, your databases run in the provider's infrastructure. With VPT@Customer, the data plane runs inside your own cloud account - your VPCs, your keys, your network policies, while Tessell manages operations from outside your perimeter. You get the operational simplicity of a managed service while your data remains under your control and governance.Learn More
Tessell is an independently verified holder of PCI DSS v4.1, SOC 2, ISO 27001, and ISO 27701.
Tessell is not FedRAMP authorized. Because Tessell runs entirely inside your own cloud account, under your own encryption keys and network controls, it supports the compliance posture you are required to maintain, including for regulated and public-sector workloads.
In the cloud account, region, and VPCs you choose. Your data and backups stay within your perimeter, under your governance and sovereignty controls.