Security
Laser-Tight Security.
Secure by Architecture.
No inbound connections. No vendor access to your data. Pull-only control plane designed so that a compromised LaserData is still a safe LaserData.
Architecture
Pull-Only by Design.
The Warden agent on each node initiates all communication with the control plane, over HTTPS, outbound only. No inbound connections exist. No SSH, no SSM, no management agents. Your firewall needs a single outbound HTTPS rule.
Architecture diagram: Warden, running on Your Deployment Node, pulls configs, tasks, and certs from the LaserData Control Plane and reports metrics and heartbeats back to it. Every connection in the diagram originates from the node.
Zero access to your nodes or data: by architecture, not policy
Outbound only
Your firewall permits HTTPS outbound. No open ports, no SSH, no SSM agents required.
Zero push commands
The control plane only queues tasks. Warden pulls each task and verifies its Ed25519 signature before execution; a task that fails verification is never run.
Compromise-resilient
If LaserData's control plane is breached, the attacker still has no path to your nodes or data: nothing can connect inbound, and Warden rejects any task whose signature does not verify.
Networking
Locked down by default.
Every deployment starts with zero network access: no IP, no port, no protocol is reachable by anyone, including LaserData. Nothing opens until you say so.
Access Rules (all plans)
CIDR-based allowlists for every deployment, on every plan. Choose exactly which IP ranges and protocols (TCP, HTTP, WebSocket, UDP) can reach your endpoints. Rules can carry an optional expiry date.
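The default-deny rule model described above, as an added example that is not LaserData's own code: a deployment starts with no rules, and a connection is admitted only if some unexpired rule matches both its source CIDR and its protocol. The `AccessRule` shape, the `Protocol` names, and the sample addresses are assumptions made for this illustration.

```go
// Added example, not LaserData's code: a default-deny evaluator for
// CIDR-based access rules with a per-rule optional expiry.
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Protocol mirrors the protocols the page lists for access rules.
type Protocol string

const (
	TCP       Protocol = "tcp"
	HTTP      Protocol = "http"
	WebSocket Protocol = "websocket"
	UDP       Protocol = "udp"
)

// AccessRule is an assumed shape for one allowlist entry: a source range,
// a protocol, and an optional expiry (the zero time means "never expires").
type AccessRule struct {
	Source  netip.Prefix
	Proto   Protocol
	Expires time.Time
}

// Active reports whether the rule still applies at time now. An expired
// rule is treated exactly as if it had been deleted.
func (r AccessRule) Active(now time.Time) bool {
	return r.Expires.IsZero() || now.Before(r.Expires)
}

// Allowed is the default-deny check: with no rules nothing is reachable, and a
// connection is admitted only when an unexpired rule matches both the source
// address and the protocol. Nothing in the loop can widen access by accident;
// the only way to return true is an explicit matching rule.
func Allowed(rules []AccessRule, now time.Time, src netip.Addr, proto Protocol) bool {
	for _, r := range rules {
		if !r.Active(now) {
			continue
		}
		if r.Proto == proto && r.Source.Contains(src) {
			return true
		}
	}
	return false
}

// MustRule builds a rule from a CIDR string and panics on malformed input, so
// a typo in a rule fails loudly instead of silently admitting nothing or everything.
func MustRule(cidr string, proto Protocol, expires time.Time) AccessRule {
	p, err := netip.ParsePrefix(cidr)
	if err != nil {
		panic(fmt.Sprintf("bad CIDR %q: %v", cidr, err))
	}
	return AccessRule{Source: p.Masked(), Proto: proto, Expires: expires}
}

func main() {
	now := time.Date(2025, 1, 15, 12, 0, 0, 0, time.UTC)
	// Constructed sample rule set: an office range allowed for TCP without
	// expiry, and a contractor range for HTTP whose rule expired a day ago.
	rules := []AccessRule{
		MustRule("203.0.113.0/24", TCP, time.Time{}),
		MustRule("198.51.100.0/24", HTTP, now.Add(-24*time.Hour)),
	}
	for _, c := range []struct {
		src   string
		proto Protocol
	}{
		{"203.0.113.7", TCP},   // allowed: in range, allowlisted protocol
		{"203.0.113.7", UDP},   // denied: UDP not allowlisted for that range
		{"198.51.100.9", HTTP}, // denied: the matching rule has expired
		{"192.0.2.1", TCP},     // denied: no rule covers this range
	} {
		fmt.Printf("%s over %s -> allowed=%v\n", c.src, c.proto,
			Allowed(rules, now, netip.MustParseAddr(c.src), c.proto))
	}
}
```

The evaluator takes `now` as a parameter rather than calling `time.Now()` so that expiry behaviour can be tested deterministically and so that an auditor can replay a decision at a given timestamp.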
VPC Peering (AWS · GCP · Pro+)
Create a direct private network path between your VPC and a Managed deployment on AWS or GCP. Traffic never traverses the public internet; it stays on the cloud provider's backbone.
PrivateLink (AWS · Pro+)
Expose your AWS Managed deployment as a VPC Endpoint Service. Consumers in your account (or other authorized accounts) connect privately, with no CIDR coordination and no internet exposure.
Private Service Connect (GCP · Pro+)
The GCP equivalent of PrivateLink. Expose your Managed deployment as a PSC service attachment. Multiple consumers connect privately from their own VPCs without sharing network space.
Security Model
Six layers of protection.
Pull-Only, Zero Vendor Access
Warden initiates all connections outbound. The control plane cannot push commands: even if fully compromised it cannot reach your nodes, filesystems, or data.
Complete Tenant Isolation
Every deployment runs on dedicated VMs with its own storage, never on shared serverless infrastructure. No cross-tenant memory, no shared filesystem, no shared network paths.
End-to-End Encryption
TLS on all connections. Optional per-deployment AES message encryption before write. Every binary is Ed25519-signed, and every control-plane task is signature-verified before execution. Per-deployment certificates are issued from a LaserData private root CA through an intermediate; the public HTTPS API is fronted by Let's Encrypt. All certificates are provisioned and rotated automatically.
SSO & Scoped API Keys
Sign in via Google, GitHub, or Microsoft; no passwords are stored. API keys carry scoped permissions, a mandatory expiry (at most 365 days), optional IP allowlisting, and can be revoked instantly.
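The API key properties listed above, worked through as an added example rather than LaserData's own code: the 365-day cap is enforced at issuance so an over-long or never-expiring key cannot exist, and each authorization checks revocation, expiry, scope, and source address in that order. The `APIKey` record, the scope names, and the sample addresses are assumptions for this illustration; a real store would hold a hash of the key secret, which the `ID` field stands in for here.

```go
// Added example, not LaserData's code: issuance and authorization checks for
// scoped API keys with a mandatory expiry, optional IP allowlist, and revocation.
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// MaxKeyLifetime is the page's stated cap on API key expiry.
const MaxKeyLifetime = 365 * 24 * time.Hour

// APIKey is an assumed record shape. ID stands in for the key's hashed secret.
type APIKey struct {
	ID        string
	Scopes    map[string]bool
	IssuedAt  time.Time
	ExpiresAt time.Time
	AllowIPs  []netip.Prefix // empty means the key is not IP-restricted
	Revoked   bool
}

var (
	ErrLifetime = errors.New("expiry must be set and at most 365 days after issuance")
	ErrRevoked  = errors.New("key revoked")
	ErrExpired  = errors.New("key expired")
	ErrScope    = errors.New("scope not granted to this key")
	ErrSourceIP = errors.New("source address not in the key's allowlist")
)

// Issue enforces the mandatory-expiry rule at creation time: a key with no
// expiry, a non-future expiry, or a lifetime over the cap is never created.
func Issue(id string, scopes []string, issued, expires time.Time, allow []netip.Prefix) (*APIKey, error) {
	if expires.IsZero() || !expires.After(issued) || expires.Sub(issued) > MaxKeyLifetime {
		return nil, ErrLifetime
	}
	k := &APIKey{ID: id, Scopes: map[string]bool{}, IssuedAt: issued, ExpiresAt: expires, AllowIPs: allow}
	for _, s := range scopes {
		k.Scopes[s] = true
	}
	return k, nil
}

// Revoke takes effect on the very next Authorize call; there is no grace period.
func (k *APIKey) Revoke() { k.Revoked = true }

// Authorize checks revocation first, then expiry, then the requested scope,
// and finally the caller's source address against the optional allowlist.
func (k *APIKey) Authorize(now time.Time, scope string, src netip.Addr) error {
	switch {
	case k.Revoked:
		return ErrRevoked
	case !now.Before(k.ExpiresAt):
		return ErrExpired
	case !k.Scopes[scope]:
		return ErrScope
	}
	if len(k.AllowIPs) == 0 {
		return nil
	}
	for _, p := range k.AllowIPs {
		if p.Contains(src) {
			return nil
		}
	}
	return ErrSourceIP
}

func main() {
	issued := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	office := netip.MustParsePrefix("203.0.113.0/24") // constructed sample range
	// A two-year key is refused at issuance.
	if _, err := Issue("k-long", []string{"deployments:read"}, issued, issued.AddDate(2, 0, 0), nil); err != nil {
		fmt.Println("issue two-year key:", err)
	}
	key, err := Issue("k-ci", []string{"deployments:read"}, issued, issued.AddDate(0, 0, 90), []netip.Prefix{office})
	if err != nil {
		panic(err)
	}
	now := issued.AddDate(0, 0, 30)
	in, out := netip.MustParseAddr("203.0.113.5"), netip.MustParseAddr("192.0.2.1")
	fmt.Println("read from office:", key.Authorize(now, "deployments:read", in))
	fmt.Println("write from office:", key.Authorize(now, "deployments:write", in))
	fmt.Println("read from elsewhere:", key.Authorize(now, "deployments:read", out))
	fmt.Println("read after expiry:", key.Authorize(issued.AddDate(0, 0, 91), "deployments:read", in))
	key.Revoke()
	fmt.Println("read after revocation:", key.Authorize(now, "deployments:read", in))
}
```

Revocation is checked before anything else so that a revoked key is refused even when every other property is still valid, and the sentinel errors let a caller log the precise reason without leaking it to the client.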
Your Cloud, Your Keys
LaserData assumes a scoped IAM role in your AWS or GCP account for provisioning only: no S3, no Secrets Manager, no SSM. VMs, disks, and VPC belong to you. Revoke access at any time.
Audit-Ready Logging
Every access rule change, API key operation, and VPC peering event is recorded in the audit log with actor identity and timestamp. Encrypted at rest.
Encryption
Encrypted at every layer.
No plaintext credentials in logs, configs, or error messages. No exceptions.
TLS on all inter-component and client connections, including Warden polling and stream-client traffic.
Messages persisted to NVMe and Network Drive are encrypted before write. Keys are scoped per cluster.
Every control-plane task that Warden receives is signed and verified before execution. Tampered payloads are rejected.
Release binaries are signed. Warden verifies the signature before running any updated component.
Each deployment gets a unique certificate issued from a per-deployment intermediate chained to a LaserData private root CA. The public HTTPS API is fronted by Let's Encrypt (ACME). All certs are provisioned and rotated automatically; no manual management.
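The signed-task step, described under "Zero push commands" above and again in this section ("every control-plane task that Warden receives is signed and verified before execution"), as an added example using Go's standard-library Ed25519. This is not Warden's or LaserData's code: the `Task` fields, the `SignedTask` envelope, and the sample task are assumptions for illustration. The signer side is shown only so the verifier can be exercised; the point of the design is that a node holds the public key alone, so a compromised queue can replay or alter bytes but cannot produce a signature Warden will accept. That guarantee rests on the private signing key being held apart from the queue itself.

```go
// Added example, not Warden's code: sign a queued task, then verify it on the
// agent side before parsing, rejecting tampered or foreign-signed payloads.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Task is an assumed shape for one queued control-plane task.
type Task struct {
	ID         string   `json:"id"`
	Deployment string   `json:"deployment"`
	Command    string   `json:"command"`
	Args       []string `json:"args"`
}

// SignedTask is what the agent pulls: the exact bytes that were signed plus the
// signature. Signing the serialized bytes, not the struct, removes any
// canonicalisation mismatch between signer and verifier.
type SignedTask struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

var ErrBadSignature = errors.New("task signature does not verify; refusing to execute")

// SignTask is the control-plane side. The private key is the one secret the
// whole scheme depends on and never needs to exist on a node.
func SignTask(priv ed25519.PrivateKey, t Task) (SignedTask, error) {
	payload, err := json.Marshal(t)
	if err != nil {
		return SignedTask{}, err
	}
	return SignedTask{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyTask is the agent side: verify first, parse second, and never hand a
// task to an executor unless the signature checked out.
func VerifyTask(pub ed25519.PublicKey, st SignedTask) (Task, error) {
	if len(st.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, st.Payload, st.Signature) {
		return Task{}, ErrBadSignature
	}
	var t Task
	if err := json.Unmarshal(st.Payload, &t); err != nil {
		return Task{}, err
	}
	return t, nil
}

// Tamper models an attacker who controls the queue but not the signing key:
// the payload is edited while the original signature is left in place.
func Tamper(st SignedTask, old, repl string) SignedTask {
	return SignedTask{
		Payload:   bytes.ReplaceAll(st.Payload, []byte(old), []byte(repl)),
		Signature: st.Signature,
	}
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample task.
	task := Task{ID: "task-001", Deployment: "dep-demo", Command: "rotate-certs"}
	st, err := SignTask(priv, task)
	if err != nil {
		panic(err)
	}
	if got, err := VerifyTask(pub, st); err == nil {
		fmt.Println("genuine task accepted:", got.Command)
	}
	_, err = VerifyTask(pub, Tamper(st, "rotate-certs", "exec-shell"))
	fmt.Println("edited payload:", err)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := SignTask(otherPriv, Task{ID: "task-002", Deployment: "dep-demo", Command: "exec-shell"})
	_, err = VerifyTask(pub, forged)
	fmt.Println("task signed with an unknown key:", err)
}
```

Verifying before unmarshalling matters: the JSON decoder never sees attacker-controlled bytes unless they carry a valid signature, which keeps parser bugs out of the attack surface of an unauthenticated queue.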
Data Sovereignty
Your cloud. Your keys. Your rules.
LaserData deploys into your cloud account. The VMs, disks, and network are yours: we manage them, but we never own them.
Deploy in your account
Provision into AWS or GCP using a scoped IAM role: EC2 lifecycle, networking, and EBS only. No S3, no Secrets Manager, no SSM. LaserData has no access to your application data.
Stay in your region
Choose any supported region. Data never leaves your designated geography. VPC Peering, PrivateLink, and Private Service Connect keep traffic off the public internet entirely.
No standing access
No SSH keys, no management agents, no bastion hosts. Managed nodes run with no IAM instance profile. Warden authenticates with pre-provisioned credentials scoped to that node only.
Single-node to multi-cluster
Security posture is consistent whether you run a single node or a multi-region cluster. Isolation guarantees don't depend on scale.
Security you can verify.
LaserData Cloud is available with a free tier. We’re onboarding teams selectively with dedicated support.