---
title: Deployment | Keycard
description: Understanding Keycard's deployment options for different security and compliance needs
---

Keycard offers four different deployment models, providing customers with different characteristics and pricing models to suit the needs of developers, small companies, and the world’s largest enterprises.

- **Keycard Cloud**: Multi-tenanted deployment of Keycard without any Enterprise features such as SSO, Audit Log Export, Bring Your Own Key, and Private Networking.
- **Keycard Dedicated Enterprise Cloud**: Single-tenanted deployment of a Data Plane in Keycard’s Cloud for a specific Enterprise Customer with all Enterprise Features. The control plane is shared across all enterprise customers.
- **Keycard Enterprise Bring Your Own Cloud (Coming Soon)**: Ability to deploy a data plane tenant into a customer’s cloud, ensuring that all traffic only passes through their VPC.

By default, when you sign up for Keycard, your account will be assigned to Keycard Cloud. To gain access to our Enterprise deployment options, please contact <sales@keycard.ai>.

---

## Keycard Cloud (Multi-Tenant)

Keycard’s standard deployment model. Keycard uses a cell-based architecture which ensures high availability, performance and security. It consists of a control plane that manages the provisioning of zones across many Keycard-managed data planes.

Data planes are responsible for zone management (such as zone, resource, and application creation) and zone operations (such as OAuth handshakes and token exchange). They are self-contained and operate without any control plane dependencies, ensuring high availability and a reduced blast radius.

### Architecture

![hybrid cloud architecture](/images/light/hybrid-cloud.png)

### Characteristics

- **Shared Infrastructure**: Zones from multiple customers run on shared data planes
- **Logical Isolation**: Each zone has isolated data encryption keys, credentials, and audit logs
- **High Availability**: Automatic failover and redundancy across multiple cells
- **Global Reach**: Access from anywhere via public endpoints
- **Managed Operations**: Keycard handles all infrastructure management and scaling

### Best For

- **Startups and scale-ups** getting started with Keycard
- **Development and staging environments** before production deployment
- **Applications without strict data residency requirements**
- **Teams prioritizing speed and simplicity** over dedicated infrastructure

### Networking

![keycard cloud networking](/images/light/networking-cloud.png)

In the context of Keycard Cloud and Keycard Enterprise Cloud, all traffic flows through our WAF and then over a private link to the data plane. For customers with configured KMS keys, traffic between our Vault and their KMS instance travels over a private network.

---

## Enterprise Cloud (Dedicated Cell)

A dedicated data plane for your zones. Dedicated Enterprise Cloud comes with AWS PrivateLink secure connectivity to the Keycard cloud, giving you a unidirectional communication link between your environment and Keycard Cloud.

Keycard’s Dedicated Enterprise Cloud provides runtime isolation, avoiding noisy neighbour problems or any potential memory sharing with other Keycard customers. This provides you with the highest trust in data privacy.

Keycard’s Dedicated Enterprise Cloud is unidirectional, and data flows from your cloud to Keycard Cloud. Keycard does not have access to your internal network.

### Architecture

![enterprise cloud architecture](/images/light/enterprise.png)

### Characteristics

- **Dedicated Data Plane**: Your zones run on infrastructure exclusively allocated to your organization
- **AWS PrivateLink**: Unidirectional private connectivity from your VPC to Keycard
- **Runtime Isolation**: Complete isolation from other Keycard customers at runtime
- **No Noisy Neighbors**: Predictable performance without resource contention
- **Private Network Traffic**: Data never traverses the public internet during runtime operations
- **Enhanced Security**: Reduced attack surface with private connectivity

### Networking

![dedicated cell networking](/images/light/networking-dedicated-tenant.png)

A dedicated data plane for your zones. Dedicated Enterprise Cloud comes with AWS PrivateLink connectivity directly to the data plane, giving you a unidirectional communication link between your environment and Keycard Cloud. This keeps your data single-tenant (on your dedicated data plane) and increases availability by bypassing Keycard’s control plane for runtime traffic. All data flows directly between your cloud and the Dedicated Enterprise Cloud, so your data never leaves AWS’s private network.

### Private Connectivity

**AWS PrivateLink** provides a secure, private link between your infrastructure and Keycard:

- **Unidirectional**: Traffic flows from your environment to Keycard only
- **No Ingress**: Keycard cannot initiate connections into your network
- **IP Allowlisting**: Optionally restrict access to specific IP ranges
- **VPC Endpoints**: Connect directly from your VPC without internet gateway

### Console Access

The Keycard Console operates at the control plane level for management operations:

- **Console path**: Customer → Control Plane → Dedicated Cell
- **Runtime path**: Customer → PrivateLink → Dedicated Cell (direct)

**Note (recommended):** Use the [Keycard Terraform Provider](https://registry.terraform.io/providers/keycardai/keycard/latest/docs) to manage zone configuration directly against your dedicated cell, bypassing the control plane entirely for infrastructure operations.

### Best For

- **Enterprise production workloads** with compliance requirements
- **Organizations requiring network isolation** (banking, healthcare, government)
- **Customers with data residency mandates** requiring private network boundaries
- **High-value applications** where performance consistency is critical
- **Companies needing enhanced audit and compliance** capabilities

### Security Benefits

| Feature                | Benefit                                          |
| ---------------------- | ------------------------------------------------ |
| Dedicated Runtime      | No shared memory or compute with other customers |
| Private Network        | Data never leaves AWS’s private network backbone |
| IP Allowlisting        | Restrict access to known networks only           |
| Audit Isolation        | Your audit logs never mix with other customers   |
| Performance Guarantees | No resource contention from noisy neighbors      |

---

## Comparison Table

| Feature                  | Keycard Cloud                 | Enterprise Cloud          |
| ------------------------ | ----------------------------- | ------------------------- |
| **Infrastructure**       | Shared multi-tenant           | Dedicated single-tenant   |
| **Network Access**       | Public internet               | AWS PrivateLink           |
| **Data Plane Isolation** | Logical (per-zone encryption) | Physical (dedicated cell) |
| **Noisy Neighbor Risk**  | Low (cell isolation)          | None                      |
| **Data Residency**       | AWS regions                   | AWS regions (dedicated)   |
| **Setup Time**           | Immediate                     | Days                      |
| **Operational Burden**   | Keycard managed               | Keycard managed           |
| **Best For**             | Most customers                | Enterprise production     |
| **Pricing**              | Standard                      | Premium                   |

---

## Choosing a Deployment Model

### Start with Keycard Cloud if you:

- Are prototyping or in early development
- Do not have strict data residency requirements
- Want to minimize operational overhead
- Need to get started quickly

### Upgrade to Enterprise Cloud if you:

- Are deploying production workloads at scale
- Require network isolation for compliance
- Need predictable, isolated runtime performance
- Have security policies requiring private connectivity
- Want dedicated infrastructure for your organization

---

## Migration Paths

### Keycard Cloud → Enterprise Cloud

**Process:**

1. Provision dedicated cell in your desired region
2. Configure AWS PrivateLink connection
3. Export zone configuration from Cloud deployment
4. Import configuration to Enterprise Cloud cell
5. Update application endpoints to use PrivateLink
6. Validate functionality
7. Cutover traffic

**Downtime:** Typically < 1 hour with proper planning
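One way to validate steps 5 and 6 before cutover, and to confirm the "Private Network Traffic" property described under Private Connectivity: an added example (not Keycard's own tooling) that checks that every application endpoint hostname resolves only to addresses inside your VPC, so no runtime traffic can fall back to a public address. The hostnames, addresses and VPC CIDR are constructed sample data, and `resolve_dns` is an assumed helper for a live run.

```python
"""Pre-cutover check: PrivateLink endpoints must resolve only into the VPC."""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed: CIDRs of the VPC that hosts your PrivateLink interface endpoints.
VPC_CIDRS = [ipaddress.ip_network("10.42.0.0/16")]

# Constructed stand-in for DNS so the check runs offline.
SAMPLE_DNS = {
    "zone.privatelink.example.invalid": ["10.42.1.17", "10.42.2.17"],
    "zone.public.example.invalid": ["203.0.113.9"],
    "zone.mixed.example.invalid": ["10.42.1.17", "198.51.100.4"],
}


def resolve_dns(hostname: str) -> List[str]:
    """Assumed live resolver (needs network); returns the A/AAAA answers for port 443."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443)})


@dataclass
class EndpointCheck:
    hostname: str
    private: bool          # True only if the name resolved and every address is in-VPC
    offending: List[str]   # addresses outside the VPC CIDRs (would leave the private path)


def check_endpoint(hostname: str,
                   resolve: Callable[[str], Optional[List[str]]] = SAMPLE_DNS.get,
                   vpc_cidrs=VPC_CIDRS) -> EndpointCheck:
    """Resolve one endpoint and flag any address that is not inside the VPC."""
    addrs = resolve(hostname) or []
    offending = [a for a in addrs
                 if not any(ipaddress.ip_address(a) in net for net in vpc_cidrs)]
    # An unresolvable name is not "private": it must fail the gate, not pass silently.
    return EndpointCheck(hostname, bool(addrs) and not offending, offending)


def ready_for_cutover(hostnames: List[str], **kw):
    """Gate for step 7: all endpoints private -> safe to switch traffic."""
    results = [check_endpoint(h, **kw) for h in hostnames]
    return all(r.private for r in results), results


if __name__ == "__main__":
    ok, results = ready_for_cutover(list(SAMPLE_DNS))
    for r in results:
        print(f"{r.hostname}: {'private' if r.private else 'BLOCK ' + str(r.offending)}")
    print("cutover allowed" if ok else "cutover blocked")
```

For a live run, pass `resolve=resolve_dns` to `ready_for_cutover` and replace `VPC_CIDRS` with the CIDRs of the VPC that owns the interface endpoints.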
