Deployment
Understanding Keycard's deployment options for different security and compliance needs
Keycard offers four different deployment models, providing customers with different characteristics and pricing models to suit the needs of developers, small companies, and the world’s largest enterprises.
- Keycard Cloud: Multi-tenanted deployment of Keycard without any Enterprise features such as SSO, Audit Log Export, Bring Your Own Key, and Private Networking.
- Keycard Dedicated Enterprise Cloud: Single-tenanted deployment of a Data Plane in Keycard’s Cloud for a specific Enterprise Customer with all Enterprise Features. The control plane is shared across all enterprise customers.
- Keycard Enterprise Bring Your Own Cloud (Coming Soon): Ability to deploy a data plane tenant into a customer’s cloud, ensuring all traffic passes only through their VPC.
By default, when you sign up for Keycard, your account will be assigned to Keycard Cloud. To gain access to our Enterprise deployment options, please contact sales@keycard.ai.
Keycard Cloud (Multi-Tenant)
Keycard’s standard deployment model. Keycard uses a cell-based architecture that ensures high availability, performance and security. It consists of a control plane that manages the provisioning of zones across many Keycard-managed data planes.
Data planes are responsible for zone management (such as zone, resource, application creation) and zone operations (such as OAuth handshakes as well as token exchange). They are self-contained and operate without any control plane dependencies, ensuring high availability and reduced blast radius.
Architecture
Characteristics
- Shared Infrastructure: Zones from multiple customers run on shared data planes
- Logical Isolation: Each zone has isolated data encryption keys, credentials, and audit logs
- High Availability: Automatic failover and redundancy across multiple cells
- Global Reach: Access from anywhere via public endpoints
- Managed Operations: Keycard handles all infrastructure management and scaling
Best For
- Startups and scale-ups getting started with Keycard
- Development and staging environments before production deployment
- Applications without strict data residency requirements
- Teams prioritizing speed and simplicity over dedicated infrastructure
Networking
In Keycard Cloud and Keycard Enterprise Cloud, all traffic flows through our WAF and then over a private link to the data plane. For customers with configured KMS keys, traffic between our Vault and their KMS instance travels over a private network.
Enterprise Cloud (Dedicated Cell)
A dedicated data plane for your zones. Dedicated Enterprise Cloud comes with AWS PrivateLink secure connectivity to the Keycard cloud, enabling you to have a unidirectional communication link between your environment and Keycard Cloud.
Keycard’s Dedicated Enterprise Cloud provides runtime isolation, avoiding noisy neighbour problems or any potential memory sharing with other Keycard customers. This provides you with the highest trust in data privacy.
Keycard’s Dedicated Enterprise Cloud is unidirectional, and data flows from your cloud to Keycard Cloud. Keycard does not have access to your internal network.
Architecture
Characteristics
- Dedicated Data Plane: Your zones run on infrastructure exclusively allocated to your organization
- AWS PrivateLink: Unidirectional private connectivity from your VPC to Keycard
- Runtime Isolation: Complete isolation from other Keycard customers at runtime
- No Noisy Neighbors: Predictable performance without resource contention
- Private Network Traffic: Data never traverses the public internet during runtime operations
- Enhanced Security: Reduced attack surface with private connectivity
Networking
Dedicated Enterprise Cloud comes with AWS PrivateLink connectivity directly to the data plane, enabling you to have a unidirectional communication link between your environment and Keycard Cloud. This ensures your data stays single-tenant (your dedicated data plane) and gives you increased high availability by bypassing Keycard’s control plane. All data flows directly between your cloud and the Dedicated Enterprise Cloud, ensuring your data never leaves AWS’s private network.
Private Connectivity
AWS PrivateLink provides a secure, private link between your infrastructure and Keycard:
- Unidirectional: Traffic flows from your environment to Keycard only
- No Ingress: Keycard cannot initiate connections into your network
- IP Allowlisting: Optionally restrict access to specific IP ranges
- VPC Endpoints: Connect directly from your VPC without internet gateway
Console Access
The Keycard Console operates at the control plane level for management operations:
- Console path: Customer → Control Plane → Dedicated Cell
- Runtime path: Customer → PrivateLink → Dedicated Cell (direct)
Best For
- Enterprise production workloads with compliance requirements
- Organizations requiring network isolation (banking, healthcare, government)
- Customers with data residency mandates requiring private network boundaries
- High-value applications where performance consistency is critical
- Companies needing enhanced audit and compliance capabilities
Security Benefits
| Feature | Benefit |
|---|---|
| Dedicated Runtime | No shared memory or compute with other customers |
| Private Network | Data never leaves AWS’s private network backbone |
| IP Allowlisting | Restrict access to known networks only |
| Audit Isolation | Your audit logs never mix with other customers |
| Performance Guarantees | No resource contention from noisy neighbors |
Comparison Table
| Feature | Keycard Cloud | Enterprise Cloud |
|---|---|---|
| Infrastructure | Shared multi-tenant | Dedicated single-tenant |
| Network Access | Public internet | AWS PrivateLink |
| Data Plane Isolation | Logical (per-zone encryption) | Physical (dedicated cell) |
| Noisy Neighbor Risk | Low (cell isolation) | None |
| Data Residency | AWS regions | AWS regions (dedicated) |
| Setup Time | Immediate | Days |
| Operational Burden | Keycard managed | Keycard managed |
| Best For | Most customers | Enterprise production |
| Pricing | Standard | Premium |
Choosing a Deployment Model
Start with Keycard Cloud if you:
- Are prototyping or in early development
- Do not have strict data residency requirements
- Want to minimize operational overhead
- Need to get started quickly
Upgrade to Enterprise Cloud if you:
- Are deploying production workloads at scale
- Require network isolation for compliance
- Need predictable, isolated runtime performance
- Have security policies requiring private connectivity
- Want dedicated infrastructure for your organization
Migration Paths
Keycard Cloud → Enterprise Cloud
Process:
- Provision dedicated cell in your desired region
- Configure AWS PrivateLink connection
- Export zone configuration from Cloud deployment
- Import configuration to Enterprise Cloud cell
- Update application endpoints to use PrivateLink
- Validate functionality
- Cutover traffic
Downtime: Typically < 1 hour with proper planning
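The "Update application endpoints" and "Validate functionality" steps above, and the IP allowlisting option described under Private Connectivity, can be checked before cutover with a small script. This is an added example, not Keycard's own tooling; the VPC CIDR, endpoint subnets, hostnames and DNS answers are hypothetical, constructed values.

```python
"""Cutover checks for the Keycard Cloud -> Enterprise Cloud migration (added
example, not Keycard tooling). Assumes you know your VPC CIDR, the subnets of
the PrivateLink interface endpoint, and the cell's IP allowlist. Sample values
are constructed; RFC 5737 documentation ranges stand in for public addresses."""
import ipaddress
import socket

VPC_CIDR = "10.20.0.0/16"                            # hypothetical customer VPC
ENDPOINT_SUBNETS = ["10.20.1.0/24", "10.20.2.0/24"]  # hypothetical endpoint ENI subnets
SAMPLE_ANSWERS = {  # constructed DNS answers; resolve() does the live lookup
    "zones.dedicated-cell.invalid": ["10.20.1.45", "10.20.2.17"],
    "zones.keycard-cloud.invalid": ["203.0.113.10"],
    "half-migrated.invalid": ["10.20.1.45", "203.0.113.10"],
}

def classify_endpoint(addresses, vpc_cidr=VPC_CIDR, endpoint_subnets=ENDPOINT_SUBNETS):
    """Bucket each resolved address: behind the PrivateLink endpoint, elsewhere
    in the VPC (e.g. a stale proxy), or outside the VPC (the public path)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(s) for s in endpoint_subnets]
    buckets = {"private_link": [], "vpc_other": [], "outside_vpc": []}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in s for s in subnets):
            buckets["private_link"].append(addr)
        elif ip in vpc:
            buckets["vpc_other"].append(addr)
        else:
            buckets["outside_vpc"].append(addr)
    return buckets

def ready_for_cutover(addresses, **kw):
    """True only when every answer sits behind the endpoint: one public answer
    means some clients would still reach Keycard over the internet path."""
    b = classify_endpoint(addresses, **kw)
    return bool(b["private_link"]) and not b["vpc_other"] and not b["outside_vpc"]

def uncovered_sources(allowlist, egress_cidrs):
    """Egress ranges your workloads use that the cell's IP allowlist would reject."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    return [e for e in egress_cidrs
            if not any(ipaddress.ip_network(e).subnet_of(a) for a in allowed)]

def resolve(hostname):
    """Live lookup for real use; returns [] when the name does not resolve."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(hostname, 443, socket.AF_INET)})
    except socket.gaierror:
        return []
```

Run `ready_for_cutover(resolve(host))` from inside the VPC for each application endpoint; a mixed result usually means a stale DNS cache or an endpoint string that was never updated.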