Multi-agent DAG orchestration, purpose-built for enterprise engineering teams Learn more →

BYO-Cloud

Your cloud. Your data. Our intelligence.

The only AI engineering platform where your code, secrets, and artifacts never leave your cloud account. Cendriix agents execute inside your VPC, the control plane sees metadata only.

Architecture

See where your data lives.

Three zones, one principle: customer payloads never cross the boundary. The mTLS relay carries step pointers and status events, nothing else.

BYO-cloud relay · control-plane metadata onlymTLS
AWS · liveAzure · roadmapGCP · roadmap
Your cloud · VPC

Payloads never cross the boundary

  • Agent executor processes
  • Source code + secrets
  • Artifacts + diffs
  • Run output logs
  • Model API calls (direct)
  • Database connections
Cendriix control plane

EKS orchestrator · ephemeral relay

  • Run orchestration graph
  • Step-status events only
  • Policy + guardrail checks
  • Approval routing
  • Audit index (pointers)
  • Cost telemetry
Your sources

Tickets · CI · observability

  • GitHub / GitLab / Bitbucket
  • Jira / Linear / ServiceNow
  • CI pipelines
  • Observability stack
  • Cloud provider APIs
  • Custom webhooks

Matches production relay contract: STS-scoped IAM into your account; Cendriix stores orchestration metadata only, not repo contents or model payloads.

Your cloud (VPC)
Never leaves your boundary
  • Agent executor processes
  • Source code + secrets
  • Build artifacts + diffs
  • Run output logs
  • Model API calls (direct)
  • Database connections
Cendriix control plane
Metadata only
  • Orchestration graph
  • Step-status events
  • Policy checks
  • Approval routing
  • Audit index (pointers)
  • Cost telemetry
Your sources
Connected via your credentials
  • GitHub / GitLab
  • Jira / Linear / ServiceNow
  • CI pipelines
  • Observability stack
  • Cloud provider APIs
  • Custom webhooks
mTLS relay, step pointers only, never payloads. Customer code, secrets, and artifacts stay inside your cloud boundary at all times.
How it works

Four steps to your own cloud.

From CloudFormation deploy to first run, typically under an hour for design partners.

Step 01
Connect your cloud
Deploy the Cendriix agent runtime into your VPC with a single CloudFormation stack (or Terraform module). You control the IAM role.
Step 02
mTLS relay established
A mutual-TLS tunnel connects your agent runtime to the Cendriix control plane. Only step pointers and status events traverse the relay, never payloads.
Step 03
Agents run locally
Code checkout, builds, tests, model calls, and database access all happen inside your VPC. Artifacts never cross the boundary.
Step 04
Audit everything
Every agent decision is recorded in a hash-chained audit log stored in your account. Deterministic replay available for any run.
Why it matters

Built for regulated industries.

Every industry has different compliance requirements. BYO-Cloud meets them all with one architecture: your data never leaves.

Financial services
Trading algorithms stay in your VPC.
SOX audit trails generated automatically. Model calls route through your own Bedrock or Azure OpenAI endpoint, no third-party data residency risk.
Healthcare
PHI never leaves your HIPAA-compliant environment.
Business Associate Agreement available. Agent executors, logs, and model calls stay inside your cloud boundary, nothing to redact because nothing leaves.
Defense & government
ITAR / CUI code stays in GovCloud.
No FedRAMP dependency on Cendriix. The control plane sees step pointers only, never source code, artifacts, or classified data.
Enterprise
Pass any security questionnaire. Your CISO will love it.
Code never leaves your account. Hash-chained audit logs prove every agent decision. Export everything, anytime, no lock-in.
Security posture

Enterprise-grade by design.

mTLS relay, step pointers only
SOC 2 Type I readiness (Q3 2026)
Hash-chained audit logs
Customer-managed encryption keys
Data residency, your region, your rules
No egress of code or secrets

See BYO-Cloud in action.

30-minute pilot walkthrough. We deploy the agent runtime into your VPC and run a real workflow, so you see exactly where your data stays.