Skip to content

Private Tenant

Private Tenant is a deployment option for organizations whose regulatory posture, data-classification rules, or internal security policy don't fit the multi-tenant SaaS. On a Private Tenant, Escape runs on dedicated infrastructure you can pin to a specific region and audit end-to-end.

What Dedicated Means

  • Dedicated database and object storage: your scan artifacts, issues, assets, and reports live on infrastructure allocated to your organization only. No data co-tenancy with other customers.
  • Dedicated scanner fleet: scanner workers run in pods labeled to your tenant. Scan traffic, auth material, and captured payloads don't leave your tenant's namespace.
  • Dedicated ingress and API surface: the Public API and the app UI are served from a tenant-scoped hostname with a TLS certificate you can pin.

Region Pinning

Private Tenants can be deployed in any of the Escape-supported regions:

  • EU (Paris, Frankfurt)
  • US (N. Virginia, Oregon)
  • Singapore, Sydney

Additional regions on request. Region pin is strict: every datum, scan log, and generated artifact stays in the region you picked.

Who Should Look at This

Typical triggers:

  • Data residency obligations (GDPR Article 44, German IT security law, French Cloud de confiance).
  • Sector-specific rules (HIPAA-adjacent deployments, financial regulators requiring customer data segregation).
  • Internal policies that prohibit security-finding storage on shared multi-tenant systems.

If any of those apply, Private Tenant is the fit.

What Operating a Private Tenant Involves

A Private Tenant is a standing commitment, not a configuration toggle

Running Escape on dedicated infrastructure means we replicate, in isolation for your organization alone, what we otherwise amortize across the entire customer base. Concretely:

  • A dedicated platform team is staffed against your tenant. Two senior engineers (SRE + platform) are allocated to your environment for upgrades, on-call rotations, capacity planning, incident response, security patching, and compliance evidence collection. They do not work on shared SaaS in parallel.
  • A full second copy of the Escape stack is provisioned for you. Database clusters, object storage, message queues, scanner worker pools, ingress, observability pipelines, backup tiers, and disaster-recovery replicas are all stood up and operated only for your traffic — sized for your peak, not your average.
  • AI inference is provisioned at your tenant's scale, not the fleet's. Pentest reasoning, triage, and remediation models run against quotas dedicated to you, with the per-token economics of a single-tenant deployment rather than the pooled rates of the shared SaaS.
  • Compliance, auditability, and key custody are operated end-to-end per tenant. Region failover drills, SOC 2 / ISO evidence per environment, encryption-key rotation, penetration testing of the tenant itself, and audit-log retention are run as standalone programs.
  • Every cost line in our shared SaaS is replaced by a tenant-specific one. Cloud spend, third-party security tooling, monitoring, model providers, and human time are all underwritten by your contract rather than spread across thousands of organizations.

For these reasons, Private Tenant is offered as a multi-year enterprise engagement and is sized accordingly. We will only propose it when the regulatory or policy driver genuinely requires it; for most organizations, the multi-tenant SaaS with region pinning is the right answer.

How to Get Started

Private Tenant is sold per organization with its own onboarding. Contact your account team, or write to support@escape.tech if you'd like an architecture review for your compliance program. The onboarding covers region, region failover, SSO identity provider, scanner concurrency caps, and audit-log export.

See also Privacy and Security for the broader data-handling model.