Enterprise (VPC Deployment)

For organizations that require data to never leave their network, HatiData Enterprise deploys the data plane directly inside your AWS, GCP, or Azure VPC. The control plane communicates exclusively over PrivateLink -- no public internet exposure.

Architecture

Your VPC                                  HatiData VPC
+-----------------------------------+     +---------------------------+
|                                   |     |                           |
|  AI Agents / Applications         |     |  Control Plane (Axum)     |
|       |                           |     |    - Auth (JWT/API key)   |
|       v                           |     |    - Billing              |
|  HatiData Proxy (:5439)           |     |    - Policy management    |
|    - Postgres wire protocol       |     |    - Audit                |
|    - SQL transpilation            |     |    - Dashboard API        |
|    - DuckDB execution engine      |     |                           |
|    - L1 RAM / L2 NVMe cache      |     +---------------------------+
|       |                           |              ^
|       v                           |              |
|  Object Storage (your bucket)     |     PrivateLink (no public internet)
|    - Iceberg-format tables        |              |
|    - Encrypted at rest (KMS)      |     ---------+
|                                   |
+-----------------------------------+

Key properties:

Data plane in your VPC -- The proxy, DuckDB engine, and caches run on your infrastructure
No data egress -- Query data never crosses VPC boundaries
PrivateLink connectivity -- Control plane communication uses VPC endpoints, not the public internet
Your storage, your keys -- Data stored in your S3/GCS/Azure Blob buckets, encrypted with your KMS keys

Cloud Provider Support

HatiData Enterprise supports all three major cloud providers:

Provider	Data Plane	Storage	Encryption	Terraform Modules
AWS	EC2 Auto Scaling (i3 NVMe)	S3 (Iceberg)	AWS KMS	`terraform/aws/` (8 modules)
GCP	GKE Standard or Cloud Run	GCS (Iceberg)	Cloud KMS	`terraform/gcp/` (11 modules)
Azure	AKS or Container Instances	Azure Blob (Iceberg)	Azure Key Vault	`terraform/azure/` (6 modules)

Infrastructure (AWS Example)

HatiData Enterprise deploys via Terraform modules:

Module	Purpose
`vpc`	VPC, subnets, security groups, NAT gateway
`compute`	EC2 Auto Scaling Group (i3 instances with NVMe)
`storage`	S3 buckets (data lake, audit), KMS encryption keys
`iam`	IAM roles, instance profiles, cross-account access
`control_plane`	PrivateLink endpoint, VPC endpoint service
`monitoring`	CloudWatch, Prometheus, alerting
`marketplace`	AWS Marketplace metering integration
`shadow_mode`	Query replay and compatibility testing

Compute Tiers

Environment	Instance Type	NVMe Storage	Pricing
Development	i3.large	475 GB	Spot instances
Staging	i3.xlarge	950 GB	Spot instances
Production	i3.2xlarge	1.9 TB	On-demand

NVMe storage is used for the L2 disk cache, providing sub-millisecond reads for frequently accessed data. On instance termination, NVMe volumes are cryptographically wiped via cryptsetup luksErase.

Shadow Mode

Before migrating production workloads, Shadow Mode lets you validate compatibility without risking your existing pipelines:

Upload your existing query history
Replay queries against HatiData in parallel with your current warehouse
Compare results, latency, and costs
Review a compatibility report showing which queries pass, which need adjustment

# Start shadow mode
curl -X POST -H "Authorization: Bearer $JWT" \
  https://api.hatidata.com/v1/organizations/$ORG_ID/shadow-mode

# Upload query history
curl -X POST -H "Authorization: Bearer $JWT" \
  -F "file=@query_history.csv" \
  https://api.hatidata.com/v1/organizations/$ORG_ID/shadow-mode/upload

# Start replay
curl -X POST -H "Authorization: Bearer $JWT" \
  https://api.hatidata.com/v1/organizations/$ORG_ID/shadow-mode/replay

# Get comparison report
curl -H "Authorization: Bearer $JWT" \
  https://api.hatidata.com/v1/organizations/$ORG_ID/shadow-mode/report

Shadow Mode is particularly useful when migrating from Legacy Cloud Warehouses. The compatibility report identifies queries that need adjustment and provides suggested rewrites.

IP Protection (Shield)

Enterprise deployments include HatiData Shield -- a four-layer defense-in-depth system:

Black Box Binary -- Symbol stripping, LTO, string obfuscation, anti-debug detection
Heartbeat License -- JWT-based tokens with agent-aware feature gating
Locked Instance -- No SSH/SSM access, encrypted EBS, AMI-only delivery
Environment Binding -- Cloud metadata validation of account, project, or subscription and region

Security Features

Enterprise deployments include all security features described in the Security Overview:

RBAC with 6 roles (ServiceAccount, Developer, Analyst, Auditor, Admin, Owner)
ABAC with 10-attribute evaluation context and compiled policy sets
Row-level security with agent-aware placeholders
Column masking with role-based redaction levels
Hash-chained audit logs (SHA-256) with tamper detection
JIT access grants with time-bounded privilege escalation
Federated authentication (AWS STS, Azure AD, Google Cloud Identity)
Multi-tenancy with automatic tenant isolation and cross-tenant JOIN prevention

SLAs and Support

Tier	SLA	Support
Standard	99.9% uptime	Business hours email, 24h response
Premium	99.95% uptime	24/7 Slack, 4h response, named TAM
Mission Critical	99.99% uptime	24/7 phone, 1h response, dedicated team

Getting Started

Enterprise deployment is customized to your infrastructure. To get started:

Contact sales -- Email sales@hatidata.com or visit hatidata.com
Architecture review -- We map your VPC topology, data sources, and compliance requirements
Shadow Mode trial -- Validate compatibility with your existing queries
Terraform deployment -- We provide the modules; you run terraform apply in your account
Go live -- Cut over agents and applications to your in-VPC HatiData proxy

Terraform Quick Start

Once you have access to the Terraform modules, deployment follows a standard workflow:

# Clone the modules
git clone https://github.com/HatiOS-AI/HatiData-Enterprise.git
cd HatiData-Enterprise/terraform/aws  # or /gcp or /azure

# Configure
cp terraform.tfvars.example terraform.tfvars
# Edit terraform.tfvars with your account details, region, VPC ID, etc.

# Deploy
terraform init
terraform plan
terraform apply

The Terraform modules create all required infrastructure: VPC endpoints, compute instances, storage buckets, IAM roles, monitoring, and the PrivateLink connection to the control plane.

Migrating from Cloud

Upgrading from Cloud to Enterprise preserves your data, schemas, policies, and API keys. The migration process:

Terraform provisions the data plane in your VPC
Data is replicated from HatiData-managed storage to your S3/GCS/Azure Blob bucket
DNS is updated to point to your in-VPC proxy
The old cloud endpoint is decommissioned

Zero-downtime migration is supported with a brief period of dual-write during cutover.

Next Steps

Security Overview -- RBAC, ABAC, encryption, and audit details
API Reference -- Control plane REST API
SQL Compatibility -- Supported functions, types, and constructs
Core Concepts -- Architecture and query pipeline details
Integrations -- LangChain, CrewAI, MCP, and more

Architecture​

Cloud Provider Support​

Infrastructure (AWS Example)​

Compute Tiers​

Shadow Mode​

IP Protection (Shield)​

Security Features​

SLAs and Support​

Getting Started​

Terraform Quick Start​

Migrating from Cloud​

Next Steps​

Stay in the loop