Where your data lives. Who holds the keys.
Procurement asks two questions about every analytics platform. Where does our data physically reside? And who controls the encryption key? Gitrevio has clean answers to both — an EU data-residency tier, BYOK KMS for tenant-DB encryption, and a Helm chart that runs in your VPC if that's what you need.
Three deployment modes
One Helm chart, three modes. Switching between them is a values-file change, not a fork.
BYOK KMS for tenant-DB encryption
Customer holds the key material; Gitrevio holds only encrypted references. Revoking the key at the KMS revokes Gitrevio's access — no support ticket required.
Supported KMS providers: AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault Transit. Bootstrap is provider-specific; the runtime is uniform.
Multi-key registry with rotation. Old keys remain available for decrypt; new writes use the active key. Rotation is online; no read downtime.
Envelope encryption. Each row is encrypted with its own data-encryption key (DEK); the DEK is wrapped by the tenant's key-encryption key (KEK), which never leaves the KMS. Plaintext DEKs live in memory only.
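The three BYOK properties above (per-row DEKs wrapped by a KMS-held KEK, a multi-key registry where old keys still decrypt while new writes use the active key, and revocation at the KMS cutting off access) fit in one small model. The following Go program is an added illustration, not Gitrevio's code: FakeKMS is a constructed in-memory stand-in for a real KMS wrap/unwrap API, and the key ids, type names and the KeyRegistry/Row types are hypothetical. AES-256-GCM from the Go standard library does the actual encryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// FakeKMS is a constructed stand-in for AWS KMS, GCP KMS, Azure Key Vault or
// Vault Transit: it holds key-encryption keys (KEKs) by id and exposes only
// Wrap/Unwrap, so KEK bytes never leave the tenant's KMS.
type FakeKMS struct{ keks map[string][]byte }

func NewFakeKMS() *FakeKMS { return &FakeKMS{keks: map[string][]byte{}} }

// CreateKey mints a fresh 256-bit KEK under id (a tenant-side action).
func (k *FakeKMS) CreateKey(id string) error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	k.keks[id] = kek
	return nil
}

// Revoke deletes a KEK; every DEK wrapped under it becomes unrecoverable.
func (k *FakeKMS) Revoke(id string) { delete(k.keks, id) }

func (k *FakeKMS) kek(id string) ([]byte, error) {
	if kek, ok := k.keks[id]; ok {
		return kek, nil
	}
	return nil, fmt.Errorf("kms: key %q unavailable", id)
}

// Wrap and Unwrap bind the KEK id as AES-GCM associated data, so a wrapped
// DEK cannot be replayed under a different key id.
func (k *FakeKMS) Wrap(id string, dek []byte) ([]byte, error) {
	kek, err := k.kek(id)
	if err != nil {
		return nil, err
	}
	return seal(kek, dek, []byte(id))
}

func (k *FakeKMS) Unwrap(id string, wrapped []byte) ([]byte, error) {
	kek, err := k.kek(id)
	if err != nil {
		return nil, err
	}
	return open(kek, wrapped, []byte(id))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || AES-256-GCM(key, nonce, plaintext, ad).
func seal(key, plaintext, ad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, ad), nil
}

// open reverses seal and fails on a wrong key, wrong ad or tampered bytes.
func open(key, blob, ad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], ad)
}

// Row is what the tenant DB persists: ciphertext, the wrapped DEK and the id
// of the KEK that wrapped it. The plaintext DEK exists only in memory.
type Row struct {
	KEKID      string
	WrappedDEK []byte
	Ciphertext []byte
}

// KeyRegistry records every KEK id used for a tenant and which one is active.
// Old ids stay usable for decrypt; new writes use the active id.
type KeyRegistry struct {
	kms    *FakeKMS
	Active string
	Known  []string
}

func NewKeyRegistry(kms *FakeKMS, firstKEK string) (*KeyRegistry, error) {
	r := &KeyRegistry{kms: kms}
	return r, r.Rotate(firstKEK)
}

// Rotate creates a new KEK and makes it active without rewrapping existing
// rows, so reads of older data continue uninterrupted.
func (r *KeyRegistry) Rotate(newID string) error {
	if err := r.kms.CreateKey(newID); err != nil {
		return err
	}
	r.Known = append(r.Known, newID)
	r.Active = newID
	return nil
}

// EncryptRow generates a per-row DEK, seals the data under it, and stores
// only the KMS-wrapped DEK next to the ciphertext.
func (r *KeyRegistry) EncryptRow(plaintext []byte) (Row, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Row{}, err
	}
	ct, err := seal(dek, plaintext, nil)
	if err != nil {
		return Row{}, err
	}
	wrapped, err := r.kms.Wrap(r.Active, dek)
	if err != nil {
		return Row{}, err
	}
	return Row{KEKID: r.Active, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRow unwraps the row's DEK under whichever KEK originally wrapped it.
func (r *KeyRegistry) DecryptRow(row Row) ([]byte, error) {
	dek, err := r.kms.Unwrap(row.KEKID, row.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, row.Ciphertext, nil)
}

func main() {
	kms := NewFakeKMS()
	reg, _ := NewKeyRegistry(kms, "kek-2024q1") // constructed key ids
	old, _ := reg.EncryptRow([]byte("row written before rotation"))
	_ = reg.Rotate("kek-2024q2")
	cur, _ := reg.EncryptRow([]byte("row written after rotation"))
	pt, _ := reg.DecryptRow(old)
	fmt.Printf("old row (%s) still readable: %s\n", old.KEKID, pt)
	kms.Revoke("kek-2024q1") // tenant revokes at the KMS; no vendor action
	_, err := reg.DecryptRow(old)
	fmt.Println("after revoke:", err)
	pt, _ = reg.DecryptRow(cur)
	fmt.Printf("row under %s: %s\n", cur.KEKID, pt)
}
```

The point the demo makes for a reviewer: rotation is a registry change (new active id), not a bulk rewrite, and revocation is enforced by the KMS refusing to unwrap, which is why no support ticket is in the loop. A real deployment would also cache unwrapped DEKs with a short TTL to keep KMS latency off the read path, which this model omits.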
EU data-residency tier
residency_tier: eu binds every storage location — central DB, customer DB, object store, backup snapshots, audit log — to EU regions. The tier flag is enforced at provisioning time and re-checked by a daily auditor.
Egress allowlist on dedicated_vpc and self_hosted modes pins outbound calls (AI provider, source connectors) to documented endpoints.
Backups stay in region. Snapshots are encrypted with the tenant KMS key and replicated only to in-region storage.
Air-gapped option. Frontend vendors every dependency under assets/vendor/ — no unpkg, no jsdelivr, no Google Fonts. The product runs without internet egress when the deployment requires it.