
In-VPC Data Warehousing: A CISO's Guide

HatiData Team, 6 min read

The Problem With Data Leaving Your VPC

Every time a query result crosses a network boundary, it creates an exfiltration vector. Traditional cloud data warehouses operate in their own multi-tenant environments. Your data travels from your VPC to theirs, gets processed on shared infrastructure, and returns over the internet — sometimes through public endpoints. For regulated industries, this architecture is a compliance nightmare.

CISOs are increasingly asking a simple question: why does our most sensitive data need to leave our security perimeter at all?

What In-VPC Deployment Actually Means

HatiData deploys entirely inside your AWS VPC. The compute nodes, the storage layer, the query engine — all of it runs on infrastructure you own and control. Your data never traverses the public internet. It never touches a multi-tenant environment. It never leaves your security boundary.

The control plane — the component that handles orchestration, billing, and metadata — communicates with the data plane exclusively through AWS PrivateLink. This means even the management traffic stays within AWS's private backbone network, never touching a public endpoint.

CMEK: Your Keys, Your Control

Customer-Managed Encryption Keys (CMEK) give you full control over data-at-rest encryption. HatiData encrypts all data using keys stored in your AWS KMS account. You control the key rotation policy, you control the access policy, and you can revoke access at any time.

This is not envelope encryption where the vendor holds a master key. This is true CMEK — if you delete the key, the data becomes permanently unreadable. That level of control is what auditors want to see.

Immutable Audit Logs

Every query executed against HatiData is logged to an immutable audit trail. Logs are written to S3 with Object Lock enabled — once written, they cannot be modified or deleted, even by account administrators. The default retention period is 7 years, configurable to meet your specific compliance requirements.

Each audit record includes the full query text, execution metadata, the authenticated identity of the caller, and a SHA-256 hash for tamper detection. This gives your compliance team a forensic-grade record of every data access event.
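An auditor-side check of the per-record SHA-256 described above, as an added example (not HatiData's code). The JSON-lines layout, the field names and the canonicalisation (sorted-key compact JSON with the hash field excluded) are assumptions, since the page does not specify the record format.

```python
import hashlib
import json

HASH_FIELD = "sha256"  # assumed field name, not a documented HatiData schema


def record_digest(record: dict) -> str:
    """SHA-256 over the record's canonical JSON, excluding the hash field itself."""
    body = {k: v for k, v in record.items() if k != HASH_FIELD}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def seal(record: dict) -> str:
    """Serialise a record with its digest attached (stands in for the log writer)."""
    return json.dumps({**record, HASH_FIELD: record_digest(record)})


def verify_log(lines):
    """Return (line_number, reason) for every record that fails verification."""
    failures = []
    for n, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
            if not isinstance(record, dict):
                raise ValueError("record is not a JSON object")
        except ValueError:  # also covers json.JSONDecodeError (truncated lines)
            failures.append((n, "unparseable"))
            continue
        stored = record.get(HASH_FIELD)
        if not isinstance(stored, str):
            failures.append((n, "missing hash"))
        elif stored.lower() != record_digest(record):
            failures.append((n, "hash mismatch"))
    return failures


# Constructed sample records; identities and queries are illustrative only.
_BASE = {"ts": "2024-01-01T00:00:00Z", "rows": 1,
         "identity": "arn:aws:iam::111122223333:role/analyst"}
_ok = seal({**_BASE, "query": "SELECT count(*) FROM orders"})
_edited = seal({**_BASE, "query": "SELECT * FROM patients"}).replace(
    "patients", "orders")                      # query text altered after sealing
_no_hash = json.dumps({**_BASE, "query": "SELECT 1"})  # hash field stripped
SAMPLE_LOG = [_ok, _edited, _no_hash, _ok[:40]]        # last line is truncated

if __name__ == "__main__":
    for line_no, reason in verify_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

A per-record hash only exposes edits made by someone who did not also recompute it; the Object Lock retention on the bucket is what stops a rewritten record from replacing the original.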

Compliance Timeline Compression

The typical security review for a new data vendor takes 3–6 months: questionnaire, architecture review, pen test, legal review, DPA negotiation. HatiData's in-VPC architecture compresses this timeline dramatically.

Because the data plane runs inside your VPC, it's already covered by your existing SOC 2, HIPAA, and FedRAMP controls. Your network segmentation, your monitoring, your incident response — all of it applies automatically. The only new component to evaluate is the control plane, which handles no customer data and communicates exclusively over PrivateLink.

We've seen CISOs approve HatiData in a single meeting. When the data never leaves your VPC, most of the hard questions answer themselves.

A Security Architecture, Not a Feature List

Security isn't a feature you bolt on — it's an architecture you build from the ground up. HatiData was designed for environments where data sovereignty, encryption, and auditability are non-negotiable. If your organization operates under SOC 2, HIPAA, PCI-DSS, or similar frameworks, in-VPC deployment isn't a nice-to-have — it's the only architecture that makes sense.

Ready to see what an in-VPC data warehouse looks like in your environment? Start with a Shadow Mode pilot — we deploy alongside your existing warehouse, read-only, and you evaluate on your own terms.
