Security Architecture

Private Dedicated Environments (PDEs)

Many enterprise AI platforms run on shared multi-tenant infrastructure. OneReach.ai Generative Studio X (GSX) deployments are single-tenant  by default, so each customer gets dedicated compute, storage, and network isolation on either their AWS instance or one managed by OneReach.ai. These are known as Private Dedicated Environments or PDEs.

A PDE is a logically and operationally isolated deployment of GSX provisioned for a single customer. It is not a shared SaaS instance with tenant-level segmentation. Each PDE maintains dedicated infrastructure, data stores, runtime services, and security boundaries. PDEs can be provisioned within OneReach.ai-managed infrastructure or deployed directly into a customer’s own AWS account for organizations that prefer full ownership and control of their environment.

This model is designed to meet enterprise requirements for isolation, control, and regulatory alignment, particularly in highly regulated environments.

A Private Dedicated Environment is:

  • A customer-specific GSX deployment

  • Hosted in a dedicated AWS environment

  • Isolated at the network, compute, storage, and data layers

  • Configurable to align with customer security and compliance requirements

Depending on customer preference, a PDE may be:

  1. Hosted and managed by OneReach.ai within a dedicated AWS account

  2. Deployed into a customer-controlled AWS account and cloud environment

In both cases, the deployment architecture ensures that customer workloads, logs, knowledge stores, and agent runtime services are segregated from all other GSX instances.

A typical PDE architecture includes:

  • Dedicated VPC with private subnets

  • Containerized runtime services (e.g., orchestrated via Kubernetes or equivalent)

  • Isolated data stores for knowledge retrieval and state management

  • Encrypted object storage for artifacts and logs

  • IAM roles scoped to least-privilege access

  • Optional VPN or private connectivity (e.g., Direct Connect) into customer networks

Security controls follow AWS best practices, including:

  • Encryption at rest (AES-256)

  • TLS 1.2+ encryption in transit

  • Network segmentation and security groups

  • Continuous monitoring and logging

For customers with advanced requirements, GSX can integrate into existing enterprise controls including SIEM, identity federation (SAML/OIDC), and centralized key management.

Each PDE enforces strict isolation across:

  • Knowledge repositories

  • Vector and graph retrieval systems

  • Agent execution state

  • Logs and audit trails

  • Model interaction records

Customer data is not commingled with other customers’ data at the application, database, or storage layer.

Where foundation models are used, GSX operates as a secure orchestration layer. Customer prompts, responses, and context handling are governed by the customer’s configured policies. Data handling aligns with applicable provider terms regarding model training and retention.

Customers deploying GSX into their own AWS account retain full control over:

  • Network boundaries

  • IAM policies

  • Data retention policies

  • Key management systems (including customer-managed KMS keys)

This enables organizations to meet internal legal, regulatory, and residency requirements.