New: Supaflow Claude Plugin -- let Claude create, edit, and monitor your data pipelines. Try the plugin

Zero Trust Architecture for Data Pipelines

Supaflow separates the control plane from the data plane so teams can run pipelines in customer-controlled environments while Supaflow Cloud stores orchestration metadata and encrypted connection metadata.

In customer-controlled deployments, agents run within your AWS account or Snowflake Snowpark Container Services (SPCS) and communicate with Supaflow exclusively via outbound HTTPS polling. No inbound firewall rules, IP allowlists, or SSH access are required.

With VPC or Snowflake-native agents, data processing happens inside that environment rather than through Supaflow-managed infrastructure.

Supaflow Security Architecture Diagram

What This Means in Practice

The security model on this page is designed to answer the questions infrastructure and compliance teams usually ask first: network direction, data residency, and key control.

No inbound access required

The Supaflow Agent polls for work over outbound HTTPS only. The security model does not depend on inbound firewall rules, SSH sessions, or IP allowlists.

Customer data stays in the data plane

With customer-controlled agents, raw customer data and PHI stay in your environment or in Snowflake compute. Supaflow Cloud stores orchestration metadata and encrypted connection metadata.

Customer-managed keys stay with you

The agent decrypts job metadata locally using private keys stored in your own secret manager, so Supaflow does not need access to the keys used to unlock sensitive credentials.

How Supaflow Agent Works

For customer-controlled agents, data flows directly from source to destination.

1

Agent Polls for Jobs

The Supaflow Agent runs in your AWS environment or Snowflake SPCS and polls Supaflow for work using outbound HTTPS only. No inbound network access is required.

2

Agent Decrypts Job

The agent retrieves encrypted job metadata and decrypts it locally using customer-managed keys stored in your secret manager (AWS Secrets Manager or Snowflake Secrets).

3

Agent Runs Pipeline

The agent connects directly to your sources and destinations within your network. In customer-controlled deployments, data moves from source to destination without passing through Supaflow Cloud.

Enterprise Security Features

Zero Trust Architecture

No ingress connections required. Agent polls control plane via HTTPS egress only, ensuring your network perimeter remains secure.

Customer-Managed Encryption

Your private encryption keys stay in your Secret Manager. We never have access to decrypt your sensitive connection credentials.

Data Plane Isolation

For customer-controlled agent deployments, customer data processing happens in your VPC or Snowflake SPCS. Raw data and PHI stay in that data plane.

Metadata-Only Storage

Supaflow Cloud stores pipeline configurations, lineage, and encrypted connection metadata. Customer-controlled deployments keep business data processing in your data plane.

Per-Tenant Encryption

Dedicated encryption keys per tenant ensure complete data isolation. Each tenant's metadata is encrypted independently with keys they control.

Audit Logging

Track pipeline configurations, job executions, and user actions for compliance reviews and operational visibility.

Metadata Residency & Compliance

Lives in Supaflow Cloud

  • Pipeline configurations
  • Lineage metadata
  • User and workspace settings
  • System orchestration data
  • Connection credentials (encrypted with your public key)

Stays with You

  • Encryption private keys
  • Raw data and PHI
  • Execution logs and artifacts
  • Sensitive business information

Compliance-Friendly Architecture: For customer-controlled deployments where customer data remains in your environment or Snowflake compute, this architecture can reduce the scope of a Business Associate Agreement review.

Flexible Deployment Options

AWS VPC Deployment

Deploy Supaflow Agent in your AWS account with full control over networking, IAM, and compute resources. No firewall rules or SSH bastions needed—agent uses standard HTTPS egress.

Snowflake SPCS Native

Run the agent natively in Snowflake Snowpark Container Services for ultimate data gravity and security. Zero infrastructure setup required.

Learn how Snowflake native ETL works →

Watch how to deploy the Supaflow Agent in Snowflake SPCS in minutes

Additional Security Controls

Role-Based Access Control (RBAC)

Strict identity and access management boundaries at workspace and project levels.

Audit Trail

Track pipeline configurations, deployments, and user actions for compliance and operational reviews.

Encryption in Transit & At Rest

Industry-standard TLS encryption for all network communication. Metadata encrypted at rest in our database.

Frequently Asked Questions

Common questions from teams evaluating network, key management, and deployment requirements.

Does customer data pass through Supaflow Cloud?
With customer-controlled agents, data flows directly from source to destination without passing through Supaflow Cloud. Supaflow Cloud stores orchestration metadata and encrypted connection metadata.
Does Supaflow require inbound firewall rules or SSH access?
No. The Supaflow Agent polls for work using outbound HTTPS only. No inbound firewall rules, IP allowlists, or SSH access are required.
Where do encryption keys live?
Private encryption keys stay in the customer-controlled secret manager. The agent decrypts job metadata locally using keys stored in systems such as AWS Secrets Manager or Snowflake Secrets.
Where can the Supaflow Agent run?
The Supaflow Agent can run in your AWS VPC or in Snowflake Snowpark Container Services.

Ready to secure your data pipelines?

Start building with Supaflow's zero trust architecture today.

Start for FreeBook a Demo