Security Architecture - Single Tenant


UNIQUE can deploy a customer environment as its own (single) separated tenant on UNIQUE’s enterprise subscription. That way, all data storage and data processing are encapsulated in this landing zone and separated from all other customers.

Overview

Diagram: single-tenant architecture overview (image not reproduced in this text)

Azure Application Gateway

  • A web application firewall filters all incoming requests

  • IP blocking can optionally be configured in the web application firewall

Azure Storage Accounts

  • Data at rest is protected by soft delete with a 30-day retention

  • Data is backed up with 14-day backup retention and an RPO of 24 hours

Azure OpenAI Deployments

Kong Application Gateway

  • Validates JWTs on incoming requests

  • Incoming requests are rate-limited

SSO

  • SSO can be configured to connect to the customer’s IdP using Entra ID, OIDC, SAML, and other methods supported by Zitadel

Encryption

  • All data at rest is encrypted using 2048-bit RSA-HSM keys managed by UNIQUE

  • All data in transit is encrypted using TLS 1.2+

Data classification

  • Zitadel only processes and stores user authentication data

  • Redis does not store any customer data, only state

  • Azure Key Vault stores encryption keys and secrets

  • All other services and data stores hold data of classification level confidential, internal or public, depending on the customer’s restrictions on which data classifications may be used on UNIQUE

MS Defender for Cloud (MDC)

  • MDC monitors and alerts on all incidents occurring in the Azure landing zone resources

  • Connected to MS Sentinel SIEM for monitoring and alerting

  • 24/7 SOC monitoring of incidents for quick triage and response
