Note: These deployment options are available exclusively for Enterprise plans.
On-Premise Deployment Options
In a cloud-centric world, securing the connection between your internal infrastructure and external tools is paramount. Foundational understands that some organizations operate within strict network boundaries where exposing services—such as internal source code servers or on-premise data warehouses—to the public internet is not feasible.
To support these requirements, Foundational offers flexible Enterprise deployment models. These options allow you to balance your security needs with the level of infrastructure maintenance you are willing to manage.
Deployment Levels
We support multiple levels of on-premise integration, depending on whether your primary concern is connectivity or data processing residency:
Level 1: Secure Connectivity (Private Network Access)
This level is designed for customers who need to connect Foundational to internal resources (like a self-hosted GitHub Enterprise or an on-premise Postgres) without exposing those services to the public internet.
How it works: A lightweight agent is deployed in your network to act as a secure bridge.
Data handling: Metadata is securely transmitted to Foundational's cloud for processing.
Best for: Teams that need to keep their firewall ports closed but are comfortable with metadata being processed in the Foundational cloud.
Level 2: Local Processing (Data Residency)
This level provides a higher degree of isolation. It ensures that sensitive data processing occurs entirely within your environment.
How it works: Heavier compute resources are deployed within your infrastructure to handle parsing and analysis locally.
Data handling: Sensitive data (such as source code content or table statistics) is processed locally and does not leave your premise. Only the final, sanitized lineage graph and metadata are synced.
Best for: Highly regulated industries requiring strict data residency compliance.
Choosing the Right Deployment
While Level 2 offers maximum data isolation, it requires more resources to deploy and maintain compared to the lightweight nature of Level 1. The table below summarizes the trade-offs:
| Deployment Level | Primary Goal | Ease of Implementation | Maintenance Overhead |
| --- | --- | --- | --- |
| Secure Connectivity | Connect internal services without public internet exposure. | Easy – Requires minimal configuration of a lightweight agent. | Low |
| Local Processing | Ensure sensitive data is processed entirely on-premise. | Moderate – Requires provisioning compute resources (CPU/RAM) for processing and allowing Foundational to allocate them. | Medium |
Level 1: Secure Connectivity via Agent
This deployment model relies on a lightweight Agent that sits within your internal network. It facilitates communication between your internal resources (such as self-hosted Git servers or databases) and the Foundational platform without requiring you to expose these services to the internet.
Deployment Methods
The Agent is deployed as a container within your infrastructure. We currently support deployment via Helm Chart (recommended for Kubernetes environments).
How the Agent Communicates
Unlike traditional methods that require opening inbound ports, the Foundational Agent operates entirely via outbound communication.
Polling: The Agent establishes a secure connection to Foundational’s cloud infrastructure by polling a dedicated SQS queue.
Task Execution: When Foundational needs to scan a repository or check a schema, a task is placed in the queue. The Agent picks up this task and executes the request against your internal server (e.g., fetching a file from your on-premise GitLab).
Data Transmission: The Agent transmits the necessary metadata or file content back to Foundational.
Important Note on Data Processing: In this configuration, the data extractors and analysis logic run in the Foundational cloud, not on the Agent itself. The Agent functions strictly as a secure bridge to retrieve the necessary information. This means that while your network remains closed to inbound traffic, the relevant metadata is transmitted to Foundational for processing.
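The pull-based loop described above, written out as an added example so the outbound-only property is concrete. This is not Foundational's agent code: an in-memory `TaskQueue` stands in for the SQS queue, and the `Task` fields, the handler names and the per-agent allow-list of internal hosts are assumptions made for the example. The allow-list is the check an operator running such an agent would want on the agent side (a task can only reach hosts the operator has approved); the page itself does not describe one.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Task:
    """One unit of work placed on the queue by the cloud side (shape assumed for the example)."""
    task_id: str
    kind: str                     # e.g. "fetch_file" or "describe_schema"
    target: str                   # internal host the agent should contact
    params: dict = field(default_factory=dict)


class TaskQueue:
    """Constructed in-memory stand-in for the SQS queue the real agent polls."""

    def __init__(self) -> None:
        self._items: deque = deque()
        self.results: List[Tuple[str, dict]] = []

    def put(self, task: Task) -> None:
        self._items.append(task)

    def poll(self) -> Optional[Task]:
        # SQS long-polling returns no message when the queue is empty.
        return self._items.popleft() if self._items else None

    def send_result(self, task_id: str, payload: dict) -> None:
        # The agent posts results back; the cloud side never opens a connection to it.
        self.results.append((task_id, payload))


class Agent:
    """Outbound-only worker: it initiates every connection, so no inbound port is needed."""

    def __init__(self, queue: TaskQueue, allowed_targets: Set[str],
                 handlers: Dict[str, Callable[[Task], dict]]) -> None:
        self.queue = queue
        self.allowed_targets = allowed_targets   # assumed operator-side allow-list
        self.handlers = handlers
        self.audit_log: List[str] = []

    def handle(self, task: Task) -> dict:
        """Validate a task before touching any internal host, then run it."""
        if task.target not in self.allowed_targets:
            self.audit_log.append(f"{task.task_id}: rejected, target {task.target} not allowed")
            return {"status": "rejected", "reason": "target not allowed"}
        handler = self.handlers.get(task.kind)
        if handler is None:
            self.audit_log.append(f"{task.task_id}: rejected, unknown kind {task.kind}")
            return {"status": "rejected", "reason": "unknown task kind"}
        self.audit_log.append(f"{task.task_id}: {task.kind} against {task.target}")
        return {"status": "ok", "data": handler(task)}

    def run_once(self) -> int:
        """Drain the queue once; returns the number of tasks pulled."""
        processed = 0
        while (task := self.queue.poll()) is not None:
            self.queue.send_result(task.task_id, self.handle(task))
            processed += 1
        return processed


# Constructed handlers: stand-ins for the HTTP/DB calls a real agent would make.
def fetch_file(task: Task) -> dict:
    return {"path": task.params["path"], "size": 128}


def describe_schema(task: Task) -> dict:
    return {"table": task.params["table"], "columns": ["id", "created_at"]}


def run_demo() -> TaskQueue:
    """Queue three constructed tasks; the third targets a host outside the allow-list."""
    queue = TaskQueue()
    queue.put(Task("t1", "fetch_file", "gitlab.internal", {"path": "models/orders.sql"}))
    queue.put(Task("t2", "describe_schema", "pg.internal", {"table": "orders"}))
    queue.put(Task("t3", "fetch_file", "files.partner.example", {"path": "README.md"}))
    agent = Agent(queue, {"gitlab.internal", "pg.internal"},
                  {"fetch_file": fetch_file, "describe_schema": describe_schema})
    agent.run_once()
    return queue


if __name__ == "__main__":
    for task_id, result in run_demo().results:
        print(task_id, result["status"])
```

The point to notice is the direction of every call: the agent polls, executes, and posts back, so the firewall only ever sees connections it initiated. The audit log records each task the agent accepted or refused, which is what you would want shipped to your SIEM to confirm the bridge is only reaching the hosts you expect.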
Level 2: Local Processing (Data Residency)
This deployment model is designed for organizations with strict data residency requirements. Unlike Level 1, which acts as a bridge for data to travel out, Level 2 ensures that the extraction and processing of sensitive data occurs within your own cloud environment.
Deployment Methods
This integration is currently supported only for AWS environments.
We support deployment via Terraform. Foundational provides a set of Terraform files. Your team applies these files to create a secure cross-account link between your AWS environment and Foundational.
How it Works: Secure Cross-Account Access
Rather than deploying a static agent, this model allows Foundational to provision and manage the compute resources directly within your VPC.
Role Provisioning: When you apply the Terraform files, you create a cross-account link between Foundational's AWS account and your own, as well as a specific IAM role for Foundational to use.
Resource Management: Foundational uses this role to spin up the necessary compute clusters and allocate resources needed for the extraction job.
Scoped Permissions: Security is enforced via strict IAM scoping. The role granted to Foundational allows access only to resources with the specific prefix foundational-onprem. Foundational cannot access or modify any resources (buckets, instances, or databases) that were not explicitly created by Foundational with this prefix.
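A pre-apply check for the prefix scoping described above, added here as an example; it is not part of Foundational's Terraform and the policy document it inspects is constructed for the example. The idea is that your team, before applying the cross-account role, renders the policy the role will carry and confirms that every `Allow` statement is confined to resources whose name starts with `foundational-onprem`; any wildcard or differently named resource is reported.

```python
import json
from typing import List, Tuple

PREFIX = "foundational-onprem"

# Constructed policy document for the example (not Foundational's real Terraform output).
# The third statement is the kind of over-grant the check is meant to catch.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::foundational-onprem-artifacts",
        "arn:aws:s3:::foundational-onprem-artifacts/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ecs:DescribeClusters", "ecs:RunTask"],
      "Resource": "arn:aws:ecs:us-east-1:123456789012:cluster/foundational-onprem-extractors"
    },
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::company-data-lake/*"
    }
  ]
}
""")


def resource_name(arn: str) -> str:
    """Return the name portion of an ARN, i.e. the part a naming prefix applies to."""
    if arn == "*":
        return "*"
    parts = arn.split(":", 5)          # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    resource = parts[5]
    # Most services use "type/name" (ecs cluster/..., iam role/...); S3 bucket ARNs
    # carry the bucket name directly, and an object key after "/" belongs to it.
    if "/" in resource and parts[2] != "s3":
        resource = resource.split("/", 1)[1]
    return resource


def unscoped_resources(policy: dict, prefix: str = PREFIX) -> List[Tuple[int, str]]:
    """List (statement index, ARN) for every Allow resource not confined to the prefix."""
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            name = resource_name(arn)
            if name == "*" or not name.startswith(prefix):
                findings.append((idx, arn))
    return findings


if __name__ == "__main__":
    for idx, arn in unscoped_resources(SAMPLE_POLICY):
        print(f"statement {idx}: {arn} is not confined to prefix '{PREFIX}'")
```

The check deliberately treats a bare `*` resource as a finding, since a wildcard defeats the prefix boundary no matter how narrow the action list is. It inspects only the `Resource` element: statements that rely on `NotResource` or on `Condition` keys (tag-based scoping, for example) need a separate review, and the script does not attempt to evaluate them.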
Data Flow & Artifacts
The primary distinction of this level is where the code that processes sensitive metadata or code runs.
Local Extraction: The extractors run on the compute resources provisioned within your network. Your sensitive data (such as source code or table metadata) is read and processed locally.
Processed Outputs Only: The system does not send your raw metadata or code to the cloud. Instead, it extracts only the necessary metadata artifacts—such as parsed SQL queries (extracted from code) or a dbt manifest—and syncs these sanitized artifacts to the Foundational SaaS.
The result is that customers receive the full benefit of Foundational's processing and lineage UI, hosted on the Foundational public SaaS, while their sensitive metadata and code never leave their controlled network boundary.
