Skip to main content

Security & Tenancy

Saddle Data is built with a "Security-First" mindset, providing enterprise-grade isolation and encryption for your sensitive data and credentials.

Worker Isolation

To ensure tenant isolation, Cloud Workers in Saddle Data implement a multi-layered isolation model.

  • Job-Level Isolation: Every flow execution (and discovery job) creates its own isolated temporary directory on the file system. This ensures that one sync process cannot access the temporary files or buffers of another concurrent sync.
  • Strict Cleanup: All temporary files (such as buffers for Excel or S3 uploads) are stored in these job-specific directories and are automatically wiped as soon as the job completes.
  • Memory Safety: Workers are implemented in Go, providing strong memory safety guarantees between concurrent execution routines.

Bring Your Own Key (BYOK)

While Saddle Data manages and encrypts your credentials by default, enterprise organizations can opt for an additional layer of security by providing their own encryption keys.

  • Customer-Managed Keys: You can configure your organization to use a specific Google Cloud KMS Key for encrypting all your integration secrets.
  • Full Control: By using your own KMS key, you maintain full control over the encryption lifecycle. If you revoke Saddle Data's access to your key, we will immediately lose the ability to decrypt and use your integration credentials.
  • Auditability: All key access requests are recorded in your own Google Cloud Audit Logs, providing a clear trail of when and how your secrets are being accessed.

Configuring BYOK

To use your own KMS key, you must grant Saddle Data permission to use it for encryption and decryption.

1. Grant IAM Permissions

In your Google Cloud Console, navigate to your KMS Key and grant the Cloud KMS CryptoKey Encrypter/Decrypter role (roles/cloudkms.cryptoKeyEncrypterDecrypter) to the Saddle Data service identity.

The service identity you need to authorize is our Secret Manager Service Agent: service-417205367576@gcp-sa-secretmanager.iam.gserviceaccount.com

Note: For more details on why this specific account is used, see the Google Cloud Documentation on Customer-Managed Encryption Keys.

2. Provide the Resource ID

  1. Navigate to Organization Settings in the Saddle Data dashboard.
  2. In the General tab, find the Bring Your Own Key (BYOK) section.
  3. Enter the full KMS Key Resource ID (e.g., projects/your-project/locations/us-central1/keyRings/your-ring/cryptoKeys/your-key).
  4. Click Update Security Settings.

Note: Once configured, all new integrations created will be encrypted using your provided key. Existing integrations will continue to use the system default key.

Remote Agents

For organizations with the most stringent security requirements, our Remote Agent architecture allows you to keep your data and credentials entirely within your own infrastructure.

See the Remote Agents concept page for more details.