Per-organization encryption
Every tenant gets its own data encryption key, wrapped by AWS KMS. Operators cannot decrypt customer secrets without an audited break-glass grant.
How encryption works →VectorFlow Cloud
The managed control plane for your Vector fleet. Vector agents still run inside your network — only the control plane runs ours. Customer log data never crosses the boundary; see /trust for the data-flow diagram.
What you get
Operator break-glass, audited
When an operator needs access to triage an incident, the customer OWNER must approve the grant in-app. Every grant is hash-chained into the audit log so tampering is detectable.
See the audit chain →Stripe self-serve billing
Pick a plan at signup. Upgrade, downgrade, change cards, download invoices from the Stripe Customer Portal — no support ticket required.
See pricing →Passkey & magic-link sign-in
No password to leak. Sign in with a passkey on every browser you use, or fall back to a one-time magic link. OIDC for orgs that want SSO.
Sub-processor change notice
Subscribe an address per org and get an email every time we add, remove, or change a sub-processor — before the change goes live.
Current sub-processors →Tenant data export
Download a portable snapshot of your org — pipelines, environments, audit chain, member roster — at any time. GDPR right-to-portability built in.
Data Processing Agreement →What we don't hold
Customer log payloads — the actual messages your Vector agents process — never cross the control-plane boundary. We hold pipeline configurations, fleet metadata (which agent is running which version, last heartbeat), and the audit log of who did what inside the control plane. Bounded sample events that the customer explicitly taps for debugging cross the boundary briefly and are not persisted beyond the tap session.
/trust diagrams the exact data flow, including where each Postgres row encryption key lives. /trust/dpa is the standard DPA we countersign with customers.
Want to self-host instead?
VectorFlow is open core. The same control plane is available as an AGPL-3.0 build you can run with docker compose up on your own infrastructure. Self-host gets you the same product surface minus operator-side break-glass, Stripe billing, and managed backups.