Security & sovereignty
Your data, your jurisdiction, your keys.
Homany is built so the answers to where data lives, who can access it, and who holds the keys are yours to set - and yours to verify. Sovereignty here is configuration your security team can see, not a slogan.
- Region-pinned data residency in the EU and GCC.
- Customer-owned keys and audit log export.
- Operable outside US jurisdiction for CLOUD Act exposure.
What stays in your control
- Regional data residency
- Pin workspace data to an EU or GCC region.
- Customer-owned keys
- BYOK on self-hosted and bring-your-own-cloud.
- Your identity provider
- SSO and SCIM from your own directory.
- Audit log export
- Stream events to your own SIEM.
- EU & GCC regions
- BYOK
- SSO / SCIM
- Audit export
A summary of configurable controls - placeholder positioning pending legal review, not a certification.
Security & sovereignty
Sovereignty as a deployment property, not a marketing slogan.
For regulated teams, where data lives and who can compel access to it are first-order questions. Homany is built so those answers are yours to set: the workspace, its data, and its keys can stay inside a jurisdiction and a tenancy you control.
That posture is the same one your security reviewers can verify - region, key ownership, identity provider, and audit export are configuration you can see, not claims you have to take on trust.
- Regional data residency - designed so workspace data can be pinned to an EU or GCC region.
- Customer-owned keys (BYOK) - supported on self-hosted and bring-your-own-cloud deployments.
- Audit log export - intended to feed your own SIEM and review processes.
The questions buyers actually ask
Sovereignty, in the terms a security review uses.
Not a posture statement - the four decisions a regulated buyer weighs before approving a platform.
What does “sovereign-compatible by design” mean?
That residency, key ownership, identity, and audit are configuration you set per deployment - not a region label bolted onto a single-tenant default. The controls are yours to inspect, not promises to accept.
Why isn't region-only hosting enough?
A region pin says where bytes rest. It says nothing about who operates the plane, who holds the keys, or which jurisdiction can compel access. Sovereignty needs the operator and the keys accounted for too.
How does Homany reduce jurisdictional risk?
Homany can be operated by an entity and on infrastructure outside US jurisdiction, and self-hosted shapes keep keys and data inside your boundary - inputs teams use to reduce exposure to extraterritorial access regimes.
Learn moreWhen should we choose self-hosted over local cloud?
Choose managed local cloud for speed and sovereignty defaults; choose bring-your-own-cloud or on-premise when key custody, air-gapping, or classification rules require the workload to stay fully within your walls.
Learn more
How it fits together
Your jurisdiction, your keys, your identity - connected to Homany, not surrendered to it.
Homany runs inside a boundary you choose. The diagram shows what stays in your jurisdiction and what merely connects to it.
- No shadow copies - dashboards and reports read from the same region-pinned store.
- Operable outside US jurisdiction - part of how teams reduce exposure to extraterritorial access regimes.
- Stays in your boundary
- Connects from your control plane
Sovereignty FAQ
What security reviewers ask first.
Security review
Get current, dated security documentation
We share our security posture, key-management model, and any in-progress attestations directly with your team under NDA - so you assess the real status, not a badge.