This topic uses private connectivity as a general term for AWS PrivateLink and Azure Private Link.

Is my dedicated instance single-tenant?

Yes. Each dedicated instance is single-tenant and logically isolated. It is not shared with other customers at the application or network level.

Does traffic ever traverse the public internet?

With private connectivity enabled, no traffic traverses the public internet by default. Inbound access is restricted to your private network, and outbound connections to your data sources and destinations use PrivateLink. Public egress is blocked unless explicitly enabled.

For use cases where private connectivity is not supported, such as connecting to SaaS applications, public egress can be enabled, but only if the customer explicitly requests it by opening a support ticket with the Unstructured Support Portal. It is not enabled automatically. See connector support for AWS and Azure to understand which connectors support private connectivity.

Without private connectivity, the platform is accessible over the public internet via HTTPS. Public ingress can be restricted to specific IP addresses or CIDR ranges on request.

Is data encrypted?

Yes. Data is encrypted in the following ways:
  • In transit: All traffic uses TLS 1.2 or higher.
  • Internally: Mutual TLS (mTLS) is used between platform services.
  • In cloud storage: Encryption policies are enforced at the storage layer.
  • At rest: Data is encrypted at rest using the cloud provider’s native key management service.

Can Unstructured access my data?

Unstructured personnel do not access customer data as part of normal operations. Access to customer data sources is explicitly configured, limited to the minimum permissions required, and governed by customer-controlled IAM, RBAC, and resource policies. Any exceptional access, such as for troubleshooting, is controlled and audited.

Is customer data used to train models?

No. Customer data processed within a dedicated instance is not used to train models.

How is access to the platform controlled?
  • Customers manage user access to the Unstructured UI and APIs.
  • Network access can be restricted by using private endpoints, security groups, and firewall rules.
  • DNS resolution can be kept private and scoped to customer networks.

What does private connectivity protect against?

Private connectivity helps protect against:
  • Exposure to the public internet
  • Unintended inbound network access
  • DNS-based traffic interception
Private connectivity does not protect against:
  • Application-layer vulnerabilities
  • Misconfigured IAM or RBAC policies
  • Compromised credentials

How long is customer data retained?

Unstructured does not store customer data long-term. Customer artifacts are used ephemerally during workflow execution and removed upon completion or failure. Transformed data is written to the configured destination. The data that persists in the Unstructured platform is limited to connector and workflow configuration metadata, connector keys stored in a secret store, and workflow execution telemetry, which does not contain file data.

What compliance standards does Unstructured support?

Unstructured maintains industry-standard security and compliance programs, including HIPAA compliance architecture, ITAR readiness with geo-blocking through AWS WAF, and SOC 2 controls. Detailed compliance artifacts are available in the trust portal.