SBOX deployed inside your own cloud account, in your VPC, in your region. Element34 templates the deployment. Your security team controls the perimeter. Single-tenant by default. Customer-controlled encryption keys. VPN or PrivateLink to your network. AWS, Azure, GCP.
Single-tenant: Test data lands in your AWS, Azure, or GCP account. Your VPC, your subnet, your IAM. Audit-friendly without leaving the cloud.
Regional residency: Pick the region. Pick the availability zone. PHI and patient data stay in customer-mandated jurisdiction. HIPAA-aligned by deployment.
GovCloud-compatible: Runs on AWS GovCloud (US), Azure Government, and equivalent sovereign-cloud regions.
Reserved-capacity friendly: SBOX runs on the cloud spend you already commit to. AWS EDP, Azure MACC, GCP committed-use. No new vendor cloud, no new contract.
Cloud-first IT mandates shut the door on public SaaS testing platforms. The mandate also shut the door on in-house grids. VPC deployment threads the needle: SBOX runs in the cloud the mandate already approved, single-tenant inside the customer account.
Symptom. The cloud mandate says no in-house hardware. The security review says no multi-tenant SaaS. The QA team has no path forward.
Symptom. Customer must run in AWS GovCloud, Azure Government, or sovereign-cloud equivalent. Most testing platforms cannot deploy there.
Symptom. Customer has committed cloud spend (AWS EDP, Azure MACC, GCP committed-use). Public SaaS testing platforms do not draw down the commitment.
SBOX deploys into the three major public clouds and the sovereign-cloud equivalents the regulated buyers actually use. Terraform modules handle the platform side. Customer cloud team handles the account, the IAM, the network.
Standard AWS regions plus AWS GovCloud (US). EKS or EC2 deployment. S3 for video storage with IAM role integration (in regulated-customer production). PrivateLink for customer-corporate-network connectivity. KMS for customer-controlled encryption.
Standard Azure regions plus Azure Government. AKS or Azure VM deployment. Azure Blob Storage. Azure Reserved VM Instances supported (Element34 advises on configuration). Private Endpoint for customer connectivity. Key Vault for encryption.
Standard GCP regions plus Assured Workloads regions. GKE or GCE deployment. Cloud Storage for video. VPC Service Controls for perimeter. Cloud KMS for encryption.
AWS GovCloud (US), Azure Government, AWS Secret Region (where customer has authorization), Bleu (France via Microsoft), GAIA-X aligned providers in EU. Customer cloud team confirms region eligibility, Element34 confirms platform compatibility.
Element34 ships Terraform modules for the three major cloud providers. Customer platform team forks the module into their own infrastructure-as-code repository, fills in customer-specific values, and applies through their normal Terraform workflow. Element34 has no write access to the customer cloud account.
    # Add Element34 Terraform module (AWS example)
    module "sbox" {
      source = "git::https://github.com/element34/sbox-terraform-aws.git?ref=v1.8.2"

      // ↓ customer-supplied values
      account_id         = var.aws_account_id          // your account
      vpc_id             = var.customer_vpc_id         // your VPC
      subnet_ids         = var.customer_private_subnets // your subnets
      region             = "us-east-1"                 // your region
      kms_key_arn        = var.customer_kms_key_arn    // your KMS key
      hub_count          = 4
      executor_count     = 100
      s3_video_bucket    = var.customer_video_bucket   // your S3 bucket
      enable_privatelink = true
    }
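A pre-merge check a customer platform team could run on its fork before applying, as an added example (not Element34's code): it reads the `module "sbox"` block and flags inputs that drift from the controls this page describes. The policy rules, the approved-region list and both sample blocks are assumptions constructed for illustration, and the parser handles only flat `key = value` inputs.

```python
import re

# Constructed samples: the page's module block (trimmed) and a weakened variant.
PAGE_BLOCK = '''
module "sbox" {
  source             = "git::https://github.com/element34/sbox-terraform-aws.git?ref=v1.8.2"
  region             = "us-east-1"             // your region
  kms_key_arn        = var.customer_kms_key_arn
  enable_privatelink = true
}
'''
WEAK_BLOCK = '''
module "sbox" {
  source             = "git::https://github.com/element34/sbox-terraform-aws.git"
  region             = "eu-west-1"
  enable_privatelink = false
}
'''

# Value is a quoted string or a bare token. The quoted form is tried first so
# the "//" inside "https://" is never mistaken for a trailing comment.
ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*("[^"]*"|[^\s#]+)')

def module_inputs(hcl, name="sbox"):
    """Return the flat key/value inputs of module "<name>" as strings."""
    block = re.search(r'module\s+"%s"\s*\{(.*?)\n\}' % re.escape(name), hcl, re.S)
    if block is None:
        raise ValueError('module "%s" not found' % name)
    return {m.group(1): m.group(2).strip('"')
            for line in block.group(1).splitlines() if (m := ASSIGN.match(line))}

def review(hcl, approved_regions):
    """Hypothetical reviewer policy; returns a list of findings (empty = pass)."""
    v = module_inputs(hcl)
    findings = []
    if "?ref=" not in v.get("source", ""):
        findings.append("source: module is not pinned to a ref")
    if v.get("enable_privatelink") != "true":
        findings.append("enable_privatelink: must be true")
    if not v.get("kms_key_arn"):
        findings.append("kms_key_arn: customer KMS key not supplied")
    if v.get("region") not in approved_regions:
        findings.append("region: outside the approved list")
    return findings

if __name__ == "__main__":
    for label, text in (("page block", PAGE_BLOCK), ("weak block", WEAK_BLOCK)):
        print(label, review(text, {"us-east-1"}) or "OK")
```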
Three private deployment models. Same SBOX product runs across all three. VPC sits in the middle: cloud-native, single-tenant, customer-perimeter-controlled.
VPC deployment inherits every security control the customer already runs on their cloud account. SBOX is just another workload inside the VPC. Same IAM, same KMS, same VPC flow logs, same audit trail.
Every SBOX VPC deployment is single-tenant inside the customer cloud account. No Element34-shared infrastructure. No multi-tenant control plane.
Encryption at rest uses customer KMS keys. SBOX never holds the key material. Customer key rotation lifecycle applies the same way as other customer workloads.
Customer connects from corporate network via PrivateLink (AWS), Private Endpoint (Azure), or Private Service Connect (GCP). No public internet exposure required.
SBOX integrates with customer SSO (SAML, OIDC). User actions land in customer audit log. CloudTrail, Azure Activity Log, GCP Cloud Audit Logs all capture SBOX interactions.
SBOX inherits the customer's cloud compliance landing zone. If the customer cloud account is FedRAMP-aligned, HIPAA-aligned, or PCI-aligned, SBOX runs inside that boundary.
Send us the cloud provider, the region, and the network policy. We hand back the Terraform module, the IAM policy, the network diagram, and the deployment checklist. Annual licensing, predictable across the contract term.