Element34
Deployment · Virtual Private Cloud (VPC)

Your cloud account. Your VPC. Your perimeter.

SBOX deployed inside your own cloud account, in your VPC, in your region. Element34 templates the deployment. Your security team controls the perimeter. Single-tenant by default. Customer-controlled encryption keys. VPN or PrivateLink to your network. AWS, Azure, GCP.

  • AWS · Azure · GCP
  • BYOK · PrivateLink · regional
  • Keys: Customer KMS
  • Connectivity: PrivateLink · VPN

[Diagram: Selenium Box · Virtual Private Cloud deployment topology, shown at grid.private.yourcorp (tabs: AWS, Azure, GCP, Sovereign). Customer cloud account, AWS region us-east-1. Private subnet, single-tenant: Load Balancer, Hub-1 to Hub-4, 100 Executors (autoscale), S3 video bucket, KMS (customer key). PrivateLink → grid.yourcorp.internal, no public internet exposure. Legend: customer cloud boundary; SBOX components (Terraform-provisioned).]

Banking & Financial Services
Single-tenant in your account

Test data lands in your AWS, Azure, or GCP account. Your VPC, your subnet, your IAM. Audit-friendly without leaving the cloud.

Single-tenant
Insurance & Healthcare
Keep PHI in your jurisdiction

Pick the region. Pick the availability zone. PHI and patient data stay in customer-mandated jurisdiction. HIPAA-aligned by deployment.

Regional residency
Government & Public Sector
Run in GovCloud and sovereign clouds

Runs on AWS GovCloud (US), Azure Government, and equivalent sovereign-cloud regions.

GovCloud-compatible
Cloud-first enterprises
Same cloud bill, no new vendor cloud

SBOX runs on the cloud spend you already commit to. AWS EDP, Azure MACC, GCP committed-use. No new vendor cloud, no new contract.

Reserved-capacity friendly
The cloud-first gate

You moved to AWS, Azure, or GCP. Your testing platform did not.

Cloud-first IT mandates shut the door on public SaaS testing platforms. The mandate also shut the door on in-house grids. VPC deployment threads the needle: SBOX runs in the cloud the mandate already approved, single-tenant inside the customer account.

Pain pattern 01

Cloud mandate forbids both in-house and SaaS

Symptom. The cloud mandate says no in-house hardware. The security review says no multi-tenant SaaS. The QA team has no path forward.

VPC response. SBOX deploys via Terraform into the customer's AWS, Azure, or GCP account. Cloud-native, single-tenant, customer-controlled.

Pain pattern 02

Sovereign cloud is mandatory

Symptom. Customer must run in AWS GovCloud, Azure Government, or sovereign-cloud equivalent. Most testing platforms cannot deploy there.

VPC response. SBOX runs in AWS today with S3 IAM role integration in regulated-customer production deployments. VPC deployment works in any region the customer account can reach, including sovereign-cloud regions.

Pain pattern 03

Reserved cloud spend goes unused

Symptom. Customer has committed cloud spend (AWS EDP, Azure MACC, GCP committed-use). Public SaaS testing platforms do not draw down the commitment.

VPC response. SBOX runs on the customer's cloud resources. Reserved VM instances, savings plans, and committed-use discounts all apply.

Cloud providers supported

Deploy on AWS, Azure, GCP, or sovereign clouds.

SBOX deploys into the three major public clouds and the sovereign-cloud equivalents the regulated buyers actually use. Terraform modules handle the platform side. Customer cloud team handles the account, the IAM, the network.

AWS

AWS · standard + GovCloud (US)

Standard AWS regions plus AWS GovCloud (US). EKS or EC2 deployment. S3 for video storage with IAM role integration (in regulated-customer production). PrivateLink for customer-corporate-network connectivity. KMS for customer-controlled encryption.

Services used: EC2 · EKS · S3 · IAM · KMS · PrivateLink · CloudTrail · VPC

Azure

Azure · standard + Azure Government

Standard Azure regions plus Azure Government. AKS or Azure VM deployment. Azure Blob Storage. Azure Reserved VM Instances supported (Element34 advises on configuration). Private Endpoint for customer connectivity. Key Vault for encryption.

Services used: VM · AKS · Blob Storage · Entra ID · Key Vault · Private Endpoint · Activity Log · VNet

GCP

GCP · standard + Assured Workloads

Standard GCP regions plus Assured Workloads regions. GKE or GCE deployment. Cloud Storage for video. VPC Service Controls for perimeter. Cloud KMS for encryption.

Services used: GCE · GKE · Cloud Storage · IAM · Cloud KMS · Private Service Connect · Cloud Audit Logs · VPC

Sovereign

Sovereign clouds

AWS GovCloud (US), Azure Government, AWS Secret Region (where customer has authorization), Bleu (France via Microsoft), GAIA-X aligned providers in EU. Customer cloud team confirms region eligibility, Element34 confirms platform compatibility.

Note: Customer cloud account must have prior authorization for the sovereign region. Element34 does not provision the cloud account itself.

Terraform-based provisioning

Element34 templates. Your platform team applies.

Element34 ships Terraform modules for the three major cloud providers. Customer platform team forks the module into their own infrastructure-as-code repository, fills in customer-specific values, and applies through their normal Terraform workflow. Element34 has no write access to the customer cloud account.

Add to your Terraform · AWS example

main.tf

    # Add Element34 Terraform module (AWS example)
    module "sbox" {
      source = "git::https://github.com/element34/sbox-terraform-aws.git?ref=v1.8.2"

      # Customer-supplied values
      account_id         = var.aws_account_id           # your account
      vpc_id             = var.customer_vpc_id          # your VPC
      subnet_ids         = var.customer_private_subnets # your subnets
      region             = "us-east-1"                  # your region
      kms_key_arn        = var.customer_kms_key_arn     # your KMS key
      hub_count          = 4
      executor_count     = 100
      s3_video_bucket    = var.customer_video_bucket    # your S3 bucket
      enable_privatelink = true
    }

Same Terraform tooling your platform team already uses. SBOX module reads customer-supplied values, never embeds secrets.
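
A pre-apply gate a customer security team could run over the JSON plan (`terraform show -json`) for the module above, checking the perimeter and BYOK claims before anything is created. This is an added example, not Element34's code: `check_plan` is a hypothetical name, the sample plan is constructed, and which AWS resources the SBOX module actually creates is an assumption.

```python
import json

# Constructed sample of `terraform show -json plan.out` output. Resource types
# and attributes are AWS-provider ones; the resource set is an assumption.
CUSTOMER_KMS_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "module.sbox.aws_lb.grid", "type": "aws_lb",
     "change": {"actions": ["create"], "after": {"internal": False}}},
    {"address": "module.sbox.aws_security_group.hub", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {"ingress": [
         {"from_port": 4444, "to_port": 4444, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "module.sbox.aws_s3_bucket_server_side_encryption_configuration.video",
     "type": "aws_s3_bucket_server_side_encryption_configuration",
     "change": {"actions": ["create"], "after": {"rule": [
         {"apply_server_side_encryption_by_default": [
             {"sse_algorithm": "aws:kms", "kms_master_key_id": CUSTOMER_KMS_ARN}]}]}}},
]})

def check_plan(plan_json, customer_kms_arn):
    """Return (address, finding) pairs for perimeter or key violations."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc["change"].get("after") or {}  # None when the resource is deleted
        addr, rtype = rc["address"], rc["type"]
        # Fail closed: a load balancer without internal=true counts as public.
        if rtype == "aws_lb" and not after.get("internal", False):
            findings.append((addr, "load balancer is internet-facing"))
        if rtype == "aws_security_group":
            for rule in after.get("ingress") or []:
                cidrs = (rule.get("cidr_blocks") or []) + (rule.get("ipv6_cidr_blocks") or [])
                if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
                    findings.append((addr, "ingress open to the internet"))
        if rtype == "aws_s3_bucket_server_side_encryption_configuration":
            for rule in after.get("rule") or []:
                for d in rule.get("apply_server_side_encryption_by_default") or []:
                    if (d.get("sse_algorithm") != "aws:kms"
                            or d.get("kms_master_key_id") != customer_kms_arn):
                        findings.append((addr, "bucket not encrypted with customer key"))
    return findings

if __name__ == "__main__":
    for address, finding in check_plan(SAMPLE_PLAN, CUSTOMER_KMS_ARN):
        print(f"FAIL {address}: {finding}")
```
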
Three deployment models

Pick the deployment model that matches your operating model.

Three private deployment models. Same SBOX product runs across all three. VPC sits in the middle: cloud-native, single-tenant, customer-perimeter-controlled.

| Dimension | Private Cloud | VPC (this page) | Managed Private Cloud |
|---|---|---|---|
| Where it runs | Customer-owned infrastructure (in-house or datacenter) | Customer AWS, Azure, or GCP account | Element34-operated, customer-isolated environment |
| Who operates it | Customer operates everything | Customer cloud team operates, Element34 provides Terraform templates | Element34 operates with 24x7 SLA |
| Network posture | Customer network only, air-gap supported | Customer VPC, customer-controlled VPN or PrivateLink | Element34-operated, optional VPN or PrivateLink to customer network |
| Best fit | Hard data residency, in-house mandate, air-gap required | Cloud-first IT mandate, single-tenant required, sovereign-cloud region | Want enterprise testing infrastructure without operating it |

Security posture

Inherit every security control your cloud account already runs.

VPC deployment inherits every security control the customer already runs on their cloud account. SBOX is just another workload inside the VPC. Same IAM, same KMS, same VPC flow logs, same audit trail.

Single-tenant by default

Every SBOX VPC deployment is single-tenant inside the customer cloud account. No Element34-shared infrastructure. No multi-tenant control plane.

Customer KMS, BYOK

Encryption at rest uses customer KMS keys. SBOX never holds the key material. Customer key rotation lifecycle applies the same way as other customer workloads.

VPC peering or PrivateLink

Customer connects from corporate network via PrivateLink (AWS), Private Endpoint (Azure), or Private Service Connect (GCP). No public internet exposure required.

Customer identity and audit

SBOX integrates with customer SSO (SAML, OIDC). User actions land in customer audit log. CloudTrail, Azure Activity Log, GCP Cloud Audit Logs all capture SBOX interactions.

Cloud-native compliance posture

SBOX inherits the customer's cloud compliance landing zone. If the customer cloud account is FedRAMP-aligned, HIPAA-aligned, or PCI-aligned, SBOX runs inside that boundary.

VPC FAQ

VPC, answered.

What is VPC deployment for Element34 SBOX?
VPC deployment runs SBOX inside the customer's own cloud account in AWS, Azure, or GCP. The deployment is single-tenant by default, inside a customer-specified VPC, in a customer-specified region. Element34 provides the Terraform modules. The customer platform team applies them. Element34 has no write access to the customer cloud account.
Which cloud providers does VPC deployment support?
AWS, Azure, and GCP in standard regions. Plus AWS GovCloud (US), Azure Government, and equivalent sovereign-cloud regions where the customer cloud account has authorization. SBOX runs in AWS today with S3 IAM role integration in regulated-customer production deployments.
How does Element34 deploy SBOX into the customer cloud account?
Element34 publishes Terraform modules per cloud provider. The customer platform team forks the module into their own infrastructure-as-code repository, fills in customer-specific values (account ID, VPC ID, region, KMS key, S3 bucket), and applies through their normal Terraform workflow. Element34 has no API credentials in the customer cloud account.
Is SBOX single-tenant in VPC deployment?
Yes. Every VPC deployment is single-tenant inside the customer cloud account. No Element34-shared infrastructure, no multi-tenant control plane, no neighboring tenants.
Does VPC deployment work with reserved VM instances or committed-use discounts?
Yes. SBOX runs on customer-owned cloud resources, so AWS Reserved Instances, Azure Reserved VM Instances, and GCP Committed Use Discounts all apply. Element34 advises on the configuration where requested.
Can VPC deployment connect to the customer corporate network?
Yes. AWS PrivateLink, Azure Private Endpoint, and GCP Private Service Connect are all supported. Customer connects from corporate network without public internet exposure. VPN is also supported for legacy connectivity.
Does VPC inherit cloud certifications like FedRAMP or HIPAA?
Yes, at the deployment level. SBOX runs inside the customer cloud account, so it inherits the customer cloud landing zone's compliance posture. If the customer AWS account is FedRAMP-aligned and HIPAA-aligned, SBOX runs inside that boundary.

We hand your cloud team the Terraform plan.

Send us the cloud provider, the region, and the network policy. We hand back the Terraform module, the IAM policy, the network diagram, and the deployment checklist. Annual licensing, predictable across the contract term.