Is SBOX FedRAMP authorized?

SBOX is FedRAMP-aligned by architecture but not currently FedRAMP authorized standalone. Because SBOX deploys single-tenant inside the agency's own GovCloud, it inherits the host environment's FedRAMP authorization.

Does SBOX deploy inside AWS GovCloud?

Yes. SBOX deploys as a single-tenant grid inside AWS GovCloud US, Azure Government, or Google Cloud Public Sector via Terraform-provisioned VPC deployment.

Can Element34 be procured through Carahsoft?

Yes. Element34 SBOX is available through Carahsoft. GSA Schedule, SEWP V, and ITES-SW2 vehicles supported.

Does SBOX handle citizen PII and CUI inside the agency tenant?

Yes. All test data, including citizen PII or CUI in test fixtures, stays inside the agency's GovCloud tenant. AI inference uses the agency's own LLM subscription.

Does SBOX integrate with PIV or CAC authentication?

Yes. SBOX supports PIV, CAC, Kerberos, SPNEGO, and PKI-based SSO. JWT-based RBAC controls per-project access.

What about CMMC Level 2 or 3 for defense contractors?

SBOX's single-tenant architecture, audit logging, and customer-controlled keys align with CMMC Level 2 access control, audit and accountability, and configuration management practices.

Industries · Government and Public Sector

Government test automation that's AI-native and runs in GovCloud or behind the firewall.

For federal agencies, regional governments, and national digital services that need test automation behind firewalls, not in a vendor's cloud. SBOX runs in GovCloud, your VPC, or fully private infrastructure, and keeps procurement compliant via the Carahsoft channel.

Talk to solutions Get a quote

FedRAMP-aligned architecture
GovCloud + dedicated infrastructure
Carahsoft procurement

ProcurementCarahsoft channel DeploymentGovCloud + private RegionUS · EU · UK · CH

Selenium Box · Government deployment

Security posture · per-agency

🔒 grid.private.agency-gov FedRAMP-aligned

US federal civilian agencyManaged

SBOX operated by Element34 in GovCloud, single-tenant, with Carahsoft procurement. 24x7 SLA. Customer-controlled keys via KMS.

GovCloud-Eastcustomer KMSFedRAMP-alignedSSO + SCIM

EU national agency, SwitzerlandPrivate Cloud

SBOX runs on customer Kubernetes in customer datacenter. Air-gap supported. Zero data egress. EU residency end-to-end.

CH-datacenterdedicated infrazero egresscustomer ops

Regional digital service, USVPC

SBOX deployed via Terraform into customer AWS account. Single-tenant inside VPC. PrivateLink at the edge.

us-east-1BYO cloudPrivateLinkzero-trust

Public SaaS test gridRejected

Multi-tenant cloud, shared inference, vendor master key. Federal procurement and security review block the trade.

multi-tenantvendor keydata egressno region pin

Element34 deployment Public SaaS (rejected)

Trusted across regulated industries that share the same security bar

Used by U.S. federal agencies to support secure browser testing behind the firewall.

Government challenges · Element34 solutions

Where federal and public-sector testing breaks under public SaaS, and what compliance-first testing fixes.

For federal agencies, regional governments, and national digital services that cannot use public SaaS, SBOX runs on a private testing grid the agency controls. Citizen data stays inside the agency perimeter. Procurement clears through Carahsoft.

Challenge 01 Federal procurement

Public-cloud SaaS gets rejected at federal procurement.

Federal civilian agencies, national digital services, and security-critical public-sector organizations cannot route test data through a vendor's multi-tenant cloud. Procurement teams reject the model outright. Security review flags the vendor's data egress as a blocker.

Vendor multi-tenant cloud
Test data crossing the perimeter
No procurement pathway

Element34 solution Single-tenant in GovCloud

SBOX single-tenant in GovCloud or customer infrastructure.

Element34 SBOX runs single-tenant in GovCloud or in the agency's own infrastructure. Test data, session recordings, and AI prompts stay inside the agency perimeter. Architecture documentation supports the security review without retrofitted attestations.

Single-tenant by default in every deployment
GovCloud and customer-managed regions
Architecture documentation up front

Challenge 02 FedRAMP sourcing

FedRAMP authorization sourcing is complex and slow.

Agencies that need test automation under FedRAMP face a sparse supplier landscape. The sourcing process can stall for quarters before procurement clears a new vendor. Existing public-SaaS tools lack the architecture for a FedRAMP-aligned deployment.

Sparse FedRAMP-authorized supplier list
Long sourcing cycles
Architectural gaps in incumbent tools

Element34 solution FedRAMP-aligned + Carahsoft

FedRAMP-aligned architecture, Carahsoft procurement channel.

SBOX is designed to a FedRAMP-aligned architecture (single-tenant, customer-controlled keys, audit logs, zero data egress) and is available through the Carahsoft procurement channel, which agencies already use. This shortens the path from technical fit to signed contract.

FedRAMP-aligned architecture documentation
Carahsoft procurement channel
Short path from technical fit to contract

Challenge 03 Citizen-data residency

Citizen-data residency rules block cross-border vendor cloud.

GDPR, state-level privacy law, and national data-sovereignty rules require citizen data to stay inside a defined jurisdiction. Public-SaaS test grids move data into vendor regions that shift over time, which the residency reviewer cannot verify.

Vendor cloud regions shift
Citizen PII in vendor systems
Sovereignty rules unverifiable

Element34 solution Region-pinned, zero egress

Region-pinned tenancy, zero egress to Element34.

Managed Private Cloud is region-pinned at deployment (GovCloud, EU-Central, EU-West, UK, Switzerland). VPC runs inside the agency cloud account. Private Cloud runs in the agency datacenter. Citizen data never crosses into Element34 infrastructure in any deployment.

GovCloud, EU-Central, EU-West, UK, Switzerland
Customer-defined region in VPC and Private Cloud
Zero data egress to Element34

Challenge 04 Air-gap operations

Defense-adjacent workloads require disconnected operation.

Intelligence-adjacent and defense-adjacent civilian workloads sometimes need to run without any external connectivity. Most public-SaaS test grids cannot operate at all without internet access to vendor infrastructure, which makes them non-starters.

No vendor-cloud connectivity allowed
Disconnected installation requirement
Vendor telemetry blocked

Element34 solution Disconnected installation supported

Disconnected installation in VPC and Private Cloud.

SBOX in Private Cloud installs into the agency's existing Kubernetes platform with no vendor telemetry after image pull. SBOX in VPC runs inside the agency cloud account with no external connectivity to Element34 during normal operation. Air-gap operation is documented and supported.

No vendor telemetry after image pull
Air-gapped operation in Private Cloud
VPC operation without external connectivity

AI-native modules

AI in every layer. Citizen data never leaves GovCloud.

AI runs inside the agency tenant. AI calls the agency's model, not a vendor's. AI writes to the agency audit trail. Every capability, every time.

AI test authoring

Studio

Plain-English benefits-portal test scenarios compiled into Selenium Java. AI authoring respects agency security review.

Explore Studio →

Self-healing locators

Auto Heal

When the citizen portal redesigns, Auto Heal updates locators inside GovCloud. Zero outbound to a vendor cloud.

Explore Auto Heal →

AI debug analyzer

Automated RCA

Failed regression on a federal portal gets a diagnostic for the dev team without exposing citizen PII.

Explore Automated RCA →

Release readiness signal

Pulse Report

Daily readiness signal for citizen-facing services. AI-summarized risk before every public release.

Explore Pulse Report →

Customer-controlled inference

BYO LLM

Agency's GovCloud-hosted model. Agency's audit trail. Agency's keys. Element34 never sees a prompt or response.

Explore BYO LLM →

Deployment options

One platform. Three deployment models. Same government controls everywhere.

Pick the deployment that matches the agency's security and procurement environment. The product does not change. The controls do not change.

Within your network

Private Cloud (self-hosted)

Run SBOX on your dedicated infrastructure, fully behind your firewall. For organizations with hard data-residency mandates or disconnected operation requirements.

KubernetesHelmDockerAir-gap supported

Docker-based deployment with hub-and-executor architecture
Stateless licensing and full RBAC
Disconnected operation supported
No vendor telemetry after image pull

See deployment details →

Generally available

Most chosen by government Dedicated cloud

Managed Private Cloud

Element34 runs a dedicated, single-tenant SBOX environment for you, pinned to your region. 24x7 SLA, white-glove operations.

Single-tenantRegion-pinnedEU / UK / CH / USPrivateLink

Single-tenant private grid, no shared infrastructure
Region pinning available across major jurisdictions
No public-cloud co-tenancy
24x7 SLA with white-glove operations

Talk to sales for availability →

Available in select regions

Inside your cloud tenancy

Virtual Private Cloud (VPC)

Deploy SBOX inside your AWS, Azure, or GCP account. Single-tenant inside your VPC with PrivateLink at the edge.

AWSAzureGCPVPC peering

Runs in your cloud tenancy
No shared infrastructure with other customers
Native to your cloud network, IAM, and observability stack
Compatible with your existing GitOps pipeline

See deployment details →

Generally available

Same SBOX, same controls — only who operates it changes. Compare deployments →

Government security · FedRAMP-aligned controls

Built for the controls a federal procurement team signs.

SBOX is FedRAMP-aligned and GovCloud-ready by architecture. Six controls a federal procurement, security, and audit team actually checks before contract.

⛨

Zero customer-data egress

Application data, citizen PII, session recordings, and AI prompts stay inside the agency perimeter across all deployment modes. Aligned to FedRAMP and EU data sovereignty.

FedRAMP-aligned

⛯

Single-tenant infrastructure

No shared compute, no shared storage, no multi-tenant database. Per-agency isolation across every deployment. Procurement signs on architectural review.

Always single-tenant

⎬

Network isolation + zero-trust

Runs without VPN tunnels or external connectivity back to Element34 infrastructure. The agency network is the only network in the chain.

Zero-trust posture

★

GovCloud and EU region pinning

Managed Private Cloud is region-pinned at deployment. GovCloud, EU-Central, EU-West, UK, Switzerland supported. Customer-defined regions in VPC and Private Cloud.

Region-pinned

≡

Customer-controlled AI

Your model subscription. Your prompts. Your AI governance review. SBOX AI calls the agency's own LLM provider; Element34 never sees a prompt.

BYO LLM

⚙

Full audit logging

Session-level and user-level logs, exportable to your agency SOC. Splunk, IBM QRadar, Microsoft Sentinel supported natively. Auditable end-to-end.

Customer SIEM export

See the reference architecture Talk to our security team

Customer success story

Why a US federal civilian agency moved test automation into GovCloud.

A US federal civilian agency operating a public-facing benefits portal replaced a public-cloud testing SaaS with SBOX, single-tenant in customer-managed GovCloud. The driver: a $40M regression coverage backlog and a procurement team that had rejected public-SaaS test grids.

US federal civilian agency Managed Private Cloud · GovCloud · Carahsoft procurement

Challenge

$40M backlog on regression coverage, public-SaaS rejected.

The previous testing approach left a $40M backlog of regression coverage on the public-facing benefits portal. The agency could not adopt public-SaaS test grids because procurement and security review rejected the multi-tenant cloud model and the data-egress posture. Existing tooling could not run inside GovCloud at the parallel-execution scale the portal needed.

Element34 solution

SBOX single-tenant in GovCloud, Carahsoft procurement.

Element34 deployed SBOX as a Managed Private Cloud inside a customer-managed GovCloud tenant, with the Carahsoft procurement channel handling the contract. Integrated the agency's AI provider for Auto Heal and Automated RCA, and wired session-level audit logs into the agency SOC.

Outcome

FedRAMP-aligned audit pass, regression from 14 days to 2 days.

✓FedRAMP-aligned architecture cleared the agency security review
✓4x parallel execution capacity vs the previous environment
✓Regression cycle from 14 days to 2 days on the benefits portal
✓Carahsoft procurement channel cleared the contract in one cycle

Government and FedRAMP FAQ

Government and FedRAMP, answered.

Is Element34 SBOX FedRAMP authorized?

Element34 does not currently hold FedRAMP authorization. SBOX is FedRAMP-aligned by architecture: single-tenant infrastructure, customer-controlled keys, network isolation, customer-controlled AI, audit logs exportable to the agency SOC, and zero data egress in normal operation. SBOX is available through the Carahsoft procurement channel that federal agencies already use, and ships with architecture documentation that supports the agency security review without retrofitted attestations.

Does SBOX run in GovCloud?

Yes. SBOX in Managed Private Cloud can be deployed inside GovCloud, region-pinned at deployment. SBOX in VPC can be deployed inside the agency's own GovCloud account via Terraform, single-tenant inside the VPC. SBOX in Private Cloud runs in the agency datacenter for workloads that cannot use commercial cloud.

How does procurement via Carahsoft work?

Element34 SBOX is available through the Carahsoft procurement channel that federal civilian and national agencies already use for software procurement. This shortens the contract path: the agency's procurement team works through an existing vehicle, security review uses the SBOX architecture documentation, and Element34 supports both with technical and contractual evidence.

Is air-gapped or disconnected installation supported?

Yes. SBOX in Private Cloud installs into the agency's existing Kubernetes platform with no vendor telemetry after image pull. SBOX in VPC runs inside the agency cloud account with no external connectivity to Element34 during normal operation. Air-gap operation is documented and supported for workloads that require it.

Is the SBOX environment truly single-tenant?

Yes. SBOX is single-tenant by default across all three deployment models. No shared compute, no shared storage, no multi-tenant database. Per-agency isolation is part of the architectural review evidence the agency procurement and security team can verify before contract.

Where does citizen data live?

Citizen PII, application data, session recordings, generated code, and AI prompts stay inside the agency environment in every deployment. In Managed Private Cloud, the environment is region-pinned (GovCloud, EU-Central, EU-West, UK, Switzerland, and others on request) and single-tenant. Element34 never holds or processes agency application data.

How does SBOX handle AI without exposing agency data?

SBOX is bring-your-own-LLM. The agency connects its existing Azure OpenAI, AWS Bedrock, GCP Vertex, OpenAI direct, Anthropic direct, or self-hosted model. Prompts and responses move between SBOX and the agency's AI provider only. Element34 has no access to agency prompts, responses, or test data, and is not in the scope of the agency AI governance review.

How are audit logs streamed to the agency SOC?

SBOX produces session-level and user-level audit logs that export to Splunk, IBM QRadar, or Microsoft Sentinel. The agency defines retention. The SOC, internal audit, and the inspector general get the same evidence trail without any vendor-side gap.

Which deployment models are available for government?

Three deployment models, same product. Private Cloud (self-hosted) for agencies with hard data-sovereignty or air-gap requirements. Virtual Private Cloud (VPC) for agencies that want SBOX inside their existing GovCloud, AWS, Azure, or GCP tenancy. Managed Private Cloud for agencies that want Element34 to operate a dedicated, single-tenant environment region-pinned to their jurisdiction with a 24x7 SLA.

How does the contract structure work for federal procurement?

SBOX uses annual licensing, not metered SaaS pricing. The contract is designed to pass a federal security review and is available through the Carahsoft procurement channel. Pricing structure includes the three SBOX product editions (SBOX Core, SBOX AI, SBOX Managed) and four drivers (parallel execution capacity, AI consumption, deployment model, and support tier). No public pricing. Talk to sales for a scoped quote.

Tell us about your procurement and security environment.

Whether you are scoping SBOX against FedRAMP, replacing a public-cloud testing SaaS that does not clear federal procurement, or planning a Managed Private Cloud pinned to GovCloud, we are ready to talk. We will scope your deployment, share the architecture documentation your security review needs, route the contract through Carahsoft, and run a working AI demo against a non-production agency app you choose.

Book a demo Get a quote

Talk to our security team →