Data Privacy and Safety
dex is designed with a modern, secure, and scalable architecture that separates operations into two distinct planes: the Control Plane and the Data Plane.
This separation ensures that while dex provides a seamless user experience with automation, orchestration, and monitoring, your data always stays in your cloud environment, never flowing through dex's infrastructure.
Control Plane
Runs dex’s interface, automations, orchestration engine, metadata services, native integrations and job coordination. This plane sends control instructions but never handles customer data directly.
Data Plane
Executes data tasks like ingestion, transformation, and replication. The data plane lives entirely within your cloud environment, isolated per customer, where all data is stored and processed securely.
How dex Protects Your Data
With dex, your data never leaves your cloud. All data processing and storage happen entirely within your own cloud account. The Control Plane is responsible only for managing metadata, job states, configurations, and orchestration signals—no raw data ever passes through this layer. The heavy lifting happens in the Data Plane, which consists of isolated compute workers dedicated to your organization. These workers handle data ingestion from APIs, databases, and files, perform transformations using SQL, Python, and dbt models, and execute pipeline orchestration.
Each Data Plane is fully isolated per customer, ensuring no cross-organization access. It is protected at every layer, including network, credentials, user permissions, and compute resources. Dedicated security boundaries and resource provisioning further guarantee the integrity and privacy of your data.
How It Works
You interact with dex through the Control Plane, whether via the web app, API, CLI, or automations. When you trigger a pipeline or workflow, the Control Plane sends execution instructions to the Data Plane assigned to your account. The Data Plane spins up secure compute workers that connect directly to your databases, warehouses, APIs, and services. These workers handle data ingestion, transformation, and delivery, and execute dbt models and other tasks defined in your pipelines. Once the job is completed, the Data Plane sends back execution logs, statuses, and metadata to the Control Plane—but never your actual data.
Data Plane Isolation Details
Every Data Plane runs within a dedicated VPC, leveraging private networking with no cross-tenant communication. Each instance operates with its own credentials, keys, and service accounts, fully isolated from other customers. Strict IAM policies enforce least-privilege access, ensuring that only the resources required by your organization are accessible. Compute and storage resources are logically and physically isolated, providing another layer of protection. Additionally, dex offers full auditability, with detailed logs and job metadata visible in the Control Plane—without exposing any sensitive data.
Why This Matters
This architecture is designed to be security-first, ensuring that no sensitive data ever leaves your cloud. It simplifies compliance with standards like SOC 2, GDPR, HIPAA, and other regulatory frameworks. At the same time, it offers scalability without compromise—dex’s Control Plane manages orchestration at scale, while your Data Plane handles compute-heavy workloads securely, efficiently, and entirely within your environment.
Last updated
Was this helpful?