Network isolation & data residency

DataHub is deployed entirely inside your own cloud subscription. Your data never moves to a shared or multi-tenant environment. This page explains what that means in practice and what you can rely on from a compliance and security perspective.

Where your data lives

| Component | Location |
| --- | --- |
| Application database | Azure PostgreSQL Flexible Server, in your subscription and chosen region |
| Secrets & credentials | Azure Key Vault, in your subscription |
| Frontend & backend services | Azure Container Apps, in your subscription |
| AI/search index | Azure Blob Storage, in your subscription |

DataHub's own systems have zero access to your database, your secrets, or your files. Support access requires you to explicitly grant it via Azure RBAC.

Network access paths

Who can reach the application

Access to DataHub is controlled exclusively through Cloudflare. There are two protected entry points per deployment:

| Entry point | What it serves | Who can reach it |
| --- | --- | --- |
| {your-subdomain}.datahub.nl | DataHub web app | Anyone with valid credentials; protected by Cloudflare WAF and DDoS mitigation |
| api-{your-subdomain}.datahub.nl | Backend API | Browser sessions only (authenticated); no other inbound path exists |

The backend API has no public Azure endpoint — it is only reachable via the Cloudflare-protected API route. Direct connections to the underlying cloud service are not possible.

Internal service communication

All communication between application components (frontend ↔ backend, backend ↔ database, backend ↔ secret store) runs entirely within a private Azure Virtual Network. No inter-service traffic crosses the public internet.

  • The database has public network access disabled. It is only reachable from within the private network.
  • The secret store (Key Vault) denies all connections by default. Only the application services inside the private network can retrieve secrets.

Outbound connections

Some features require DataHub to make outbound calls to external services you configure (e.g. Databricks, Microsoft 365, dbt Cloud, webhooks). All outbound traffic from DataHub exits through a single static IP address per environment.

Static egress IP

Every environment has a fixed public IP address for all outbound connections. You can use this address to allowlist DataHub in your corporate firewall, Databricks workspace policy, or any other system that requires IP-based access control.

Your static egress IP is provided in your onboarding documentation. Contact support if you need it.

What this means for integrations

When you configure a Databricks workspace connection, a Microsoft 365 integration, or a webhook endpoint, you only need to add one IP address to your allowlist. That address never changes unless you explicitly request an environment migration.
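Because the whole point of the static egress IP is that exactly one address needs to be allowlisted, the check worth running on a firewall or Databricks IP access list is whether that address is actually covered and whether the covering entry is wider than it needs to be. The following is an added example, not DataHub's own code or tooling; it uses the documentation address 203.0.113.10 as a placeholder for the real egress IP from your onboarding documentation, and the sample allowlist is constructed.

```python
import ipaddress
from typing import Iterable

# Placeholder (RFC 5737 documentation range): substitute the static egress IP
# from your onboarding documentation. This value is constructed for the example.
DATAHUB_EGRESS_IP = "203.0.113.10"


def audit_allowlist(rules: Iterable[str], egress_ip: str = DATAHUB_EGRESS_IP) -> dict:
    """Check an IP allowlist against the DataHub egress address.

    Reports whether the egress IP is permitted, which entries permit it, which of
    those entries are broader than the single host DataHub needs, and any entries
    that are not valid IP networks at all (a typo there silently blocks traffic).
    """
    target = ipaddress.ip_address(egress_ip)
    matching, too_broad, invalid = [], [], []
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule, strict=False)
        except ValueError:
            invalid.append(rule)
            continue
        if net.version != target.version:
            continue
        if target in net:
            matching.append(rule)
            # A /32 (IPv4) or /128 (IPv6) is the narrowest possible entry;
            # anything shorter admits addresses DataHub never uses.
            if net.prefixlen < net.max_prefixlen:
                too_broad.append(rule)
    return {
        "allowed": bool(matching),
        "matching_rules": matching,
        "too_broad": too_broad,
        "invalid_rules": invalid,
        "recommended_entry": f"{target}/{target.max_prefixlen}",
    }


if __name__ == "__main__":
    # Constructed sample allowlist, e.g. a Databricks workspace IP access list
    sample = ["203.0.113.0/24", "198.51.100.7/32", "not-an-ip"]
    print(audit_allowlist(sample))
```

Running it on the sample reports the egress IP as allowed only via the /24, flags that entry as broader than necessary, and recommends replacing it with the single /32.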

Compliance & audit

| Question | Answer |
| --- | --- |
| Does DataHub access my database directly? | No. The application services connect from within your private network using application credentials stored in your Key Vault. |
| Can DataHub staff read my data? | Not without explicit grant. Production access requires an Azure RBAC role assignment, which you control. |
| Is data encrypted at rest? | Yes. Azure PostgreSQL and Azure Blob Storage use platform-managed encryption by default. You can bring your own key (BYOK) via Azure Key Vault. |
| Is data encrypted in transit? | Yes. All connections use TLS. Internal service-to-service traffic within the private network also uses TLS. |
| Is there a network boundary between my deployment and other customers? | Yes. Each deployment runs in a dedicated virtual network with no peering to other customers. |
| Can I restrict which users can access DataHub by IP or location? | Yes, through Cloudflare Access policies (configurable per deployment). Contact support to enable this. |

Troubleshooting

| Symptom | Likely cause | Action |
| --- | --- | --- |
| An integration reports that our IP address is blocked | Your firewall does not yet allowlist the DataHub egress IP | Add the static egress IP to your allowlist; the address is listed in your onboarding documentation or available from support |
| DataHub cannot reach an internal data source | By default, DataHub cannot connect to private networks in your organisation | Contact support to discuss private peering or a VPN tunnel option |
| Cloudflare shows an access error before the login page | A Cloudflare Access policy is blocking the connection | Check the Cloudflare Access policy configured for your deployment |