Platform

The Bulkhead Architecture

Every merchant gets their own database, storage, and compute. No shared state between tenants — ever.

Powered by Bulkhead

Your data stays yours. Every merchant runs on isolated infrastructure. We can't access your data without you knowing — every action is logged, every access is audited.

Tenant Infrastructure · 6 active pods

tenant        database      compute       status
acme-corp     sql-acme-001  run-acme-001  ● isolated
brew-co       sql-brew-002  run-brew-002  ● isolated
nova-retail   sql-nova-003  run-nova-003  ● isolated
peak-outdoor  sql-peak-004  run-peak-004  ● isolated
drift-supply  sql-drift-005 run-drift-005 ● isolated
summit-gear   sql-smmt-006  run-smmt-006  ● isolated

resources     region         mem   cpu
acme-corp     us-central1-a  2 GB  2 vCPU
brew-co       us-central1-b  4 GB  4 vCPU
nova-retail   eu-west1-c     2 GB  2 vCPU
peak-outdoor  us-east1-a     4 GB  4 vCPU
drift-supply  eu-west1-a     2 GB  2 vCPU
summit-gear   us-west1-b     2 GB  2 vCPU

0 shared resources · 0 cross-tenant queries · all isolated

  • Complete isolation

    Every merchant gets their own database, storage, and compute. No shared state between tenants — ever.

  • Full audit trail

    Every data access, every deploy, every configuration change recorded with actor, timestamp, and correlation ID.

  • Merchant-controlled access

    Alloy engineers cannot access merchant data without explicit authorization. Access requests are logged and time-bounded.

Request Pipeline · req_a8f2c1

authenticate  HS256 JWT     aud: pod-acme-001
encrypt       AES-256-GCM   key: sm://tenant/...
isolate       Cloud Run     svc: pod-acme-001
execute       Query         rows: 247
audit         Event logged  actor: usr_k8x...

0/5 layers passed · processing...

Data Protection

Four layers between every request and your data. Authentication, encryption, process isolation, and audit logging.

AES-256-GCM

All data encrypted at rest. Encryption keys derived from per-tenant secrets stored in Secret Manager.

JWT authentication

Short-lived HS256 tokens signed per-request. Audience scoped to the pod ID. Validated on every call.

Process isolation

Each tenant runs in their own Cloud Run service. Memory, CPU, and network boundaries enforced by the runtime.

Immutable audit log

Structured events: who did what, when, and why. Retained for compliance. Queryable via the API.
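
The JWT authentication layer described above (a short-lived HS256 token whose audience is the pod ID, validated on every call) can be sketched as follows. This is an added example, not Alloy's or Bulkhead's code: the function names, the 60-second lifetime, the claim names other than aud, and the key are assumptions.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
NOW = 1_700_000_000                              # constructed fixed clock

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(key: bytes, signing_input: str) -> str:
    return b64(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def mint(key: bytes, pod_id: str, actor: str, now: int, ttl: int = 60) -> str:
    """Issue a per-request token whose audience is exactly one pod."""
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": actor, "aud": pod_id, "iat": now, "exp": now + ttl}
    body = b64(json.dumps(claims).encode())
    return f"{header}.{body}.{sign(key, header + '.' + body)}"

def verify(token: str, key: bytes, pod_id: str, now: int) -> dict:
    """Return the claims, or raise ValueError naming the failed check."""
    try:
        header_b64, body_b64, sig = token.split(".")
        header = json.loads(unb64(header_b64))
    except ValueError as exc:  # wrong segment count, bad base64 or bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token never gets to choose "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # Recompute the MAC and compare in constant time, on bytes.
    expected = sign(key, header_b64 + "." + body_b64)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("bad signature")
    claims = json.loads(unb64(body_b64))
    # Audience must be this pod: a token minted for another tenant is rejected.
    if claims.get("aud") != pod_id:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims
```

The audience check is what ties a token to a single tenant pod: a correctly signed, unexpired token is still refused by every pod other than the one named in aud.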

One merchant, one pod. Every organisation runs on its own isolated infrastructure. Nothing is shared between tenants.

  • Identical architecture

    Every tenant pod runs the same container image with the same schema. Infrastructure is consistent across all merchants.

  • Provisioned in ~15 minutes

    Database, storage, compute, migrations, health checks — fully automated. Merchants see real-time progress while they wait.

  • Failure containment

    A failure in one merchant's pod can't affect any other merchant. Each pod runs independently.

Provisioning: acme-corp · tier: standard · est. ~15 min

Provisioning database       Cloud SQL · dedicated instance
Creating storage bucket     GCS · tenant-scoped prefix
Deploying application       Cloud Run · from container image
Running migrations          Prisma · schema + seed data
Health check & activation   Endpoint verification · session migration

elapsed: 0m 0s · provisioning

Built for trust. Bulkhead is the infrastructure commitment underpinning every Alloy solution. Every guarantee here applies to every product we ship.

  • Zero shared databases. Every merchant gets a dedicated Cloud SQL instance. Your product catalog, metafields, and configuration never share a row with another merchant.

  • Explicit access grants. Alloy support cannot SSH into your pod or query your database without a time-bounded access request that you approve. Every session is recorded.

  • Circuit breaker isolation. When one merchant's pod is under load, circuit breakers prevent cascading failures. Your performance is never affected by another tenant.

  • Encrypted at every layer. OAuth tokens encrypted with AES-256-GCM in transit. Data encrypted at rest in Cloud SQL. Secrets managed in Google Secret Manager.

  • Compliance-ready audit trail. Every lifecycle event — provisioning, deployment, access, suspension — recorded with actor, timestamp, and metadata. Export-ready for SOC 2.

  • Graceful lifecycle management. Uninstall doesn't mean data loss. Bulkhead holds infrastructure during a teardown window. Re-install within the window and everything is restored.

Security

Read about our security posture.