# Deployment options

> Traversal's architecture, security model, and deployment options — SaaS and BYOC.

Traversal is agent-less and always read-only. In most cases, Traversal does not require the deployment of any software in your environment, and it cannot modify your systems or data. The [Traversal Connector](/architecture/connector) can be deployed to securely reach private data and observability sources, and the [Traversal Processor](/setup/processor) can be deployed to minimize egress volumes and apply data redaction before data leaves your environment.

Both the [Traversal Connector](/setup/connector) and [Traversal Processor](/setup/processor) run in any environment — AWS, GCP, Azure, OCI, on-prem Kubernetes, or any container runtime. Kubernetes is the easiest path: we publish Helm charts for both.

Traversal offers two deployment options: **SaaS** to get going in minutes with Traversal's cloud, or **BYOC** (Bring Your Own Cloud) for a dedicated, single-tenant, fully-managed deployment in your own cloud account.

<Card title="SOC 2 Type II certified" icon="shield-check" href="/responsible-use/security">
  Traversal has received and maintains its SOC 2 Type II attestation, applicable to both deployment options.
</Card>

<Tabs>
  <Tab title="SaaS">
    The easiest way to get started with Traversal in minutes is to sign up for Traversal's SaaS (cloud) offering. Your data and your connections to your observability providers remain fully secure, whether those providers are cloud vendors or hosted in your internal infrastructure.

    Communication from the [Traversal Connector](/setup/connector) and [Traversal Processor](/setup/processor) to the Traversal SaaS travels over the public internet and is secured with mTLS — both sides authenticate with certificates, and all traffic is encrypted in transit.

    <img className="block dark:hidden" src="https://mintcdn.com/traversal-ff380fca/hoHvpQKBXhvdGtuw/architecture/saas-light.png?fit=max&auto=format&n=hoHvpQKBXhvdGtuw&q=85&s=a7044fe092fe1bd6cdf601da32305cb0" alt="Traversal SaaS Architecture Diagram" width="2354" height="1400" data-path="architecture/saas-light.png" />

    <img className="hidden dark:block" src="https://mintcdn.com/traversal-ff380fca/hoHvpQKBXhvdGtuw/architecture/saas-dark.png?fit=max&auto=format&n=hoHvpQKBXhvdGtuw&q=85&s=61e459fd2218a973bd4049e984448e17" alt="Traversal SaaS Architecture Diagram" width="2354" height="1400" data-path="architecture/saas-dark.png" />

    <CardGroup cols={2}>
      <Card title="Tenant isolation" icon="shield">
        At every layer — from frontend to database and agentic workflows.
      </Card>

      <Card title="Zero data retention" icon="eye-slash">
        On LLM calls, with options to bring your own key (BYOK) and bring your own provider.
      </Card>

      <Card title="Secure access" icon="lock">
        Connect to your private data sources and systems with the [Traversal Connector](/architecture/connector).
      </Card>

      <Card title="Minimal egress" icon="arrow-right-from-bracket">
        Reduce data leaving your environment with the [Traversal Processor](/setup/processor).
      </Card>

      <Card title="Data redaction" icon="eraser" href="/setup/redaction">
        Customer-configured data redaction and obfuscation at the edge.
      </Card>

      <Card title="Strong authentication" icon="key">
        SSO and MFA for all users.
      </Card>
    </CardGroup>
  </Tab>

  <Tab title="BYOC (Bring Your Own Cloud)">
    With Traversal BYOC, you get a dedicated, single-tenant, fully-managed deployment of Traversal in your own cloud account, with fully private access and network paths to your Traversal deployment, and full custody of your data in dedicated data stores and cloud storage buckets.

    <img className="block dark:hidden" src="https://mintcdn.com/traversal-ff380fca/hoHvpQKBXhvdGtuw/architecture/byoc-architecture-light.png?fit=max&auto=format&n=hoHvpQKBXhvdGtuw&q=85&s=9ead488303bee85348d63bacfe0ef5b9" alt="Traversal BYOC Architecture Diagram" width="2354" height="1400" data-path="architecture/byoc-architecture-light.png" />

    <img className="hidden dark:block" src="https://mintcdn.com/traversal-ff380fca/hoHvpQKBXhvdGtuw/architecture/byoc-architecture-dark.png?fit=max&auto=format&n=hoHvpQKBXhvdGtuw&q=85&s=803cc9d7f45e03a7a51c400c77b32e33" alt="Traversal BYOC Architecture Diagram" width="2354" height="1400" data-path="architecture/byoc-architecture-dark.png" />

    <CardGroup cols={2}>
      <Card title="Dedicated environment" icon="building">
        Full Traversal environment in a dedicated cloud account within your infrastructure boundary.
      </Card>

      <Card title="Dedicated resources" icon="server">
        All compute, storage, encryption keys, and the agentic runtime are exclusive and dedicated.
      </Card>

      <Card title="Private networking" icon="network-wired">
        All traffic flows through private network paths and customer-controlled proxies (PrivateLink).
      </Card>

      <Card title="Private LLM routing" icon="brain">
        Options for BYOK, LLM gateways, and private inference endpoints.
      </Card>

      <Card title="Data redaction" icon="eraser" href="/setup/redaction">
        Customer-configured data redaction and obfuscation at the edge.
      </Card>

      <Card title="Fully managed" icon="hands-helping">
        Secure and fully auditable management by skilled Traversal operators.
      </Card>
    </CardGroup>

    For the full architecture details, deployment process, and responsibility matrix, see the [BYOC guide](/architecture/byoc).
  </Tab>
</Tabs>
