BYOC
Why regulated SaaS can't use Datadog DBM, and the BYOC fix
Architecture of a BYOC observability deployment: where data lives, what crosses the boundary, and how SOC2 / HIPAA / GDPR are met without sacrificing UX.
If you’ve tried to put Datadog DBM in front of a regulated SaaS’s security team, you know. Query text is the most sensitive blob in a database — emails, tokens, account numbers, full-text search inputs. SaaS-only DBM means that blob crosses your boundary, hits a multi-tenant ingestion pipeline, and lives in a vendor’s storage. That’s a SOC2 / HIPAA / GDPR landmine.
What BYOC fixes
BYOC (Bring Your Own Cloud) splits a SaaS product cleanly into a data plane (the parts that touch raw telemetry) and a control plane (the UI, identity, billing, AI engine). The data plane runs in your VPC. The control plane runs in ours, and reaches the data plane through one narrow, audited gRPC endpoint.
What crosses the boundary
In a properly designed BYOC deployment, what crosses the boundary is aggregated query results (counts, percentiles, plan blob IDs), anomaly verdicts, and alert webhooks. What does not cross: raw query text, plan content, row data, and tags that could re-identify users.
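An added example, not Obsfly's code or protobuf: a default-deny egress check that a data-plane proxy could run on every outbound message, so that only aggregate fields leave the VPC. The JSON encoding, field names and regex heuristics are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// Hypothetical allowlist of fields permitted to leave the VPC. The names are
// assumptions for this example, not a real vendor schema.
var allowed = map[string]bool{
	"db_id": true, "window_start": true, "call_count": true,
	"p50_ms": true, "p99_ms": true, "plan_blob_id": true, "anomaly_verdict": true,
}

// Heuristics for content that must stay in the data plane: SQL text and emails.
var sensitive = regexp.MustCompile(
	`(?i)\b(select|insert|update|delete)\b.+\b(from|into|set)\b|[\w.+-]+@[\w-]+\.[\w.]+`)

// CheckEgress returns the violations found in one outbound JSON message.
// An empty result means the message may cross the boundary.
func CheckEgress(raw []byte) ([]string, error) {
	var msg map[string]any
	if err := json.Unmarshal(raw, &msg); err != nil {
		return nil, fmt.Errorf("reject undecodable payload: %w", err)
	}
	var out []string
	for k, v := range msg {
		s, isStr := v.(string)
		_, isNum := v.(float64) // encoding/json decodes every number as float64
		switch {
		case !allowed[k]: // default deny: unknown fields (e.g. free-form tags) never leave
			out = append(out, "field not on allowlist: "+k)
		case isStr && sensitive.MatchString(s): // allowed field smuggling raw text
			out = append(out, "sensitive content in field: "+k)
		case !isStr && !isNum: // nested objects/arrays could hide arbitrary data
			out = append(out, "only strings and numbers permitted: "+k)
		}
	}
	sort.Strings(out) // deterministic order for the audit log
	return out, nil
}

func main() {
	// Constructed sample: raw query text in an unlisted field and in an allowed one.
	bad := []byte(`{"db_id":"pg-7","query_text":"SELECT * FROM users WHERE email='a@example.com'","anomaly_verdict":"select id from t"}`)
	fmt.Println(CheckEgress(bad))
}
```

Content heuristics only catch what they recognize; the allowlist and the scalar-only rule are what enforce the boundary, and every rejected message belongs in the audit log.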
How to evaluate a BYOC vendor
- Ask for the data-plane proxy source (or its protobuf). If they can’t show it, it’s not real BYOC.
- Ask whether your security team can audit every call the control plane sends.
- Ask what happens when you turn the proxy off. (Should: graceful read-only.)
- Ask for the Helm chart. If they ship a custom installer, it’s not portable.
- Ask what happens at contract end. (Should: hard stop after a 7-day grace, but your data is never deleted by them.)
Obsfly’s answer
Same Go binaries run in SaaS, BYOC, and Sovereign mode — no fork. The data-plane proxy ships with its protobuf in packages/proto/dataplane.proto and a Helm chart in infra/helm/obsfly-data-plane/. Audit logging is a one-line setting.
Full architecture page: /byoc. Sovereign / on-prem option for fully air-gapped deployments: /sovereign.
The license-controller catch
BYOC vendors typically pair their deployment story with a license-control mechanism — annual signed license, daily heartbeat, lifecycle that gracefully degrades after expiry. Obsfly is open about this. The exact heartbeat shape and lifecycle are documented on /sovereign. No query text, no row data, no schemas — only deployment health and DB count.