Skip to content
Claresia Docs

Mode B — Claresia Cloud Dedicated

Mode B is the standard for mid-market through enterprise customers (200–5000 seats) with residency or CMEK requirements. Default for Dainese-class accounts (475 seats, EU manufacturing).

When to choose Mode B

Section titled “When to choose Mode B”
  • 200–5000 seats
  • Residency in standard region (US-only or EU-only)
  • CMEK desired (rotate the encryption key on your schedule)
  • SOC 2 evidence required
  • Dedicated DPA negotiated
  • Phone support required for Sev 1

What’s different from Mode A

Section titled “What’s different from Mode A”
DimensionMode AMode B
Hub PostgresShared Aurora, RLS-isolatedDedicated Aurora Serverless v2 per tenant
Encryption keyClaresia-rotated AES-256CMEK in customer-named KMS / Key Vault
Telemetry storageShared ClickHouseDedicated ClickHouse per region
NetworkShared subnetDedicated subnet, IP allowlisting available
DPAClick-throughSigned, Schrems II compliant
Audit reportsOn requestAnnual SOC 2 Type 2 + pen test summary
SLA99.5%99.9%
Phone supportNot includedIncluded for Sev 1

Topology

Section titled “Topology”

Same wire diagram as Mode A, but the Hub Postgres is a dedicated cluster and the telemetry ClickHouse is a dedicated cluster in your chosen region. The encryption key lives in a customer-named KMS / Key Vault key ring.

                      Claresia Cloud (eu-south-1 OR eu-central-1)
            ┌──────────────────────────────────────────────────────┐
            │                                                        │
            │  WorkOS · Distribution · Telemetry · Command Center    │
            │                                                        │
            │  ┌──────────────────────┐   ┌──────────────────────┐  │
            │  │ Aurora Postgres      │   │ ClickHouse           │  │
            │  │ DEDICATED to tenant  │   │ DEDICATED to tenant  │  │
            │  │ + customer KMS CMEK  │   │ + customer KMS CMEK  │  │
            │  └──────────────────────┘   └──────────────────────┘  │
            │                                                        │
            └──────────────────────────────────────────────────────┘
                                    
                          Customer LLM platform
                          (Claude / Copilot / ChatGPT / Gemini)

Customer-side install

Section titled “Customer-side install”

Still zero. No Terraform, no agents, no sidecars. The IT admin pastes the same credentials as Mode A. The CMEK key is created by the customer in their KMS / Key Vault (we walk you through it in the portal); we operate the key ring under a Customer Lockbox contract.

The only added step vs Mode A: choose your region during portal Step 7 (Provision Hub) and generate the CMEK key.

Time-to-go-live

Section titled “Time-to-go-live”

5 business days. The bulk of the time is Claresia provisioning the dedicated Aurora cluster + dedicated ClickHouse cluster + the CMEK key ring. The IT admin spends the same 30–60 min in the portal.

Pricing

Section titled “Pricing”

Standard cc-033 v2 pricing plus:

  • +$12k/year regional residency fee (eu-central-1)
  • +$25k/year for non-standard regions (e.g., eu-central-1, ap-southeast-1) — currently roadmap

CMEK key management

Section titled “CMEK key management”

Customer creates the KMS key (AWS KMS, Azure Key Vault, or GCP KMS). Customer grants Claresia’s per-tenant IAM principal the kms:Encrypt, kms:Decrypt, kms:GenerateDataKey permissions. Customer can rotate at any time; new key material is used for new writes; old encrypted data is re-encrypted in the background within 24 hours.

Customer can revoke the key at any time. Doing so makes the Hub immediately unreadable to Claresia (we cannot decrypt). Customer can re-grant to restore.

Customer Lockbox contract

Section titled “Customer Lockbox contract”

Optional but recommended for Mode B. Adds a layer requiring explicit customer approval before any Claresia engineer can access tenant data for support purposes. Approval flow runs through your Slack/Teams Connect channel + audit log.

SLA

Section titled “SLA”
TierTarget
Uptime99.9%
Sev 1 (down) response15 min
Sev 2 (degraded)1 h
Sev 3 (cosmetic)1 business day

DPA

Section titled “DPA”

Mode B includes a signed, redlined DPA. Default version is Schrems II compliant (Standard Contractual Clauses + technical supplementary measures) and covers EU data subjects. NIS2 readiness pack + Italian Garante alignment.

When to upgrade Mode B → Mode C

Section titled “When to upgrade Mode B → Mode C”
  • CISO mandate forbids customer data leaving customer cloud
  • Public-sector customer (federal / state / local)
  • Region not in Claresia’s roadmap (e.g., Saudi region, (EU residency only; no US-Gov pursuit))
  • Internal compliance audit requires the customer to have direct OS-level access to the database