Introduction In today's data-driven landscape, enterprises face an increasingly complex challenge: how to move data efficiently across distributed systems while maintaining sovereignty, security, and control. Traditional data integration solutions force organizations into rigid deployment models—either sacrificing control for convenience in the cloud, or accepting on-premise operational complexity in exchange for sovereignty.
Today, we're excited to announce Airbyte Enterprise Flex, a groundbreaking approach to enterprise data movement that refuses to compromise. Built on our core philosophy that flexibility and control aren't mutually exclusive, Enterprise Flex represents a fundamental shift in how organizations can architect their data infrastructure. By decoupling the control plane from the data plane, we're enabling businesses to maintain complete data sovereignty while benefiting from cloud-native management capabilities.
This isn't just another enterprise offering—it's a reimagining of what enterprise data movement should be in an era of hybrid infrastructure, stringent compliance requirements, and distributed teams.
Ten years ago, every organization wanted to be cloud native. Now, data sovereignty is rewriting the rules. Regulations multiply across borders. Prying eyes and foreign governments want to know what you’re doing. In the age of AI, you want to secure your first-party data. Flexible deployments are no longer a luxury.
Technical architecture overview The basis of Enterprise Flex’s data sovereignty is a separation of Airbyte’s control plane from Airbyte’s data planes.
Control plane: the brain of the cluster Think of the control plane like a brain. It manages the state of the cluster and coordinates syncs. In Airbyte, the control plane is responsible for Airbyte's user interface, APIs, Terraform provider, and orchestrating work.
When you log in, click buttons, and navigate the Airbyte web app, you’re using the control plane.
Similarly, when you integrate programmatically with Airbyte (using the API or Terraform), configure connections (selecting streams, fields, and state), or schedule and initiate syncs, you’re using the control plane.
Despite all this, it’s critical to understand that the control plane itself never sees data or credentials. The control plane sees job metadata and state information: exactly what it needs to orchestrate work and nothing more. Sync data belongs to the data plane, and it’s where things get interesting.
Data plane: the muscle of the cluster Think of the data plane like a muscle. It’s where containers are actually run. In Airbyte, the data plane initiates jobs, syncs data, completes jobs, and reports its status back to the control plane.
When Airbyte syncs data from your source to your destination, you’re using the data plane. When you use mappings to hash, encrypt, and rename fields, and filter rows, those mappings occur on the data plane.
The point of this separation of duties is that only the data plane ever connects to your sources and destinations, sees your data, and performs operations on that data.
The result is an Airbyte deployment that is decentralized. You get the convenience of a fully-managed control plane running on Airbyte’s network, but the power and flexibility of data planes that run in your own infrastructure or anywhere else, which no one else can see or interact with.
Let’s take a look at that flexibility.
Deployment models and flexibility The concept of an independent data plane isn’t new in Airbyte. In fact, we already offer managed data planes in multiple regions. Flex takes this concept to the next level by offering maximum flexibility in your deployment with cloud, hybrid, and multi-cloud options.
Cloud only In a Cloud-only deployment, Airbyte fully manages both the control plane and your data planes. We currently have data planes in the US and EU. Each workspace can choose a different region for its data residency, and you can switch between them as easily as you can select the option from Airbyte’s user interface.
For added security, you can connect to sources or destinations in your VPC via PrivateLink without even needing to deploy a data plane. Currently Airbyte supports this for AWS only, but we intend to support PrivateLink with more cloud providers in the future.
Airbyte can also connect to your secrets manager (AWS, GCP, Azure Key Vault, or Hashicorp Vault) to store source and destination credentials securely.
Hybrid In a hybrid deployment, you have maximum control and sovereignty over your data. Airbyte manages the control plane, and can still manage some data planes if you choose, but you can also rely on data planes deployed in your own infrastructure where you need them. This can be a specific region with your hyperscaler provider of choice, a bare metal server, or even your own computer.
Typically, a hybrid deployment looks like this:
A fully managed control plane on Airbyte’s network. One or more managed data planes for data that can run through Airbyte’s network. One or more self-managed data planes for data that needs to remain under your control. Multi-cloud Many organizations choose a multi-cloud strategy to avoid vendor lock-in, improve resilience, or to improve data residency. We specifically built Enterprise Flex to accommodate these needs.
One organization can utilize data planes running on a mix of providers. You don’t need multiple control planes or deployments. Deploy your data planes where it makes sense to do so. Full stop.
Enterprise security features As an enterprise-ready product, Enterprise Flex supports the standard enterprise needs we see commonly.
External secrets management : Bring your own secrets manager and connect it to your data plane during setup so you can securely reference your credentials for data sources and destinations.PrivateLink : Connect to data sources and destinations in your virtual private cloud from Airbyte’s data plane.Audit logging : Airbyte implements audit logging on all Airbyte Cloud instances. The Airbyte team can reference them if you need assistance with a security investigation.Single sign on : Use Airbyte’s user interface to input your SSO details from Okta or Entra ID. This self-serve process enables swift integration with your SSO provider.Role-based access control : Users with administrator access can assign roles to different users. These roles can be applied at the organization level, or within a specific workspace, allowing for fine-grained control over the data Airbyte users are able to access.Multi-tenancy and workspace management With data sovereignty as king, the obvious question is how we’ve architected multiple users and workspaces, and what kinds of isolation guarantees and administrative controls support this.
Organizations are Airbyte’s highest-level objects. Think of them as analogous to your customer account. They’re how we group workspaces together, giving you a single view across your entire Airbyte environment.
Workspaces exist within organizations. A workspace is the object you associate to a region, which in turn associates it to a data plane. Workspaces provide a more granular level of control over user access. Within each workspace, you create a unique set of sources, destinations, and connections. This ensures people only see and modify things they have permissions to.
Airbyte employs a variety of strategies to ensure workspaces are always organization-specific.
Users can only access workspaces they have explicit permissions for. Workspace queries filter by organization ID, preventing cross-organization access. Secrets use workspace-scoped coordinates, preventing cross-workspace access. Jobs execute exclusively on a workspace’s assigned region and data plane. API operations on workspaces require role verification. The result is a meaningful object that people can see and work with in Airbyte, but which is backed by strong controls intended to isolate it from those who shouldn’t see it.
Deployment Guide Anyone can start with Enterprise Flex. As well, Standard or Pro subscription to Airbyte Cloud can upgrade to Enterprise Flex with ease. The technical aspects of the migration are straightforward, but they do require some thought about infrastructure.
1. Determine your infrastructure requirements The most crucial aspect of an Enterprise Flex deployment is determining what kind of infrastructure you actually need to run. Your organization, and your data, are subject to a variety of compliance obligations and controls. These requirements should drive the design of your deployment, and it’s important to get them right.
It’s worth pausing for a moment to talk about enterprise scale. When you operate in superlatives, you might feel daunted by this task. How can you weed through dozens of countries, hundreds or thousands of data sources, and all the complexity of their unique requirements for data handling?
Let’s look at a common example for those dealing with European data: GDPR.
Although GDPR does not say “keep your data in the European Union”, people often interpret its requirements into a data residency control. This is because it’s easier to prove data integrity without additional documentation and legal agreements when data hasn’t crossed a border and passed through a number of processors and sub-processors, where laws are different and a record could have been altered, viewed, or destroyed.
That single data residency control , even if only interpretive, helps your organization fulfill a broad set of compliance requirements at audit time. A good compliance framework isn’t necessarily exhaustive. Sometimes, a smaller set of correctly and strategically implemented controls act as powerful tools for compliance . Data residency is a key ingredient here and will come up frequently when auditors ask for evidence of compliance.
Knowing you have a GDPR compliance requirement, you determine that personal information that is currently stored in the eu-west-1 region must sync using a data plane in eu-west-1. You’re officially a superhero in your organization, at least as far as auditors are concerned
As you continue these types of assessments, you develop a clearer picture of your physical infrastructure needs.
How many and which cloud provider regions you need. What servers or machines you need. For the sake of example, let’s equate a physical machine with a region, and say you need the following regions:
AWS eu-west-1 GCP asia-south1 GCP northamerica-northeast2 A bare metal server in Richmond, Virginia 2. Provision your infrastructure Airbyte offers two options for deploying data planes.
You can use Helm if you have in-house Kubernetes expertise. Helm deployments require Kubernetes infrastructure like EKS, GKE or AKS. Use our tool for single-node deployments if you don’t have Kubernetes expertise. Single-node deployments run on EC2, GCE, or AVM with Docker Desktop or Docker Engine installed. If you have existing infrastructure you want to reuse, that’s fine too. You don’t need to provision new machines, but you should ensure existing machines have sufficient resources for Airbyte.
3. Create workspaces in Airbyte In step 1, we determined you need four regions. In Airbyte, each region is represented in one Airbyte workspace. So, create four workspaces – one for each region.
4. Deploy your data planes Follow the deployment guide that matches the infrastructure you set up in step 2. If you’re deploying to a Kubernetes cluster, use the Helm guide . If you’re deploying to a single node, use our command line tool .
5. Assign data planes to workspaces Once your data planes are deployed, assign them to the relevant workspace. From now on, when syncs run in that workspace, they run on your data plane.
Conclusion Airbyte Enterprise Flex represents more than just a new product plan—it's a validation of our belief that enterprises shouldn't have to choose between the convenience of cloud-native solutions and the requirements of data sovereignty. By fundamentally rethinking how data integration platforms should be architected, we've created a solution that adapts to your infrastructure rather than forcing your infrastructure to adapt to it.
The decoupled architecture at the heart of Enterprise Flex isn't just a technical innovation; it's a response to the real challenges our enterprise customers face every day. Whether you're navigating complex compliance requirements, managing data across multiple clouds, or simply need the peace of mind that comes from keeping sensitive data within your own infrastructure, Enterprise Flex provides the foundation for a modern, scalable data movement strategy.
As we move forward from our successful early access program into general availability, we're excited to see how organizations will leverage this flexibility to solve their unique data challenges. The future of enterprise data integration isn't about choosing sides—it's about having the freedom to architect your data infrastructure on your terms.
Ready to experience true flexibility in enterprise data movement? Contact our team to learn how Airbyte Enterprise Flex can transform your data integration strategy.
