Your cloud. Your VPC. Your rules.
Baponi is a sandboxed code execution platform for AI agents. One Helm chart deploys the entire platform in your Kubernetes cluster, in your VPC. Your data never leaves your infrastructure.
Fully operational in hours, not months. One Helm chart, your Kubernetes cluster.
Our security engineers work with your DevOps and SecOps teams to deploy, configure, and validate. Or we manage the entire deployment in your cluster for you.
Your Identity Provider
Okta, Azure AD, or any OIDC-compliant provider. Your SSO policies, your MFA rules, your user lifecycle.
Your Database
Your PostgreSQL instance, in your VPC, with your backup schedule and failover policies. No managed database dependency.
Your Cloud Storage
S3, GCS, or Azure Blob. Your buckets, your encryption keys, your retention policies. Data never leaves your account.
Your Network
Deploy inside your VPC with your firewall rules. Air-gapped deployments supported for classified and regulated environments.
Supported on GKE, EKS, AKS, OpenShift, Rancher, and bare-metal Kubernetes. Air-gapped deployments with zero internet access are fully supported.
GDPR, HIPAA, and SOC 2 compliance without auditing a third party
When data never leaves your infrastructure, compliance is a property of your architecture, not a vendor promise. You don't audit Baponi. You audit yourself.
Data stays in your chosen region. No cross-border transfers to third-party infrastructure. You control data residency, retention, and deletion.
Protected health information never leaves your cloud perimeter. No BAA with Baponi required because no patient data touches our systems.
Unlimited immutable audit trail on every execution, every API call, every admin action. Your existing SOC 2 controls extend to the deployment.
Any compliance framework. Because no data, credentials, or code leaves your infrastructure, your existing cloud compliance posture covers the Baponi deployment. No additional vendor assessment required.
Same platform, same API. Unlimited resources, zero data egress.
Enterprise runs the same codebase as our managed cloud. Start building on Free or Pro, move to Enterprise when compliance or scale requires it.
| | Managed Cloud | Enterprise |
|---|---|---|
| Infrastructure | | |
| Hosting | Baponi-managed cloud | Your Kubernetes cluster |
| Identity provider | Baponi auth | Your OIDC (Okta, Azure AD, etc.) |
| Database | Managed PostgreSQL | Your PostgreSQL |
| Storage | Baponi-managed + BYOB | Your cloud storage + BYOB |
| Network | Public internet | Your VPC, optional air-gap |
| Resources | | |
| Max CPU per sandbox | Up to 4 | Unlimited |
| Max RAM per sandbox | Up to 4 GiB | Unlimited |
| Concurrent executions | Up to 100 | Unlimited |
| Max execution time | 1 hour | Unlimited |
| Governance | | |
| Audit retention | Up to 30 days | Unlimited |
| SSO / OIDC | | |
| Air-gapped deployments | | |
| Dedicated security engineer | | |
| Custom SLA | | |
Enterprise pricing is annual with unlimited executions. No per-execution metering. Current as of April 2026.
Your AI agents use credentials and data but never see them
Connectors and BYOB storage give AI agents access to databases, APIs, and files without exposing credentials or moving data outside your infrastructure.
Credential Management
Connectors for databases, data warehouses, and cloud storage. Credentials are injected into the sandbox at runtime and wiped on exit — never stored on disk, never persisted between executions.
- Per-sandbox credential isolation
- Full audit trail on every credential access
- Rotate credentials without changing agent code
- Works with your existing secrets management
BYOB Storage
Mount S3, GCS, or Azure Blob buckets as local directories inside the sandbox.
Your AI agents read and write files at /data without knowing they're accessing cloud storage. Data never leaves your bucket.
- Sub-path mounting for multi-tenant isolation
- Read-only or read-write per connection
- No data duplication or egress
- Your encryption keys, your retention policies
Enterprise questions
How long does deployment take?
Most deployments are fully operational in hours, not weeks. Our security engineers work directly with your DevOps team to configure the deployment, validate network policies, and run the first execution. Ongoing support covers upgrades, scaling, and configuration changes.
Which cloud providers and Kubernetes distributions are supported?
Baponi runs on any standard Kubernetes cluster: GKE, EKS, AKS, OpenShift, Rancher, or bare-metal. Air-gapped environments with no internet access are fully supported.
How are updates and patches handled?
We publish versioned releases with changelogs and migration guides. Your team controls when and how updates are applied. For critical security patches, our engineering team coordinates directly with your SecOps team for expedited rollout.
Can I start on the managed cloud and move to self-hosted later?
Yes. Many teams start with the Free or Pro tier on our managed cloud, build their integration, then move to self-hosted Enterprise when compliance or scale requirements grow. The API is identical. Your code, connectors, and configurations transfer without changes.
What does the security engineer consultation include?
A dedicated Baponi security engineer reviews your infrastructure, recommends network and RBAC configuration, validates the deployment against your compliance requirements, and stays available for ongoing security questions. This is included in every Enterprise contract.
What's the licensing model?
Annual subscription with unlimited executions, unlimited users, and unlimited API keys. No per-execution metering, no credit system, no usage caps. Pricing is based on deployment scope and support requirements.
Do I need to manage the infrastructure myself?
You choose the level of involvement. Some teams have their DevOps manage the deployment with our guidance. Others prefer a fully managed model where our team handles deployment and maintenance in your cluster. Both models are supported.
Deploy Baponi in your infrastructure
Talk to our security engineers about deployment, compliance, and pricing. Most deployments are operational in hours.