Data Isolation¶
LightPane uses a tiered isolation model. Your plan tier determines the level of infrastructure isolation between your data and other customers.
Isolation tiers¶
| Plan | Isolation model | Infrastructure |
|---|---|---|
| Explorer (free) | Shared | Shared AWS account, path-based data separation |
| Team | Shared | Shared AWS account, path-based data separation |
| Business | Dedicated | Your own AWS account within the LightPane organisation |
| Enterprise | Dedicated | Your own AWS account with custom configuration |
| Partner | Dedicated | Dedicated accounts per client organisation |
Shared infrastructure (Explorer, Team)¶
Explorer and Team customers share a common infrastructure stack:
- Shared Lambda functions — tenant routing determines which cloud accounts to query
- Shared API Gateway — all requests enter through the same endpoint
- Shared DynamoDB tables — tenant data is partitioned by tenant ID
- Shared S3 cache — path-based isolation (`tenants/{tenant_id}/...`)
Data isolation in the shared tier is enforced at the application layer:
- Every request is authenticated and resolved to a specific tenant
- The tenant context restricts which DynamoDB partitions and S3 paths are accessible
- Access grants bind to specific cloud accounts — a token for tenant A cannot query tenant B's accounts
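The three application-layer controls listed above, written out as an added example (this is illustrative code, not LightPane's implementation). The `tenants/{tenant_id}/` prefix and the rule that grants bind to specific cloud accounts come from the page; the `TenantContext` class, the `TENANT#<id>` partition-key layout, the helper names and the sample tenant are assumptions. The point it demonstrates is that the tenant identity is taken from the authenticated context and never from a request parameter, and that a user-supplied path is normalised and re-checked before it is joined onto the tenant prefix, so `..` segments cannot reach another tenant's keys.

```python
"""Application-layer tenant scoping for a shared-tier deployment.

Added example, not LightPane's code: TenantContext, TenantScopeError, the
DynamoDB key layout (pk = TENANT#<id>) and the helper names are assumptions.
Only the tenants/{tenant_id}/ S3 prefix and the "grants bind to cloud
accounts" rule come from the page.
"""
import posixpath
import re
from dataclasses import dataclass

# Tenant IDs are slugs assigned at registration, never free-form request input.
_TENANT_ID = re.compile(r"^[a-z0-9][a-z0-9-]{0,62}$")


class TenantScopeError(PermissionError):
    """A request tried to reach data outside the authenticated tenant's scope."""


@dataclass(frozen=True)
class TenantContext:
    """Resolved from the authenticated request (e.g. the verified token's claims).

    Everything downstream derives partition keys and S3 prefixes from this
    object, so a caller has no parameter through which to name another tenant.
    """
    tenant_id: str
    granted_accounts: frozenset  # cloud account IDs bound to this tenant

    def __post_init__(self):
        if not _TENANT_ID.match(self.tenant_id):
            raise ValueError(f"invalid tenant_id {self.tenant_id!r}")


def s3_key_for(ctx: TenantContext, relative_path: str) -> str:
    """Build the cache key tenants/{tenant_id}/<relative_path>, refusing escapes.

    posixpath.normpath collapses '..', '.' and '//' so that a path such as
    'x/../../other/file' is detected before it is joined onto the prefix.
    """
    if relative_path.startswith("/") or "\\" in relative_path or "\x00" in relative_path:
        raise TenantScopeError(f"rejected path {relative_path!r}")
    normalised = posixpath.normpath(relative_path)
    if normalised in (".", "..") or normalised.startswith("../"):
        raise TenantScopeError(f"path escapes tenant prefix: {relative_path!r}")
    prefix = f"tenants/{ctx.tenant_id}/"
    key = prefix + normalised
    # Defence in depth: re-check the final key rather than trusting the steps above.
    if not key.startswith(prefix) or ".." in key.split("/"):
        raise TenantScopeError(f"path escapes tenant prefix: {relative_path!r}")
    return key


def dynamodb_query(ctx: TenantContext, sort_key_prefix: str) -> dict:
    """Query arguments for a shared table partitioned by tenant.

    The partition key is fixed to the authenticated tenant; the caller only
    narrows within that partition via the sort key.
    """
    return {
        "KeyConditionExpression": "pk = :pk AND begins_with(sk, :sk)",
        "ExpressionAttributeValues": {
            ":pk": {"S": f"TENANT#{ctx.tenant_id}"},
            ":sk": {"S": sort_key_prefix},
        },
    }


def authorise_account(ctx: TenantContext, account_id: str) -> str:
    """Enforce the grant model: a tenant may only query accounts bound to it."""
    if account_id not in ctx.granted_accounts:
        raise TenantScopeError(
            f"account {account_id} is not granted to tenant {ctx.tenant_id}")
    return account_id


if __name__ == "__main__":
    # Constructed sample context: tenant 'acme' holding a grant to one AWS account.
    acme = TenantContext("acme", frozenset({"111111111111"}))
    print(s3_key_for(acme, "inventory/ec2.json"))
    print(dynamodb_query(acme, "ACCOUNT#111111111111")["ExpressionAttributeValues"][":pk"])
    for probe in ("../globex/inventory/ec2.json", "a/../../globex/x"):
        try:
            s3_key_for(acme, probe)
        except TenantScopeError as exc:
            print("blocked:", exc)
```

The sample context is constructed; in a real handler it would be built from the verified token and the tenant's grant records, and the request handler would call `authorise_account` before any cross-account query.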
Shared tier is appropriate for most use cases
The shared tier provides strong logical isolation. Every request is authenticated, every cloud account binding is per-tenant, and cross-tenant access is prevented by the access grant model. Dedicated infrastructure is available for customers who require it for compliance or policy reasons.
Dedicated infrastructure (Business and above)¶
Business, Enterprise, and Partner customers get a dedicated AWS account:
Customer's Dedicated Account
├── API Gateway + CloudFront + WAF
├── Lambda functions (same code, isolated execution)
├── DynamoDB tables (customer's data only)
├── S3 cache bucket (customer's data only)
├── Secrets Manager (unique signing keys)
├── CloudWatch Logs (customer's logs only)
└── IAM roles (scoped to customer's cloud accounts)
Dedicated accounts provide:
- AWS account boundary — the strongest isolation primitive AWS offers
- Separate keys and secrets — unique JWT signing keys and password peppers per account
- Independent scaling — your Lambda concurrency and DynamoDB capacity are yours alone
- Separate logs — CloudWatch Logs never leave your account
- Separate WAF rules — customisable at Enterprise tier
- Auditable isolation — review IAM roles in your account to verify the permission boundaries
Per-account authentication¶
Each dedicated account has its own complete authentication stack:
| Component | Per account |
|---|---|
| User registration | Yes — per-account Lambda |
| User login | Yes — per-account Lambda |
| User table | Yes — per-account DynamoDB |
| Session table | Yes — per-account DynamoDB |
| JWT signing key | Yes — unique per account (Secrets Manager) |
| Password pepper | Yes — unique per account (Secrets Manager) |
No cross-account authentication dependencies exist at runtime. If the LightPane central infrastructure is down, your dedicated environment continues to operate.
What LightPane can and cannot access¶
The LightPane deployment system can update Lambda code in your dedicated account. It cannot read your data:
| Action | Permitted |
|---|---|
| Update Lambda function code | Yes |
| Update Lambda layers | Yes |
| Read DynamoDB tables | No — explicit deny |
| Read S3 cache bucket | No — explicit deny |
| Read Secrets Manager | No — explicit deny |
| Read CloudWatch Logs | No — explicit deny |
The deployment role (LightPaneDeploymentRole) has explicit deny policies on all data access. This is auditable via IAM policy review in your account.
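A first-pass audit of the deny boundary described in the table above and under "Auditable isolation" earlier, as an added example (not LightPane tooling). The policy document embedded below is constructed to have the shape the table implies; the real one is read from your account with `aws iam get-role-policy` or `aws iam list-attached-role-policies`, and the authoritative check is `aws iam simulate-principal-policy`. The Sids, the exact allowed Lambda actions and the resource ARNs are assumptions, and the sample deny list is deliberately left incomplete so the check has something to report. IAM evaluation is simplified here to case-insensitive `*`/`?` matching on action names; conditions, `NotAction` and resource-scoped denies are treated as not being a blanket boundary.

```python
"""Check that a deployment role carries an explicit deny on data-plane reads.

Added example, not LightPane tooling. SAMPLE_POLICY is constructed for
illustration; statement IDs, the Lambda actions and the deliberately short
deny list are assumptions. Action matching is a simplified model of IAM.
"""
import fnmatch
import json

# Constructed sample of what a customer might find attached to the role.
# The Deny list is intentionally incomplete so the audit reports gaps.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DeployCode", "Effect": "Allow",
     "Action": ["lambda:UpdateFunctionCode", "lambda:PublishLayerVersion"],
     "Resource": "*"},
    {"Sid": "NoDataAccess", "Effect": "Deny",
     "Action": ["dynamodb:*", "s3:GetObject", "s3:ListBucket",
                "secretsmanager:GetSecretValue", "logs:GetLogEvents"],
     "Resource": "*"}
  ]
}
""")

# Data-plane reads that the page says must be explicitly denied, expanded to
# the concrete API actions a reviewer would test for.
DATA_READ_ACTIONS = [
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan", "dynamodb:BatchGetItem",
    "s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
    "secretsmanager:GetSecretValue",
    "logs:GetLogEvents", "logs:FilterLogEvents", "logs:StartQuery",
]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statements(policy: dict, effect: str):
    """Yield (statement, action_list) pairs with the given Effect."""
    for st in policy["Statement"]:
        if st.get("Effect") != effect:
            continue
        actions = st.get("Action", [])
        yield st, ([actions] if isinstance(actions, str) else actions)


def explicitly_denied(policy: dict, action: str) -> bool:
    """True if an unconditional Deny on Resource '*' covers the action.

    A Deny narrowed by Condition or to specific ARNs may still be correct,
    but it is not the blanket boundary the page describes, so it is not counted.
    """
    for st, actions in _statements(policy, "Deny"):
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" not in resources or "Condition" in st:
            continue
        if any(_action_matches(p, action) for p in actions):
            return True
    return False


def audit_deployment_role(policy: dict, required_denies=DATA_READ_ACTIONS) -> list:
    """Return the data-read actions NOT covered by an unconditional explicit deny."""
    return [a for a in required_denies if not explicitly_denied(policy, a)]


def allowed_actions(policy: dict) -> list:
    """Flatten the Allow actions so the write surface can be reviewed at a glance."""
    return sorted({a for _, acts in _statements(policy, "Allow") for a in acts})


if __name__ == "__main__":
    print("allowed:", allowed_actions(SAMPLE_POLICY))
    gaps = audit_deployment_role(SAMPLE_POLICY)
    print("data reads without a blanket deny:", gaps or "none")
```

Run against the sample, the audit reports `s3:GetObjectVersion`, `logs:FilterLogEvents` and `logs:StartQuery` as reads not covered by the deny statement, which is the kind of gap a reviewer should raise before accepting an explicit-deny claim. Note the boundary this check covers: the role cannot read data directly, but the function code it is allowed to deploy still runs under the Lambda execution role in your account, so the provenance and review of deployment packages remain part of the trust model.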
Upgrade path¶
When you upgrade from Team to Business:
- A dedicated AWS account is provisioned
- Your data is migrated from the shared DynamoDB tables and S3 cache to the dedicated tables and bucket in your account
- Your DNS endpoint (`{slug}.api.lightpane.cloud`) is repointed to the dedicated infrastructure
- Your endpoint URL does not change — no impact on embedded pages or scripts
Self-hosted option¶
Enterprise and Partner customers can run LightPane entirely in their own AWS account:
- LightPane provides deployment packages, CloudFormation templates, and documentation
- You deploy in your own account outside the LightPane AWS Organisation
- LightPane has zero access to your environment
- Updates are delivered as new deployment packages
See Self-Hosting for details.