This page describes how to deploy Weave, manage access, and protect data, so you can choose the deployment option and security controls that fit your organization’s needs. Weave is available on the following deployment options:
  • W&B Multi-tenant Cloud: A multi-tenant, fully managed platform deployed in W&B’s Google Cloud Platform (Google Cloud) account in a North America region.
  • W&B Dedicated Cloud: Generally available on AWS, Google Cloud, and Azure.
  • Self-Managed instances: For teams that prefer to host Weave independently, your W&B team provides guidance to evaluate deployment options.

Identity and access management

Use the identity and access management capabilities for secure authentication and effective authorization in your W&B Organization. The following capabilities are available for Weave users depending on your deployment option and pricing plan:
  • Authenticate using single sign-on (SSO): Options include public identity providers like Google and GitHub, and enterprise providers such as Okta and Azure Active Directory, using OIDC.
  • Team-based logical separation: Each team may correspond to a business unit, department, or project team within your organization.
  • Use W&B projects to organize initiatives: Organize initiatives within teams and configure the required visibility scope, including the restricted scope for sensitive collaborations.
  • Role-based access control: Configure access at the team or project level to ensure users access data on a need-to-know basis.
  • Scoped service accounts: Automate generative AI workflows using service accounts scoped to your organization or team.
  • SCIM API and Python SDK: Manage users and teams with the SCIM API and the Python SDK.

Data security

The data security protections available to you depend on your deployment option.
  • Multi-tenant Cloud: W&B stores data for all Weave users in a shared ClickHouse Cloud cluster, encrypted with cloud-native encryption. Shared compute services process the data and ensure isolation through a security context that comprises your W&B organization, team, and project.
  • Dedicated Cloud: W&B stores data in a unique ClickHouse Cloud cluster in the cloud and region of your choice. A unique compute environment processes the data, with the following additional protections:
    • IP allowlisting: Authorize access to your instance from specific IP addresses. This is an optional capability.
    • Private connectivity: Route data securely through the cloud provider’s private network. This is an optional capability.
    • Data encryption: W&B encrypts data at rest using a unique W&B-managed encryption key.
    • ClickHouse cluster security: W&B connects to the unique ClickHouse Cloud cluster for your Dedicated Cloud instance over the cloud provider’s private network. W&B also encrypts the cluster with a unique W&B-managed encryption key and uses ClickHouse’s file-level encryption.

Maintenance

If you’re using Weave on Multi-tenant Cloud or Dedicated Cloud, you avoid the overhead and costs of provisioning, operating, and maintaining the W&B platform, because W&B fully manages it for you.

Compliance

To request SOC 2 reports and other security and compliance documents, refer to the W&B Security Portal or contact your W&B team for more information.
Security controls for both Multi-tenant Cloud and Dedicated Cloud are periodically audited internally and externally. Both platforms are SOC 2 Type II compliant. Dedicated Cloud is also HIPAA-compliant for organizations managing PHI data while building generative AI applications.