Data flow & deployment reference · design-partner programs
Where your data lives, in every deployment model.
solidSF runs the same browser-native CAD/CAE/CAM product across six deployment models. They differ in one thing that matters to a program office: which network holds your model data, and who terminates the transport. This page is the reference for all six — commercial and CMMC-ready, in cloud, on-prem, and direct-TLS topologies.
The split that makes this work: control plane vs. data plane
Every solidSF deployment separates the control plane (the app shell, sign-in, org & team membership, entitlements) from the data plane (the geometry kernel, model files, drawings, Vault blobs, autosave). Moving the data plane is what changes a deployment model — the product experience, updates, and team management stay identical.
Control plane
Authentication, organization & team membership, license/entitlement checks, and the static frontend. Always the same experience; where it is hosted shifts between commercial cloud and GovCloud.
Data plane
The Rust geometry kernel, workspace state, drawings, and Vault storage. Its location is the whole game: solidSF cloud, your own network, or an isolated single-tenant instance.
Transport
How the browser reaches each plane: shared CDN edge, or a direct TLS/mTLS channel terminated by solidSF origin with no third-party edge in the trust path.
Family A
Commercial Standard design-partner programs
For commercial hardware teams. Fastest onboarding, full product surface, and a residency choice that scales from shared cloud to your own network.
Commercial Cloud
A1
Shared multi-tenant SaaS
All planes in solidSF cloud. Model data is stored in solidSF-managed object storage and Postgres. Reached through the shared CDN edge.
Data at rest: solidSF cloud
Commercial On-Prem
A2
Customer-resident data plane
Frontend + auth from cloud; data plane on your network. The browser loads the UI from solidSF and streams all geometry to a gateway inside your perimeter. Model bytes never transit solidSF.
Data at rest: customer network
Commercial Direct TLS
A3
Dedicated single-tenant, direct to origin
Isolated solidSF instance, no shared edge. The browser opens a direct mutual-TLS channel to solidSF origin — no third-party CDN terminates traffic. Data is in solidSF, but on single-tenant infra reached end-to-end.
Same three topologies, hardened for controlled unclassified information. The control plane runs in GovCloud (IL2, CMMC-ready) with US-persons operation and full audit logging; the data plane sits inside the assessed compliance boundary. This is the family for defense and Navy Nuclear work.
CMMC-ready Cloud
B1
GovCloud, isolated tenant
Everything inside GovCloud. Isolated IL2 tenant, US-persons ops, audit logging, CUI handling controls. CAC/SSO at the door.
Data at rest: GovCloud (IL2)
CMMC-ready On-Prem
B2
Data plane inside your enclave · Cogitic model
CUI never leaves your assessed boundary. Frontend + auth from GovCloud; the kernel, Vault, and every model byte run on a gateway inside your enclave. Per-user signed session tokens — no shared identity. Air-gap-capable.
Data at rest: customer enclave
CMMC-ready Direct TLS
B3
Dedicated GovCloud, direct mTLS
Single-tenant GovCloud, direct to origin. No shared edge in the CUI path; the browser reaches an isolated IL2 instance over direct mTLS. For programs that want SSF-hosted compliance without a shared boundary.
Data at rest: GovCloud (single-tenant)
Reference
Where every artifact lives, by model
The one table a security or program office needs. Rows are the things that carry or govern data; columns are the six models.
| Artifact | A1 · Comm Cloud | A2 · Comm On-Prem | A3 · Comm Direct TLS | B1 · CMMC Cloud | B2 · CMMC On-Prem | B3 · CMMC Direct TLS |
| --- | --- | --- | --- | --- | --- | --- |
| Frontend (app shell) | solidSF cloud | solidSF cloud | SSF single-tenant | GovCloud | GovCloud | GovCloud single-tenant |
| Auth & org / team | solidSF cloud | solidSF cloud | SSF single-tenant | GovCloud | GovCloud | GovCloud single-tenant |
| Geometry kernel compute | solidSF cloud | customer network | SSF single-tenant | GovCloud | customer enclave | GovCloud single-tenant |
| Model files / Vault / CUI | solidSF cloud | customer network | SSF single-tenant | GovCloud | customer enclave | GovCloud single-tenant |
| TLS termination | shared CDN edge | shared edge (UI) + customer origin (data) | SSF origin (mTLS) | GovCloud edge | GovCloud edge (UI) + enclave (data) | GovCloud origin (mTLS) |
| Compliance boundary | commercial | commercial + customer | commercial, isolated | CMMC / IL2 | CMMC / IL2 + customer | CMMC / IL2, isolated |
| Air-gap capable | no | partial | no | no | yes | no |
| Onboarding speed | minutes | days | days | days | weeks | days |
Constant across all six
What never changes
The product. Same browser CAD/CAE/CAM, same kernel, same agents, same updates — the deployment model only moves where data rests.
Credential isolation. A data plane on your network never receives solidSF cloud tokens; it authenticates users with short-lived, per-user signed session tokens minted by the control plane and verified locally.
Fail closed. A residency-controlled org will not open a workspace against the wrong plane — if the correct data plane can't be reached or proven, it refuses rather than silently falling back to cloud.
You own your team. The org owner adds and manages members and roles directly; seats and entitlements are the same in every model.
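An added example of the credential-isolation and fail-closed points above, not solidSF's own code: the control plane signs a short-lived per-user token, and a data-plane gateway verifies it locally while holding only the public key. The token layout, claim names, the choice of Ed25519 and identifiers such as `enclave-gw-1` and `org-42` are assumptions; the page does not specify them.

```javascript
// Added example: token layout, claim names and Ed25519 are assumptions.
const crypto = require("crypto");
const b64u = (buf) => Buffer.from(buf).toString("base64url");

// Control plane: mints a short-lived token bound to one user, org and data plane.
function mintSessionToken(privateKey, { sub, org, plane, ttlSec }, nowSec) {
  const payload = b64u(JSON.stringify({ sub, org, plane, exp: nowSec + ttlSec }));
  const sig = crypto.sign(null, Buffer.from(payload), privateKey);
  return `${payload}.${b64u(sig)}`;
}

// Data-plane gateway: holds only the control plane's PUBLIC key, so it can
// verify tokens but never mint them. Every failure path returns a denial.
function verifySessionToken(token, publicKey, expected, nowSec) {
  const deny = (reason) => ({ ok: false, reason });
  try {
    const parts = String(token).split(".");
    if (parts.length !== 2) return deny("malformed");
    const [payload, sig] = parts;
    const valid = crypto.verify(null, Buffer.from(payload), publicKey,
                                Buffer.from(sig, "base64url"));
    if (!valid) return deny("bad-signature");
    const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
    if (typeof claims.exp !== "number" || claims.exp <= nowSec) return deny("expired");
    if (claims.plane !== expected.plane) return deny("wrong-plane");
    if (claims.org !== expected.org) return deny("wrong-org");
    if (typeof claims.sub !== "string" || !claims.sub) return deny("no-subject");
    return { ok: true, user: claims.sub };
  } catch {
    return deny("error"); // fail closed on any parsing or crypto exception
  }
}

// Constructed demo values: two key pairs, one gateway identity, one user.
function demo() {
  const cp = crypto.generateKeyPairSync("ed25519");
  const rogue = crypto.generateKeyPairSync("ed25519");
  const now = 1700000000;
  const gw = { plane: "enclave-gw-1", org: "org-42" };
  const claims = { sub: "alice", org: "org-42", plane: "enclave-gw-1", ttlSec: 300 };
  const good = mintSessionToken(cp.privateKey, claims, now);
  return {
    good: verifySessionToken(good, cp.publicKey, gw, now + 10),
    expired: verifySessionToken(good, cp.publicKey, gw, now + 301),
    otherPlane: verifySessionToken(good, cp.publicKey, { ...gw, plane: "cloud" }, now),
    forged: verifySessionToken(mintSessionToken(rogue.privateKey, claims, now), cp.publicKey, gw, now),
    garbage: verifySessionToken("not-a-token", cp.publicKey, gw, now),
  };
}
console.log(demo());
```

Binding the token to a named plane is what lets a gateway refuse a token minted for a different plane instead of accepting any valid signature.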