SaaS Edition

GrandLine, fully managed.

Multi-tenant SaaS on AWS. MFA mandatory. Per-tenant KMS. Postgres row-level security. Your cloud credentials stay short-lived and read-only.

Why SaaS

Zero infrastructure to maintain. Upgrades and patches are ours.

Up in minutes

Contact sales, provision your tenant, enrol MFA, add a cloud role, watch discovery complete. No servers, no containers, no upgrades to plan.

Always current

New provider services, new security rules, new cost signals: you get them on merge, not on your next release train.

Predictable pricing

Three tiers. $0, $200, or $500 a month. Pay annually for two months off. No seat fees that explode when your team grows.

Tenant isolation, verified end to end

We treat isolation as a property of the system, not a feature of the app layer.

Row-level security in Postgres

Every tenant-scoped table has a tenant_id column and an RLS policy keyed to current_setting('app.current_tenant'). The ORM sets this session variable from the authenticated principal. A query that forgets to scope by tenant returns zero rows, not "most rows": the filter is enforced by Postgres, not by application code.
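
The pattern above, written out for Postgres as an added illustration (this is not GrandLine's schema or code; the table, role and tenant ids are placeholders). It includes the two details a reviewer looks for in an RLS setup: FORCE ROW LEVEL SECURITY, so the policy binds the table owner as well as the application role, and NULLIF around current_setting, so a connection whose tenant variable was never set, or reverted to the empty string after a SET LOCAL, fails closed with no rows instead of erroring on the uuid cast.

```sql
-- Added example, not GrandLine's code. Table, role and tenant ids are placeholders.

CREATE TABLE connectors (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    name        text NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- The application connects as a role that does not own the table and
-- cannot bypass RLS (NOBYPASSRLS is the default; stated here for clarity).
CREATE ROLE app_rw LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON connectors TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE connectors_id_seq TO app_rw;

ALTER TABLE connectors ENABLE ROW LEVEL SECURITY;
-- Without FORCE the owner is exempt, so a migration or admin job running
-- as the owner would see every tenant's rows.
ALTER TABLE connectors FORCE ROW LEVEL SECURITY;

-- USING filters what a statement can see; WITH CHECK stops an INSERT or
-- UPDATE from creating or moving a row into another tenant.
-- current_setting(name, true) returns NULL when the variable was never set
-- instead of raising; NULLIF also maps the empty string (left behind after a
-- SET LOCAL commits) to NULL. NULL = tenant_id is never true, so no rows match.
CREATE POLICY tenant_isolation ON connectors
    USING      (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.current_tenant', true), '')::uuid);

-- Per request: the ORM sets the variable inside the transaction.
-- is_local = true scopes it to this transaction, so a pooled connection
-- handed to the next request carries nothing over.
BEGIN;
SELECT set_config('app.current_tenant', '0f0d2d7e-5d5c-4c6e-9a3e-6b1f4c2a8d10', true);

INSERT INTO connectors (tenant_id, name)
    VALUES ('0f0d2d7e-5d5c-4c6e-9a3e-6b1f4c2a8d10', 'aws-prod');

-- An unscoped query (no WHERE tenant_id = ...) still only sees this tenant's rows.
SELECT id, name FROM connectors;

-- Writing a row for a different tenant is rejected by the WITH CHECK clause
-- ("new row violates row-level security policy"), so a bug in the caller
-- cannot plant data in another tenant.
-- INSERT INTO connectors (tenant_id, name)
--     VALUES ('8c1a2b3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d', 'smuggled');
COMMIT;

-- After COMMIT the variable is gone. The same unscoped query, run by app_rw
-- with no tenant set, returns no rows rather than every tenant's rows.
SELECT id, name FROM connectors;
```

When auditing a deployment like this, confirm that the application role is neither a superuser nor the table owner, that every tenant-scoped table has FORCE set (pg_class.relforcerowsecurity), and that the tenant variable is set with set_config(..., true) or SET LOCAL rather than a session-level SET.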

Per-tenant KMS envelope encryption

Secrets (connector credentials, report signing keys, webhook secrets) are encrypted with a per-tenant data key. The data key is wrapped by a tenant-scoped KMS key in the SaaS account. Revoking a tenant revokes the key.

Tenant-prefixed S3 layout

Object storage uses s3://grandline-sa-<region>/t/<tenant_id>/.... Bucket policies deny cross-tenant access and require TLS. Signed URLs are short-lived (15 minutes) and scoped to a single object.

Logical database, physical options

By default, all tenants share one Postgres cluster with RLS. Enterprise customers on regulated workloads can request a dedicated cluster or schema.

Authentication and MFA

MFA is mandatory. There is no "remember this device for 30 days" escape hatch.

Passwords

argon2id with 64 MiB memory and 3 iterations. Minimum 12 characters with a breach-list check. No rotation theater.

TOTP on every plan

Enrolled on first login. QR provisioning, 30-second window, recovery codes held as argon2id hashes.

WebAuthn on Enterprise

Security keys and platform authenticators. Can be required for the Owner role. SSO via SAML or OIDC optional for the rest of the org.

Read-only cloud access

We read your estate. We never write to it. We request only the minimum IAM permissions needed for discovery.

AWS

You create an IAM role that trusts our SaaS account, with an external ID in the trust condition to guard against confused-deputy misuse. We assume it via STS for short-lived credentials. AWS Organizations onboarding discovers member accounts automatically.

Azure

Entra federated credentials let our workload identity exchange tokens without client secrets. Management Group onboarding covers subscriptions beneath a root MG.

GCP

Workload Identity Federation, no service account keys. Organization and Folder onboarding covers projects in scope.

Data residency and privacy

Pick where your metadata lives.

US (default)

All tenants default to us-east-1. Backups replicated to us-west-2.

EU

Pro and Enterprise can elect eu-west-1 as the primary region. Data does not leave the EU for processing, backup, or support.

We only ingest cloud metadata: configuration, tags, cost line items. We do not read your application data, buckets, or logs.

When to choose SaaS

Honest guidance. SaaS isn't right for every estate.

Pick SaaS if

You want the fastest path to value, you're comfortable sending cloud metadata to a multi-tenant service in the US or EU, and you'd rather not operate another Kubernetes workload.

Pick Self-Hosted if

Your compliance regime (FedRAMP, classified, some GovCloud and sovereign-cloud cases) requires data to remain inside your boundary, or you want to run GrandLine inside the same VPC as the workloads it inspects.

Compare SaaS and Self-Hosted →