Security & BYOC

Data Residency

In BYOC (Bring Your Own Cloud) mode, your data never leaves your AWS account. SeqFlux communicates with your infrastructure via SQS and HTTPS callbacks only. Sample sheets, FASTQ files, pipeline outputs, and MultiQC reports all reside in your S3 buckets.

IAM Model

The SeqFlux Runner Agent runs in your ECS cluster with a role that has least-privilege access: SQS receive/delete, Batch SubmitJob, S3 read on inputs. The Batch job role has S3 read on inputs and S3 write on outputs. No cross-account access is required.

BYOC Boundary

The SeqFlux control plane (web UI + API) is hosted by SeqFlux. It stores workspace metadata, run records, and user accounts. Pipeline inputs and outputs stay in your AWS account. The control plane never accesses your S3 data directly.

HMAC Signing

Every RunRequest message sent to your SQS queue is signed with HMAC-SHA256. The Runner Agent verifies the signature before processing. Messages with an invalid or missing signature are rejected.
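
One way the verification step described above could look, as an added example that is not SeqFlux's own code. The attribute name `signature`, the hex encoding, signing the raw message body, and the sample field names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: the signature travels as a hex string in an SQS message
# attribute; this attribute name is hypothetical, not SeqFlux's.
SIGNATURE_ATTRIBUTE = "signature"


def sign_body(secret: bytes, body: str) -> str:
    """HMAC-SHA256 over the exact body bytes, hex-encoded."""
    return hmac.new(secret, body.encode("utf-8"), hashlib.sha256).hexdigest()


def verify_run_request(secret: bytes, message: dict):
    """Return the parsed RunRequest, or None if the message must be rejected.

    `message` has the shape boto3 returns from receive_message:
    {"Body": str, "MessageAttributes": {name: {"StringValue": str}}}.
    """
    attrs = message.get("MessageAttributes") or {}
    claimed = (attrs.get(SIGNATURE_ATTRIBUTE) or {}).get("StringValue")
    body = message.get("Body")
    if not isinstance(claimed, str) or not isinstance(body, str):
        return None  # missing signature or body: reject
    expected = sign_body(secret, body)
    # Constant-time comparison, done BEFORE parsing, so unauthenticated
    # input never reaches the JSON parser or the job-submission path.
    if not hmac.compare_digest(expected.encode(), claimed.encode()):
        return None
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


# Constructed sample data (not real SeqFlux values or field names).
SECRET = b"constructed-demo-secret"
BODY = json.dumps({"run_id": "run-0001", "pipeline": "demo"})
GOOD = {
    "Body": BODY,
    "MessageAttributes": {
        SIGNATURE_ATTRIBUTE: {"StringValue": sign_body(SECRET, BODY)}
    },
}
TAMPERED = dict(GOOD, Body=BODY.replace("demo", "other"))  # body changed, old MAC
UNSIGNED = {"Body": BODY}  # no signature attribute at all
```

The signature is computed over the body string exactly as received; re-serializing the JSON before verifying would change the bytes and break the check.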