BYOB Storage¶
Bring Your Own Bucket (BYOB) allows enterprises to store documents in their own cloud storage infrastructure while using Archivus for intelligence and processing.
Why BYOB Storage?¶
Data Sovereignty¶
Your documents never leave your infrastructure. Archivus processes metadata and AI insights, but the actual files remain in storage you control.
Compliance Requirements¶
Many regulations require data to remain within specific jurisdictions or infrastructure:
- HIPAA - Healthcare data residency requirements
- GDPR - EU data protection requirements
- FedRAMP - US government data handling
- PCI DSS - Payment card industry standards
- Industry-Specific - Financial services, legal, defense
Existing Infrastructure¶
Leverage your existing cloud storage investments and security controls rather than duplicating data.
Supported Storage Providers¶
S3-Compatible Storage¶
Any storage that implements the S3 API:
| Provider | Notes |
|---|---|
| AWS S3 | Full feature support |
| MinIO | On-premises or cloud |
| Ceph | Open-source, self-hosted |
| Backblaze B2 | Cost-effective alternative |
| Wasabi | Hot storage pricing |
| DigitalOcean Spaces | Simple setup |
Cloud Provider Native¶
| Provider | Service |
|---|---|
| Azure | Blob Storage |
| Google Cloud | Cloud Storage |
| Oracle Cloud | Object Storage |
On-Premises¶
| Option | Use Case |
|---|---|
| MinIO | S3-compatible local storage |
| Ceph | Distributed storage cluster |
| Local Filesystem | Air-gapped deployments |
| NFS/SMB | Network attached storage |
Architecture¶
graph LR
subgraph "Your Infrastructure"
S[(Your Storage)]
end
subgraph "Archivus"
A[Upload Handler] --> B[Processor]
B --> C[AI Pipeline]
C --> D[(Metadata DB)]
end
A --> S
B <--> S
S --> CHow It Works¶
- Upload Request - Document upload initiated through Archivus
- Direct Upload - File streams directly to your storage bucket
- Processing - Archivus retrieves file for AI processing
- Metadata Storage - Only metadata and AI insights stored in Archivus
- Access - Downloads served from your storage
What Archivus Stores¶
| In Your Storage | In Archivus |
|---|---|
| Original documents | Document metadata |
| File content | AI-extracted text |
| Versions | Search indexes |
| Thumbnails (optional) | Knowledge graph entities |
| User activity logs |
Configuration¶
S3-Compatible Storage¶
Configure your storage backend with these settings:
storage:
type: s3
bucket: your-archivus-bucket
region: us-east-1
endpoint: https://s3.amazonaws.com # Or your MinIO/custom endpoint
path_style: false # Set true for MinIO
Required Permissions¶
Your storage credentials need these permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::your-archivus-bucket",
"arn:aws:s3:::your-archivus-bucket/*"
]
}
]
}
Encryption Options¶
Storage provider encrypts at rest:
- SSE-S3 - AWS-managed keys
- SSE-KMS - Customer-managed keys
- SSE-C - Customer-provided keys
Archivus encrypts before upload:
- AES-256 encryption
- Key management in your KMS
- Zero-knowledge to storage provider
Security Considerations¶
Network Security¶
- VPC Endpoints - Private connectivity without internet exposure
- IP Allowlisting - Restrict access to Archivus IP ranges
- TLS 1.3 - Encrypted data in transit
Access Control¶
- IAM Roles - Prefer role-based access over static credentials
- Temporary Credentials - STS tokens with automatic rotation
- Bucket Policies - Restrict access to Archivus service accounts
Audit Trail¶
- CloudTrail/Logging - Enable access logging on your bucket
- Archivus Logs - All file access logged with user context
- Compliance Reports - Exportable access reports
Multi-Region Setup¶
For global deployments, configure storage per region:
storage:
regions:
us:
bucket: archivus-us-prod
region: us-east-1
eu:
bucket: archivus-eu-prod
region: eu-west-1
apac:
bucket: archivus-apac-prod
region: ap-southeast-1
Documents are automatically stored in the region closest to the uploading user, with routing based on tenant configuration.
Migration¶
From Archivus-Managed Storage¶
If you're moving from Archivus-managed storage to BYOB:
- Enable BYOB - Configure your storage backend
- Migration Job - Archivus copies existing documents
- Verification - Validate all documents transferred
- Cutover - New uploads go directly to your storage
- Cleanup - Remove documents from Archivus storage
From Other Systems¶
When migrating from other document systems to Archivus with BYOB:
- Direct Upload - Migrate directly to your storage bucket
- Index Only - Tell Archivus to index existing documents
- Metadata Mapping - Preserve folder structure and metadata
Pricing¶
BYOB storage is available on Team and Enterprise tiers:
| Tier | BYOB Storage |
|---|---|
| Free | Not available |
| Starter | Not available |
| Pro | Not available |
| Team | Included |
| Enterprise | Included |
You pay your cloud provider for storage; Archivus charges only for processing.
Next Steps¶
- BYOB AI - Use your own AI models
- Deployment Options - Choose your deployment model
- Compliance - Security and compliance certifications