At a glance
Enterprise clients can opt to run their NEXT AI Workspaces in dedicated AWS accounts to achieve physical separation. Each workspace has its own compute and data resources (e.g., DynamoDB tables, Lambda functions) and is provisioned through centralized deployment tooling—delivering strong tenant isolation by design.
Prefer the multi-tenant (logically separated) tier? See Logical data separation for how NEXT AI enforces tenant boundaries in shared infrastructure (token scoping plus API-level checks).
How it works
One workspace → one AWS account: account-level isolation is a hard boundary in AWS, which limits blast radius and enforces clear permission guardrails.
Per-account resources: application services (e.g., DynamoDB, Lambda) and APIs are instantiated separately for each Enterprise account.
Centralized deployment: NEXT uses central tooling to consistently provision and manage tenant-specific environments across many accounts.
Access & monitoring: Production access is tightly controlled and logged; CloudWatch/CloudTrail monitor operations for anomaly detection and audit.
Benefits of physical separation
Strong isolation & reduced blast radius: account boundaries confine faults or misconfigurations to a single tenant.
Compliance & audits: per-tenant accounts simplify evidence collection and least-privilege enforcement across roles and services.
Operational clarity: separate environments make incident response and forensics cleaner, with tenant-scoped logs and controls.
If dedicated accounts aren’t required, Logical data separation explains how NEXT enforces strong isolation in the multi-tenant tier.
Local data residency
Enterprise customers can choose the AWS Region that hosts their physically separated workspace (EU and non-EU options). See Data processing location (data residency) for the current region list and residency notes.
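The two guardrails this page describes, one account per workspace and a customer-chosen Region, are both things a defender can verify mechanically. The example below is added here for illustration and is not NEXT AI's deployment tooling: it assumes a workspace manifest of resource ARNs, the account ID the workspace was provisioned in, and the Regions the customer selected, all of which are constructed sample values. It flags any resource that drifted into another account or Region, and builds the Service Control Policy shape AWS documents for Region restriction (the `aws:RequestedRegion` condition key), with a small evaluator to show which calls it denies.

```python
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample values: the account ID, Region list and ARNs below are
# invented for this example and do not describe NEXT AI's real environment.
WORKSPACE_ACCOUNT = "111122223333"
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]
WORKSPACE_RESOURCES = [
    "arn:aws:dynamodb:eu-west-1:111122223333:table/workspace-acme-sessions",
    "arn:aws:lambda:eu-west-1:111122223333:function:workspace-acme-api",
    "arn:aws:iam::111122223333:role/workspace-acme-exec",  # global service: no Region
    "arn:aws:s3:::workspace-acme-artifacts",  # global service: no Region, no account
    "arn:aws:lambda:us-east-1:111122223333:function:workspace-acme-api",  # residency drift
    "arn:aws:dynamodb:eu-west-1:444455556666:table/workspace-acme-sessions",  # wrong account
]


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split 'arn:partition:service:region:account:resource'. The resource
    field may itself contain ':', so split at most five times."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def check_workspace(resources: List[str], expected_account: str, allowed_regions: List[str]) -> List[str]:
    """Return one finding per resource that sits outside the dedicated account
    or outside the customer's chosen Regions. IAM and S3 ARNs leave the Region
    (and, for S3, the account) empty, so an empty field is skipped, not flagged."""
    findings = []
    for raw in resources:
        arn = parse_arn(raw)
        if arn.account and arn.account != expected_account:
            findings.append(f"account drift: {raw} is in {arn.account}, expected {expected_account}")
        if arn.region and arn.region not in allowed_regions:
            findings.append(f"residency drift: {raw} is in {arn.region}, allowed {allowed_regions}")
    return findings


# Services whose API calls are not Region-scoped and must stay reachable. AWS's
# published example exempts more services; this subset shows the policy shape.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]


def region_guardrail_scp(allowed_regions: List[str]) -> Dict:
    """Build a Service Control Policy that denies every Region-scoped API call
    outside the allowed Regions, keyed on the aws:RequestedRegion condition."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": allowed_regions}},
        }],
    }


def denied_by_guardrail(scp: Dict, action: str, region: str) -> bool:
    """Minimal evaluator for the single Deny statement above: a call is denied
    when its action is not exempted and its Region is not on the allow-list."""
    stmt = scp["Statement"][0]
    exempt = any(action.startswith(pattern[:-1]) for pattern in stmt["NotAction"] if pattern.endswith("*"))
    allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
    return not exempt and region not in allowed


if __name__ == "__main__":
    for finding in check_workspace(WORKSPACE_RESOURCES, WORKSPACE_ACCOUNT, ALLOWED_REGIONS):
        print(finding)
    print(json.dumps(region_guardrail_scp(ALLOWED_REGIONS), indent=2))
```

Run against the constructed manifest, the check reports exactly two findings (the Lambda function in us-east-1 and the DynamoDB table owned by another account) and leaves the global IAM and S3 resources alone; the SCP evaluator denies `dynamodb:PutItem` in us-east-1 but allows it in eu-west-1 and never blocks `iam:CreateRole`. In a real setup the ARN list would come from an inventory source such as AWS Config, and the SCP would be attached at the organizational unit holding the dedicated accounts.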
Related topics
Logical data separation (Free tier, multi-tenant)
Data processing location (data residency)
FAQ
Q: What’s the difference between physical and logical separation at NEXT AI?
By default, Workspaces use logical separation in a shared, multi-tenant environment; Enterprise Workspaces can be upgraded to physical separation in a dedicated AWS account.
Q: Does every Enterprise Workspace really get its own AWS account?
Yes. If a customer selects physical separation, each of their workspaces is provisioned in its own AWS account, with its own application services (e.g., DynamoDB, Lambda) and APIs.
Q: How does this improve security?
In AWS, an account is a hard boundary. Using separate accounts limits blast radius and lets NEXT AI apply strict permission guardrails and monitoring per tenant.
Q: Can we keep our Enterprise Workspace in the EU (or another region)?
Yes. Enterprise customers choose the hosting Region; see Data processing location (data residency) for the up-to-date list and guidance.
Q: How is access to production managed across many accounts?
Production access is approval-based and temporary, with CloudWatch/CloudTrail logging and alerting for investigation and audit.
Q: Do customers need physical separation, or is logical separation enough?
Many customers use logical separation (multi-tenant) with strong token + API enforcement. When a hard boundary is required (e.g., strict blast-radius limits), physical separation provides a dedicated AWS account per workspace.
Q: Where can I read more about isolation best practices?
See AWS guidance on account management and separation for workload isolation and guardrails.