White-Label
Multi-tenant branding, per-org configuration, data isolation, and how white-label partners use SecureGate
Overview
SecureGate supports white-label deployment through Satschel IAM's multi-tenant organization model. Each white-label partner (org) gets their own branding, domain, feature flags, and data isolation — all running on shared infrastructure.
Branding Configuration
Org-specific branding is resolved at boot time from IAM or environment variables:
| Source | Priority | Configuration |
|---|---|---|
| IAM | 1 (highest) | GET /api/v1/orgs/[org]/branding |
| Environment variables | 2 | APP_NAME, APP_URL, APP_LOGO_URL, APP_SENDER_NAME, APP_SENDER_ADDRESS |
| Defaults | 3 | "SecureGate", securegate.dev.satschel.com |
Branding populates the hanzo/base Settings.Meta, which controls:
- Admin UI title and logo
- Email templates (sender name, address, logo)
- API response metadata
- Dashboard theming
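As an added example (not code from SecureGate or hanzo/base), the following Go resolver applies the precedence in the table above field by field: a value from the IAM branding response wins, then the `APP_*` environment variables, then the defaults. The `Branding` struct, the field-wise merge and the `Source` tag are assumptions made for this example; the real `Settings.Meta` type may be shaped differently.

```go
package main

import (
	"fmt"
	"os"
)

// Branding carries the fields the page lists as env-configurable. The struct,
// and the field-wise merge below, are assumptions for this example; the real
// hanzo/base Settings.Meta type may be shaped differently.
type Branding struct {
	Name          string
	URL           string
	LogoURL       string
	SenderName    string
	SenderAddress string
	Source        string // which layer supplied Name: "iam", "env" or "defaults"
}

// defaults is the lowest-priority layer (priority 3 in the table above).
var defaults = Branding{
	Name:   "SecureGate",
	URL:    "securegate.dev.satschel.com",
	Source: "defaults",
}

// Getenv abstracts os.Getenv so the resolver can run with constructed input.
type Getenv func(string) string

// firstNonEmpty returns the first non-empty candidate, i.e. the highest
// priority layer that actually set the field.
func firstNonEmpty(vals ...string) string {
	for _, v := range vals {
		if v != "" {
			return v
		}
	}
	return ""
}

// ResolveBranding merges the three layers at boot. iam is the decoded body of
// GET /api/v1/orgs/[org]/branding; nil models an org without IAM branding or a
// lookup that failed, in which case env vars and defaults are still applied.
func ResolveBranding(iam *Branding, env Getenv) Branding {
	var fromIAM Branding
	if iam != nil {
		fromIAM = *iam
	}
	out := Branding{
		Name:          firstNonEmpty(fromIAM.Name, env("APP_NAME"), defaults.Name),
		URL:           firstNonEmpty(fromIAM.URL, env("APP_URL"), defaults.URL),
		LogoURL:       firstNonEmpty(fromIAM.LogoURL, env("APP_LOGO_URL"), defaults.LogoURL),
		SenderName:    firstNonEmpty(fromIAM.SenderName, env("APP_SENDER_NAME"), defaults.SenderName),
		SenderAddress: firstNonEmpty(fromIAM.SenderAddress, env("APP_SENDER_ADDRESS"), defaults.SenderAddress),
	}
	// Record where the display name came from so boot logs show which layer won.
	switch {
	case fromIAM.Name != "":
		out.Source = "iam"
	case env("APP_NAME") != "":
		out.Source = "env"
	default:
		out.Source = "defaults"
	}
	return out
}

func main() {
	// Stand-alone run: no IAM response, the real environment, defaults as fallback.
	b := ResolveBranding(nil, os.Getenv)
	fmt.Printf("%s (%s) branding from %s\n", b.Name, b.URL, b.Source)
}
```

Resolving each field independently means a partner whose IAM branding sets only a logo still inherits the sender address from the environment rather than an empty string, which is the failure an all-or-nothing merge would produce in outgoing mail.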
Per-Org Configuration
Each white-label org can customize:
| Setting | Description | Example |
|---|---|---|
| Domain | Custom domain for the dashboard | security.acme-events.com |
| Logo | Logo URL (wordmark recommended) | https://cdn.acme.com/logo.svg |
| Colors | Primary and accent colors | #1a1a2e, #e94560 |
| Features | Enabled feature flags | weapon detection, deepfake, enhance |
| Detection thresholds | Default confidence thresholds | face match: 0.65, weapon: 0.30 |
| Retention | Data retention period | 90 days |
Domain Routing
White-label domains are routed via Hanzo Ingress SNI-based routing:

```
security.acme-events.com
|
v
Hanzo Ingress (TLS termination, SNI routing)
|
v
Hanzo Gateway (resolves org from hostname -> X-Org-Id: acme-events)
|
v
Same API Gateway (multi-tenant, stateless)
```

- DNS: Point the custom domain to the Hanzo Ingress load balancer IP.
- TLS: Certificates are auto-provisioned via Let's Encrypt.
- IAM: Register the domain in the org's IAM configuration.
- Gateway: Hostname-to-org mapping resolves the tenant context.
Data Isolation
White-label orgs receive the same isolation guarantees as any tenant:
| Level | Isolated | Mechanism |
|---|---|---|
| Org | Branding, features, billing, encryption root | IAM org config + OEK in HSM |
| Tenant | Customer data, events, embeddings | Separate SQLite DB + TEK |
| Customer | Face embeddings, PII | Per-customer CEK |
| Storage | Face crops, enhanced images | Per-tenant S3 prefix + CEK encryption |
A white-label partner cannot access another partner's data. The isolation is enforced at every layer:
- IAM: JWT contains org claim. Gateway injects X-Org-Id.
- Database: Each tenant has separate SQLite files.
- Encryption: Each org has its own OEK in HSM. Each tenant has its own TEK.
- Storage: S3 prefixes are scoped by tenant ID.
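The routing flow in the Domain Routing section and the IAM layer of the isolation list above meet in the Gateway: it resolves the org from the hostname and sets X-Org-Id, and the JWT independently carries an org claim. The Go middleware below, an added example rather than Hanzo Gateway code, shows how a defender would wire those two facts together: the client's own X-Org-Id is discarded, unknown hostnames fail closed, and a token whose org claim disagrees with the hostname's org is refused. The `hostToOrg` entries, the claim name `org`, and the `claimsFrom` dependency (standing in for whatever verifies the bearer token) are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// hostToOrg is the hostname-to-org mapping the Gateway consults. These two
// entries are constructed for the example; in the real system the mapping is
// populated from the domains registered in each org's IAM configuration.
var hostToOrg = map[string]string{
	"security.acme-events.com":    "acme-events",
	"securegate.dev.satschel.com": "satschel",
}

var (
	ErrUnknownHost  = errors.New("hostname not registered to any org")
	ErrMissingClaim = errors.New("JWT has no org claim")
	ErrOrgMismatch  = errors.New("JWT org claim does not match hostname org")
)

// normalizeHost lowercases the Host header and drops any port so that
// "Security.Acme-Events.com:443" matches the registered domain.
func normalizeHost(h string) string {
	h = strings.ToLower(strings.TrimSpace(h))
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return h
}

// ResolveOrg maps the request hostname to an org id and fails closed on
// hosts that no org has registered.
func ResolveOrg(host string) (string, error) {
	org, ok := hostToOrg[normalizeHost(host)]
	if !ok {
		return "", ErrUnknownHost
	}
	return org, nil
}

// CheckOrgClaim enforces the cross-layer rule: the org claim inside the JWT
// must name the same org the hostname resolved to. claims is the decoded
// payload of a token whose signature was already verified upstream; signature
// verification is outside this example.
func CheckOrgClaim(claims map[string]any, hostOrg string) error {
	claimOrg, ok := claims["org"].(string)
	if !ok || claimOrg == "" {
		return ErrMissingClaim
	}
	if claimOrg != hostOrg {
		return ErrOrgMismatch
	}
	return nil
}

// TenantContext is the gateway middleware. claimsFrom is whatever the
// deployment uses to verify the bearer token and return its claims (a
// placeholder dependency here). Any X-Org-Id the client sent is discarded
// before the gateway sets its own, so the header seen downstream is always
// derived from the hostname and confirmed by the token.
func TenantContext(next http.Handler, claimsFrom func(*http.Request) (map[string]any, error)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("X-Org-Id") // never trust a tenant header from the client

		org, err := ResolveOrg(r.Host)
		if err != nil {
			http.Error(w, "unknown host", http.StatusNotFound)
			return
		}
		claims, err := claimsFrom(r)
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if err := CheckOrgClaim(claims, org); err != nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		r.Header.Set("X-Org-Id", org)
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Stand-alone run: exercise the pure resolution and cross-check logic.
	for _, host := range []string{"security.acme-events.com:443", "unregistered.example"} {
		org, err := ResolveOrg(host)
		fmt.Printf("%-30s -> org=%q err=%v\n", host, org, err)
	}
	fmt.Println(CheckOrgClaim(map[string]any{"org": "satschel"}, "acme-events"))
}
```

Deleting the inbound X-Org-Id before anything else is the detail worth checking in any gateway that injects tenant headers: downstream services treat the header as authoritative, so the only place it may originate is this middleware. The claim cross-check catches the other direction, a valid token for one partner presented on another partner's domain, and is cheap enough to run on every request.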
How White-Label Partners Use SecureGate
1. Onboarding
```
Partner signs white-label agreement
|
v
IAM creates org for partner
+-- Branding (logo, domain, colors)
+-- Feature flags (which capabilities enabled)
+-- OEK generated in HSM
|
v
Partner gets admin dashboard at their domain
+-- Create tenants (their customers)
+-- Configure per-tenant settings
+-- Manage users and roles
```

2. Tenant Setup
The partner creates tenants for their customers:
```
Partner Org: Acme Events
+-- Tenant: Madison Square Garden
|   +-- Events, cameras, attendees
|   +-- Own TEK, own CEK per customer
+-- Tenant: Staples Center
|   +-- Events, cameras, attendees
|   +-- Own TEK, own CEK per customer
```

3. Daily Operations
- Partner's operators use the branded dashboard at their custom domain
- All API calls carry the partner's org context via JWT
- Events, cameras, and attendees are scoped to the partner's tenants
- Detection results and timeline data are isolated per tenant
4. Billing
White-label billing is per-org:
| Component | Billing Model |
|---|---|
| Platform fee | Monthly SaaS fee to partner |
| Face detections | Per-detection metered |
| Enhance jobs | Per-job metered |
| Storage | Per-GB for face crops and enhanced images |
| Cameras | Per-concurrent-stream |
Self-Hosted Option
For partners requiring on-premises deployment:
- Deploy the same K8s manifests to the partner's cluster
- Configure IAM to use the partner's IdP (SAML/OIDC federation)
- Point Hanzo KMS to the partner's HSM (or use software KMS with reduced security guarantees)
- All data stays within the partner's infrastructure
Self-hosted deployments use the same images and configuration as the SaaS deployment. The only differences are infrastructure endpoints (KMS, HSM, S3, IAM).