Deployment Options

ASCEND offers flexible deployment models to fit your infrastructure requirements. Choose between SDK integration for maximum control or gateway integration for zero-code governance.

Architecture Overview

Architecture Diagram

┌─────────────────────────────────────────────────────────────────────────┐
│                         YOUR ENVIRONMENT                                 │
│                                                                          │
│    ┌──────────┐         ┌─────────────┐         ┌─────────────┐        │
│    │ AI Agent │────────▶│  ASCEND SDK │    OR   │ API Gateway │        │
│    └──────────┘         │ (3 lines)   │         │(Kong/Envoy) │        │
│                         └──────┬──────┘         └──────┬──────┘        │
│                                │                       │               │
└────────────────────────────────┼───────────────────────┼───────────────┘
                                 │                       │
                    ═════════════╪═══════════════════════╪═════════════
                                 │  TLS 1.3 / HTTPS      │
                                 │  Action Metadata Only │
                    ═════════════╪═══════════════════════╪═════════════
                                 │                       │
                                 ▼                       ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                          ASCEND CLOUD                                    │
│                                                                          │
│    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐    ┌────────┐ │
│    │ Risk Engine │───▶│Policy Engine│───▶│  Workflows  │───▶│ Audit  │ │
│    │ CVSS/NIST   │    │ Smart Rules │    │  Approvals  │    │  Log   │ │
│    └─────────────┘    └─────────────┘    └─────────────┘    └────────┘ │
│                                                                          │
└─────────────────────────────────────────────────────────────────────────┘

    CROSSES BOUNDARY:                    NEVER CROSSES:
    ✓ Action type, Agent ID              ✗ SQL queries, API payloads
    ✓ Timestamp, Risk context            ✗ Credentials, secrets
    ✓ Decision (approve/deny)            ✗ PII/PHI data

Deployment Comparison

Question	SaaS + SDK	SaaS + Gateway
Where does ASCEND run?	ASCEND Cloud	ASCEND Cloud
Agent code changes?	Yes (3 lines)	No
Time to first value	5 minutes	1 hour
Latency added	~15-50ms p50-p99	~20-60ms p50-p99
Best for	New agents, full control	Existing APIs, zero-code
MCP support	Native	Via gateway
Approval workflow	SDK handles polling	Webhook callbacks

Option 1: SaaS + SDK (Recommended)

Best for: New AI agents or agents you can modify.

Integration Code:

from ascend import AscendClient

# Initialize once
client = AscendClient(api_key=os.getenv("ASCEND_API_KEY"))

# Add to each action (3 lines)
decision = client.evaluate_action(
    action_type="database.query",
    resource="customer_db"
)
if decision.denied:
    return {"error": decision.reason}

# Your existing code continues unchanged
result = database.execute(query)

Option 2: SaaS + Gateway

Best for: Existing APIs you cannot modify.

Supported Gateways:

Gateway	Integration	Documentation
AWS API Gateway	Lambda Authorizer	Setup Guide
Kong	Custom Plugin	Kong Plugin
Envoy/Istio	ext_authz	Envoy Integration
NGINX	Auth subrequest	Contact support

What Crosses the Network Boundary?

Understanding data flow is critical for security reviews.

Example Request

What ASCEND receives:

{
  "agent_id": "financial-advisor-001",
  "action_type": "database.query",
  "resource": "customer_accounts",
  "environment": "production",
  "timestamp": "2026-01-21T10:30:00Z",
  "context": {
    "contains_pii": true,
    "data_classification": "confidential"
  }
}

What ASCEND NEVER receives:

{
  "sql_query": "SELECT * FROM accounts WHERE id = 12345",
  "customer_name": "John Smith",
  "account_balance": 50000.00,
  "ssn": "123-45-6789",
  "api_key": "sk-xxxx",
  "database_password": "..."
}

Data Boundary Summary

Data Type	Crosses Boundary?	Encryption	Storage
Action type	Yes	TLS 1.3 in transit	Logged
Agent ID	Yes	TLS 1.3 in transit	Logged
Timestamp	Yes	TLS 1.3 in transit	Logged
Risk score	Yes (returned)	TLS 1.3 in transit	Logged
Decision	Yes (returned)	TLS 1.3 in transit	Logged
Request payload	NO	N/A	Never stored
Response data	NO	N/A	Never stored
Credentials	NO	N/A	Never stored
PII/PHI	NO	N/A	Never stored

Network Requirements

Outbound Connectivity

Your environment needs outbound HTTPS access to ASCEND:

Destination	Port	Protocol	Purpose
`api.ascendowkai.com`	443	HTTPS (TLS 1.3)	API requests
`pilot.owkai.app`	443	HTTPS (TLS 1.3)	Pilot environment

Firewall Rules

# Allow outbound HTTPS to ASCEND
iptables -A OUTPUT -p tcp --dport 443 -d api.ascendowkai.com -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -d pilot.owkai.app -j ACCEPT

IP Allowlist

For IP-based firewall rules, contact support for current IP ranges.

High Availability

ASCEND Cloud SLA

Metric	Target	Measurement
Uptime	99.9%	Monthly
API Latency (p50)	< 50ms	Per request
API Latency (p99)	< 150ms	Per request
RTO	4 hours	Disaster recovery
RPO	1 hour	Data recovery

Failover Behavior

Configure SDK fail mode for your availability requirements:

from ascend import AscendClient, FailMode

# Security-first (recommended for production)
client = AscendClient(
    api_key="...",
    fail_mode=FailMode.CLOSED  # Block if ASCEND unavailable
)

# Availability-first (for development/testing)
client = AscendClient(
    api_key="...",
    fail_mode=FailMode.OPEN  # Allow if ASCEND unavailable
)

Multi-Region Deployment

Current Availability

Region	Status	Endpoint
US East (N. Virginia)	Production	`api.ascendowkai.com`
EU (Frankfurt)	Coming Q2 2026	`eu.api.ascendowkai.com`
APAC (Singapore)	Coming Q3 2026	`ap.api.ascendowkai.com`

Data Residency

For EU data residency requirements, contact sales@ascendowkai.com.

Security Architecture

Security Controls by Layer

Layer	Controls	Implementation
Network	WAF, DDoS protection, VPC isolation	AWS Shield, WAF rules
Transport	TLS 1.3, HSTS, certificate pinning	ALB, SDK
Authentication	API key (SHA-256), JWT (RS256), MFA	Cognito, custom auth
Authorization	RBAC (6 levels), RLS	PostgreSQL RLS, middleware
Data	AES-256 encryption, BYOK	AWS KMS, customer keys
Audit	Immutable logs, hash-chain	WORM S3, PostgreSQL

Integration Decision Matrix

Use this matrix to choose your integration approach:

Scenario	Recommended	Reason
Building new AI agent	SDK	Full control, native integration
Existing API endpoints	Gateway	Zero code changes
MCP server	SDK	Native MCP support
LangChain agent	SDK	LangChain callback support
High-volume (>1000 rps)	Gateway	Lower latency, connection pooling
Strict latency (<10ms)	Gateway	Async evaluation
Multi-language agents	Gateway	Language-agnostic
Need approval workflows	SDK	Built-in polling/webhooks

Next Steps

Adoption Path — Day-1 to Day-30 implementation guide
Quick Start — Get your first agent governed in 5 minutes
SDK Installation — Full SDK setup guide
Gateway Integration — Zero-code options

Last Updated: 2026-01-21

Architecture Overview​

Architecture Diagram​

Deployment Comparison​

Option 1: SaaS + SDK (Recommended)​

Option 2: SaaS + Gateway​

What Crosses the Network Boundary?​

Example Request​

Data Boundary Summary​

Network Requirements​

Outbound Connectivity​

Firewall Rules​

IP Allowlist​

High Availability​

ASCEND Cloud SLA​

Failover Behavior​

Multi-Region Deployment​

Current Availability​

Data Residency​

Security Architecture​

Security Controls by Layer​

Integration Decision Matrix​

Next Steps​