TL;DR
- B2B vendors face a structural tradeoff: multi-tenant SaaS is fast to build but carries cross-tenant data risk; pure on-prem is secure but expensive to support.
- Splitting the architecture into a control plane (stays in the vendor’s cloud) and a data plane (runs in the customer’s own cloud account) resolves both problems at once.
- PlanetScale runs its database data plane inside the customer’s AWS or GCP account, connected to its control plane through AWS PrivateLink or GCP Private Service Connect.
- Tailscale keeps device-to-device traffic on direct WireGuard connections; its coordination server only handles identity verification and key distribution – it never touches user data.
- The common thread across both implementations: an encrypted, auditable channel that gives the vendor zero direct access to customer data while still allowing centralized updates and monitoring.
- This pattern – often called Cloud-Prem or BYOC – is becoming the default architecture choice for B2B vendors selling into regulated industries and security-conscious enterprises.

Every B2B infrastructure vendor eventually runs into the same wall: enterprise customers want SaaS-level velocity, but their security teams won’t approve a platform where customer data sits in someone else’s multi-tenant database. The vendor either slows down to satisfy procurement, or ships fast and hopes the security review goes smoothly. Neither option is good, and the tension between the two has shaped a specific architectural pattern that’s worth examining closely.
PlanetScale and Tailscale are two of the clearer public examples of how this gets solved in practice. Both split their systems into a control plane and a data plane, placing the sensitive half of the system inside the customer’s own infrastructure while keeping the management layer centralized. The split isn’t a marketing term – it’s a specific, well-documented architectural decision with real engineering tradeoffs, and it’s worth understanding exactly how it works.
