Enterprise overview
What is and is not part of the AACsearch enterprise tier — controls, deployment options, procurement, and contact.
Enterprise overview
The Enterprise tier of AACsearch is for organizations that need contractual controls (DPA, SLA, security questionnaire) and a few features that the standard plans do not include — SAML/OIDC SSO, SCIM provisioning, and dedicated infrastructure.
This page is honest about what is generally available, what is custom, and what is roadmap. If a control you need is not on this list, please ask before assuming.
What you get on Enterprise
| Capability | Standard plans | Enterprise |
|---|---|---|
| Hashed API keys, scoped tokens, audit log | ✅ | ✅ (same engine) |
| Origin allow-list, tenant isolation | ✅ | ✅ (same engine) |
| Data residency (EU / US / RU) | ✅ | ✅ (same engine) |
| Encryption at rest (AES-256) and in transit (TLS 1.3) | ✅ | ✅ (same engine) |
| SAML 2.0 / OIDC SSO | — | ✅ (configured on request) |
| SCIM 2.0 provisioning | — | ✅ (self-serve once enabled) |
| Provisioning group → role rules | — | ✅ |
| Custom DPA, BAA, MSA | Standard DPA only | ✅ Custom-negotiable |
| Security questionnaire response | Self-serve docs | ✅ Filled by our team |
| Custom SLA (uptime, response, restore time) | 99.9 % shared | ✅ Negotiable |
| Named technical account manager | — | ✅ |
| Priority support (24/7 P1) | Business hours | ✅ |
| Dedicated cluster | — | 🟡 Available on request — see Dedicated cluster |
| Self-hosted / air-gapped | — | 🟡 Roadmap — see Dedicated cluster |
| White-label / OEM | — | 🟡 Roadmap |
Anything marked 🟡 is not a self-serve option you can buy from the dashboard. Talk to sales — we will tell you honestly whether your timeline matches what we can deliver.
Who Enterprise is for
You probably want Enterprise if any of these apply:
- Your security review process requires a signed DPA, MSA, and SOC 2 report — not a click-through.
- You need SAML or OIDC for sign-in, with provisioning controlled by your IdP.
- A search outage of more than 15 minutes costs you measurable revenue, and you need an SLA with a credit schedule, not best-effort uptime.
- Your compliance team requires a named contact for incident response.
- You need a dedicated cluster (no neighbors), or you are evaluating a private deployment.
You probably don't need Enterprise if you are happy with the standard DPA, 99.9 % shared SLA, and the security controls available to every plan. Most of the security model on the Security overview page is the same regardless of plan.
How to start
- Read the security and operational docs first. That gives you the technical baseline to compare against.
- Email
sales@aacsearch.comwith a short description of your use case, your data residency requirements, and any non-negotiables (SAML, dedicated cluster, custom SLA). - We'll schedule a 30-minute scoping call and respond to your security questionnaire within 5 business days.
- After scoping, we send a draft MSA + DPA. You can hand off to legal in parallel with a technical evaluation.
Typical time from first email to signed contract: 2–6 weeks, depending mostly on your side.
Procurement and compliance documents
The following are available on request, gated by an NDA:
- SOC 2 Type II report — see SOC 2 checklist for the current scope.
- Penetration test summary, latest available.
- Data flow diagram for the region you will deploy into.
- Sub-processor list with locations and purposes.
- Standard DPA (no NDA needed — request from
sales@aacsearch.com). - Standard security questionnaire (CAIQ-style; we can also fill SIG Lite).
See Procurement for the full process and document set.
Things we will not sign
- Liability terms that put us on the hook for indirect damages we cannot meaningfully control.
- "Right to audit" clauses that mean an unannounced on-site visit. We will accept "reasonable notice" right-to-audit clauses against the latest SOC 2 report.
- A custom SLA that we cannot operationally meet. We'd rather say no than promise something we'll miss.
We are happy to discuss alternatives for any of these. The point of being explicit is to save your legal team time on a clause we will eventually push back on anyway.
See also
- Security overview — all the controls available regardless of plan
- Procurement — the document set and the typical timeline
- Dedicated cluster — when you need to be the only neighbor