The EZ4Youtech platform

Multi-tenant BYOK SaaS — one secure workspace per client. How it works · Security · Pricing

How the platform works

Three roles — one isolated tenant per business. Each tenant gets 20 workspace apps (by plan) plus 10 industry workflows for one vertical — Browse the full catalog.

Platform operator

Creates client workspaces from the operations console
Sets industry vertical and plan (Basic / Standard / Elite / Enterprise)
Controls which catalog apps are Live vs coming soon
Provisions tenant admins and team sign-ins

Client admin (setup)

One-time BYOK setup — OpenAI, Together, or Anyscale keys
Encrypted credentials stored per tenant; never logged
No day-to-day workspace or industry apps on this login

Team members (daily use)

Run structured AI apps — forms and tuned prompts, not open chat
Plan tier unlocks seats and catalog depth (2+3+5 per 10-app pack)
Upload, draft, summarize, and extract inside tenant boundaries

Typical rollout

Provision — Operator creates the tenant, industry, and plan.
BYOK — Client admin adds provider keys (required for pilots and production).
Team access — Agents sign in; they see only apps their plan unlocks.
Run workflows — Complete the job in the app built for that task.

Pilot launch waives the platform fee for 2 months; BYOK applies from day one.

Security at a glance

Built for client-facing and regulated work. We describe an enterprise-ready architecture. We do not claim SOC 2, ISO 27001, or HIPAA unless agreed in a signed contract.

BYOK — your API keys, encrypted per tenant; never logged
Tenant isolation — tenant_id on every JWT-backed request and storage path
Role separation — admins configure keys; agents run apps without handling secrets
No data resale — subscription revenue only; prompts not sold for ads or model training

Core security controls

How we protect tenant data and credentials in the live application.

Authentication & access

JWT with tenant_id, plan, and role on every API call
bcrypt password hashing; login rate limiting per IP
RBAC — superadmin, partner, tenant admin, agent
Plan gating — app catalog and agent seats enforced server-side

BYOK & data handling

Fernet-encrypted provider keys in MongoDB Atlas
Keys decrypted only for outbound provider requests
Uploads and run history under tenant_id/ storage paths
Production security headers (HSTS, X-Frame-Options, Referrer-Policy)

Agent request flow

Agent signs in → JWT with tenant_id and plan.
App catalog loaded per plan; admin BYOK keys already configured.
Run submitted → API decrypts tenant key, calls provider, stores result under tenant scope.
Usage recorded for dashboards — not resold to third parties.

Deeper diagrams: Architecture & security guide · Security FAQ

Technology stack & operations

For IT and security reviewers — USA production posture (May 2026).

Azure production stack — Container Apps + Key Vault + Blob Storage
MongoDB Atlas — tenants, users, usage, and encrypted BYOK credentials
BYOK routing — OpenAI / Together / Anyscale via tenant-owned keys
Tenant isolation — enforced by tenant_id across API and storage paths

Production stack

Layer	Technology	Role
Edge	HTTPS, CDN	TLS for marketing site and platform hostname
Application	FastAPI + Streamlit	REST API and agent/admin UI
Compute	Azure Container Apps	Managed runtime, tagged releases
Secrets	Azure Key Vault	JWT key, encryption key, Mongo URI — not in git
Database	MongoDB Atlas (M10)	Tenants, users, encrypted BYOK, usage
Storage	Azure Blob	Tenant-scoped documents and artifacts
AI (BYOK)	OpenAI, Together, Anyscale	Customer keys; billed on your provider account

Security & data protection

Area	Practice
Data in transit	TLS 1.2+ end-to-end
Secrets at rest	Fernet encryption for BYOK keys
Tenant isolation	API checks + `tenant_id/` blob paths
Logging	No keys, passwords, or raw prompts in app logs
Ops	Azure Monitor; Atlas backups; blob soft-delete