[ezekg]

Sounds overly complicated. Use at-work encryption (i.e. encrypt it in the database), on top of encryption in-transit and at-rest, hosted/managed by a reputable database vendor. If that won't fly, then I agree with the (enterprise) self-hosted offering another commenter mentioned.

[alliewithane]

The problem is that I cannot do that. I need to run code on the data which means I can access the data theoretically any time and thus my client is super uncomfortable with that considering I need to access their code base.

[ezekg]

Are they uncomfortable with you accessing their data, or are they uncomfortable with you storing their data unencrypted, risking their IP in case of a breach? Two different things.

The former means they aren't a fit for SaaS (i.e. offer self-hosting), and the latter means you can use at-work encryption, only decrypting the data to process it.

Without more info on what you're actually building, I can't really be of more help here.

[alliewithane]

It's the latter. It's pretty much an agent for their GitHub repo. The agent needs access to their code and keeps some kind of knowledge that it generated in a tree database. Wouldn't it be considered a red flag that I can access their data whenever I want? If I used at-work encryption that just means that I have the ability to access to data whenever I want. However if they did some sort of self-hosting then I can only access it temporarily via APIs and thus I can only access the data temporarily when &they want.