Outbound-only by design.

Built for regulated environments that cannot accept inbound firewall rules.

How it connects

[Diagram: How it connects]
Customer environment: AD, Okta, AWS, SaaS, PeopleSoft, legacy apps.
Hybrid Connector Gateway (HCG): customer-managed, inside your VPC; reaches out over outbound mTLS, no inbound rule; emits signed events (SHA-256, ECDSA).
Evidence storage: customer S3, in your AWS account and your region, customer-controlled.
Callouts: no inbound ports; customer-managed gateway; evidence stays in your account; BYO-KMS encryption; hash-chained audit trail; customer-controlled retention.

How it works — step by step

  1. The Hybrid Connector Gateway (HCG) is a lightweight agent that runs inside your network or VPC — entirely customer-managed.
  2. The HCG initiates all connections outbound over mTLS. No inbound listener. No inbound firewall rule. No VPN tunnel required.
  3. The gateway fans out revoke actions to the target systems (AD, Okta, AWS, Salesforce, etc.) and performs a read-back verification against each one to confirm the state change actually took effect.
  4. Execution status and policy metadata are sent to the SidentiQ control plane. Under the default configuration, no raw identity data leaves your environment.
  5. A signed, hash-chained Evidence Pack is written directly to your S3 bucket — in your AWS account, in your chosen region.
  6. Encryption keys and retention periods are entirely customer-controlled. SidentiQ cannot read evidence without customer-provided key access.
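As an added illustration of the hash-chained Evidence Pack from step 5 (example code, not SidentiQ's own code or pack format): each record commits to its predecessor's SHA-256, so a verifier catches any later edit to an earlier record, and the chain head stands in for the value the gateway's ECDSA signature would cover, which is what catches an edit to the final record. The record fields, target names and the `user-123` subject are constructed for the example.

```python
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # prev-hash of the first record in a pack


def _digest(seq: int, prev: str, event: dict) -> str:
    # Canonical JSON so the gateway and any later verifier hash identical bytes.
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def append_event(chain: list, event: dict) -> dict:
    """Append one revoke/read-back event, linking it to the previous record."""
    prev = chain[-1]["hash"] if chain else GENESIS
    record = {"seq": len(chain), "prev": prev, "event": event}
    record["hash"] = _digest(record["seq"], prev, event)
    chain.append(record)
    return record


def verify_chain(chain: list, signed_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, seq of first bad record). signed_head stands in for the
    ECDSA-signed head hash a verifier would check against the gateway's key."""
    prev = GENESIS
    for rec in chain:
        if rec["prev"] != prev or rec["hash"] != _digest(rec["seq"], rec["prev"], rec["event"]):
            return False, rec["seq"]
        prev = rec["hash"]
    if signed_head is not None and prev != signed_head:
        return False, len(chain) - 1  # every link is sound, but the head is not the signed one
    return True, None


def build_sample_chain() -> list:
    """Constructed sample pack: three revokes, each with its read-back result."""
    chain = []
    for target, action in [("okta", "revoke_sessions"), ("aws", "deactivate_access_key"),
                           ("ad", "disable_account")]:
        append_event(chain, {"target": target, "action": action,
                             "subject": "user-123", "read_back": "confirmed"})
    return chain


def rewrite_record(chain: list, seq: int, read_back: str) -> list:
    """Model an after-the-fact edit that also recomputes the edited record's hash."""
    rec = chain[seq]
    rec["event"]["read_back"] = read_back
    rec["hash"] = _digest(rec["seq"], rec["prev"], rec["event"])
    return chain
```

Editing a middle record breaks the next record's `prev` link; editing the last record passes link-by-link verification and is only caught by comparing the head to the signed value, which is why the signature over the head matters as much as the chain itself.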