Skip to main content
OdinLabs
ProductInnovation SprintPricingDocsSecurity
  • Product
  • Innovation Sprint
  • Pricing
  • Docs
  • Security

No credit card required

Built in the Netherlands • Get started

  • Your data never leaves your infrastructure
  • ·Built in the Netherlands
  • ·EU jurisdiction by default
  • ·Open source core
OdinLabs

ODIN is AI you own. Deploy on your infrastructure, structure your organizational knowledge, and scale your team's capabilities. Built by Odin Labs in the Netherlands.

Product

  • How It Works
  • Use Cases
  • Pricing
  • Product

Company

  • About Us
  • Contact
  • Partners
  • Blog

Resources

  • Documentation
  • Integrations
  • Compare Tools
  • Security

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy

© 2026 Odin Labs Projects B.V. — Amsterdam, Netherlands. All rights reserved.

Designed for environments with audit, governance, and on-prem requirements.

  1. docs
  2. /
  3. Concepts

Sovereign Cloud Workspace overview

Composition, deployment model, and the per-tenant network isolation that makes the workspace sovereign.

Last updated · 2026-06-04

The Sovereign Cloud Workspace (SCW) is the surface where AI-driven development actually happens on Odin. Your developers open a browser, log in, and operate inside a per-tenant environment that ships with code-server, the Odin Agent Runtime, and a workspace CLI bridge — all on infrastructure you control.

Composition

The workspace is composed from three primitives. Each is its own audit surface; they cooperate via a shared governance contract.

  • code-server — VS Code in the browser, running as uid 1000 on a per-tenant Docker network. Workspace volume survives restarts. Reachable at code.<tenant>.<cloud>.
  • Odin Agent Runtime — the odin-agent CLI inside the workspace. Per-tenant skill manifest; per-tenant provider keys; per-tenant budget cap.
  • Workspace CLI bridge — HTTP bridge that lets the Command Center (uid 1001) write into the code-server tree (uid 1000) without breaking ownership.

Deployment model

SCW ships as a deployable stack, not a hosted SaaS:

  • EU cloud default — Hetzner-NL (Amsterdam) with per-tenant data residency.
  • On-prem — same compose contract deploys to your Kubernetes / bare-metal / VPC. Customer-owned database, customer-owned files, no vendor egress.

Per-tenant network isolation (structural)

Each tenant runs in its own Docker bridge network. Cross-tenant DNS resolution is a structural impossibility, not a firewall rule. The deployer attaches the per-tenant odin-postgres alias to each tenant's network at provision time; the same pattern applies to odin-control-tower. The cron at */5 * * * * re-attaches aliases that get stripped by container recreates.

Audit surfaces

Every primitive emits to the tenant's BrainDB:

  • code-server file writes → workspace audit namespace
  • odin-agent spawns + tool calls → agent audit namespace
  • workspace-CLI HTTP requests → cross-uid bridge audit

Provisioning a new SCW tenant

Operators provision via the Control Tower wizard (~5 minutes end-to-end) or the API:

POST /api/tenants
{
  "slug": "demo-fintech",
  "enabledHubs": ["coding", "compass", "academy"],
  "region": "eu-nl"
}

Where to go next

  • BrainDB write contract — what gets audited
  • Odin Agent Runtime quickstart — running your first /deliberate inside the workspace
  • Sovereign Cloud Workspace product page
← Back to all docsQuestion or feedback? →