Artie follows a split-plane architecture that separates the control plane from the data plane:
  • Control plane — Dashboard, orchestration, pipeline configuration, monitoring, and metrics.
  • Data plane — All data processing: reading from your source, buffering changes, and writing to your destination. No customer data leaves the data plane.
Only metadata (table names, column schemas, pipeline status) is sent from the data plane to the control plane.
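As an illustration of the metadata-only boundary, here is a minimal sketch of deriving a control-plane payload from a batch of rows. The function name, payload shape, and use of Python type names as column types are assumptions made for this example, not Artie's actual wire format.

```python
def build_metadata(table: str, rows: list, status: str) -> dict:
    """Build a payload that describes a table without carrying any row values."""
    columns = {}
    for row in rows:
        for name, value in row.items():
            # Record only the column name and an inferred type, never the value.
            columns.setdefault(name, type(value).__name__)
    return {"table": table, "columns": columns, "status": status}


rows = [
    {"id": 1, "email": "alice@example.com"},
    {"id": 2, "email": "bob@example.com"},
]
payload = build_metadata("users", rows, "running")
```

The payload holds the table name, column names with types, and the pipeline status. The row values themselves stay in the data plane.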
Diagram comparing cloud and on-premise deployment models. Cloud deployment routes data through Artie's data plane. On-premise deployment keeps data in the customer's network, with only metadata sent to Artie's control plane.

How data flows

Artie replicates database changes in near real-time using a reader-buffer-writer pattern:
  1. Change capture (reader) — Artie connects to your source database and subscribes to its transaction log to capture changes. During backfills, a separate process scans full tables and writes directly to the destination while CDC continues in parallel.
  2. Buffering (Kafka) — Each change event is published to an internal Kafka queue. This buffer enables parallelism and absorbs throughput spikes when downstream systems are slow.
  3. Flush to destination (writer) — When a flush condition is met, Artie writes the buffered data to the destination using idempotent upserts or merges, commits the Kafka offset, and resumes reading.
  4. Metadata to control plane — Only pipeline configuration, status, and metrics are sent to the control plane. No row-level data is transmitted.
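The flush step can be sketched with an in-memory simulation. This is not Artie's implementation: a Python list stands in for the Kafka queue, a dict keyed by primary key stands in for the destination, and the `flush_rows` threshold is a hypothetical flush condition. The sketch shows why idempotent writes matter when the offset is committed only after a successful flush.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ChangeEvent:
    offset: int            # position in the buffer (stand-in for a Kafka offset)
    op: str                # "upsert" or "delete"
    key: int               # primary key of the affected row
    row: Optional[dict]    # new row image; None for deletes


@dataclass
class Writer:
    flush_rows: int = 3                              # hypothetical flush condition
    destination: dict = field(default_factory=dict)  # stand-in for the destination table
    committed_offset: int = -1                       # last offset known to be written
    pending: list = field(default_factory=list)

    def consume(self, log: list) -> None:
        # Resume after the last committed offset, as a consumer would on restart.
        for event in log:
            if event.offset <= self.committed_offset:
                continue
            self.pending.append(event)
            if len(self.pending) >= self.flush_rows:
                self.flush()
        # Flush the remainder; a real system might use a time-based condition here.
        self.flush()

    def flush(self) -> None:
        if not self.pending:
            return
        for event in self.pending:
            if event.op == "delete":
                self.destination.pop(event.key, None)    # deleting twice is harmless
            else:
                self.destination[event.key] = event.row  # upsert keyed by primary key
        # Commit only after the write succeeded.
        self.committed_offset = self.pending[-1].offset
        self.pending.clear()
```

If the process stops after a write but before the commit, the same events are read again on restart. Because each write is an upsert or delete keyed by primary key, replaying them leaves the destination in the same state.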

Deployment options

Cloud

Both the control plane and data plane run in Artie’s cloud infrastructure. The data plane is co-located in the same region as your databases to minimize egress costs and latency.
  • Fully managed with minimal operational overhead
  • Data flows from your source, through Artie’s data plane, to your destination

BYOC (on-premise)

The data plane runs inside your cloud account or private network, while Artie hosts the control plane. You host the data plane infrastructure (Kubernetes, Kafka, persistent storage), and Artie remotely manages operations such as upgrades and scaling. This is the most common on-premise model.
  • All database connections originate inside your environment
  • Production data never leaves your VPC
  • The control plane communicates with the data plane over HTTPS (TLS 1.3) via authenticated endpoints

Security

Networking

Artie supports multiple methods for connecting to your sources and destinations:
  • PrivateLink — Traffic stays within the cloud provider’s private backbone with no public internet exposure. Supported on AWS, Azure, and GCP.
  • IP allowlisting — Artie provides fixed IP ranges that you allowlist on your database firewall.
  • SSH tunnels — Customer-initiated outbound SSH tunnels with no inbound firewall rules required.
All communication is secured with HTTPS and TLS 1.3 encryption. For details, see Connection options.
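To make IP allowlisting concrete, here is a minimal sketch of the check a database firewall performs on an incoming connection. The ranges are placeholders taken from the RFC 5737 documentation blocks, not Artie's real IP ranges, and `is_allowed` is a name invented for this example.

```python
import ipaddress

# Hypothetical allowlist; substitute the fixed ranges that Artie provides.
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("198.51.100.16/30"),
]


def is_allowed(source_ip: str) -> bool:
    """Return True if the connecting address falls inside an allowlisted range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in network for network in ALLOWED_RANGES)
```

In practice this rule lives in the firewall or security group configuration rather than in application code. The sketch only shows the matching logic.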

Encryption

  • In transit — All traffic between planes and between Artie and your databases is encrypted with TLS 1.3.
  • At rest — Data at rest is encrypted with AES-256.
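For the in-transit requirement, a client that refuses anything older than TLS 1.3 can be sketched with Python's standard `ssl` module. The helper name `tls13_client_context` is an assumption for this example. It shows one way to enforce the protocol floor on the client side, not how Artie configures its own services.

```python
import ssl


def tls13_client_context() -> ssl.SSLContext:
    """Create a client context that verifies certificates and requires TLS 1.3."""
    # The default context enables certificate and hostname verification.
    ctx = ssl.create_default_context()
    # Reject handshakes that negotiate TLS 1.2 or older.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


ctx = tls13_client_context()
```

The context can then be passed to `ctx.wrap_socket(sock, server_hostname=host)` or to `urllib.request.urlopen(url, context=ctx)`. A server that only offers older protocol versions will fail the handshake.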