CASE 106 · ARGON · 2025
Third-party SaaS, pulled inside the VPC boundary.
A B2B finance company sent customer data to four third-party SaaS vendors over the public internet — analytics, observability, error tracking, fraud signals. Their security team had been quietly uncomfortable. We moved every integration where the vendor supported it to PrivateLink, with audit trails per direction.
B2B finance
SECURITY
2025
RESULTS
What changed, by the numbers.
EGRESS TO PUBLIC INTERNET: −81%
VENDORS ON PRIVATELINK: 4 / 4
CUSTOMER QUESTIONNAIRE TIME: −74%
DATA-FLOW DIAGRAM CLARITY: HIGH
HOW IT WENT
The data-flow diagram had been the trigger. Drawing it had been an unflattering exercise — customer data left the VPC for four different third-party endpoints, each over HTTPS but each on a different vendor’s public IP range. The CISO had asked "could we draw this with PrivateLink instead?"
Three of the four vendors supported PrivateLink natively. The fourth required a custom integration through an AWS-hosted proxy: traffic reached the proxy over PrivateLink at the customer end, then crossed the public internet to the vendor (we kept that vendor on a roadmap to migrate fully).
Public-internet egress of customer data dropped 81%. Customer security questionnaires got faster to answer because the data-flow diagram now has fewer red arrows. The audit narrative is easier to tell: data leaves our VPC only to PrivateLink endpoints, and each PrivateLink connection is named and logged.
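One way to check the claim that data leaves the VPC only to named PrivateLink endpoints is to attribute VPC Flow Log egress bytes to endpoint ENIs. The sketch below is an added example, not code from the engagement; the VPC CIDR, endpoint names and IPs, and the flow-log records are constructed, and it assumes the default (version 2) flow-log format.

```python
import ipaddress
from collections import defaultdict

# Constructed values: VPC range and the private IPs of the interface-endpoint
# ENIs, keyed to the connection names used on the data-flow diagram.
VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")
ENDPOINT_IPS = {
    "10.20.5.10": "analytics-privatelink",
    "10.20.5.11": "observability-privatelink",
    "10.20.5.12": "error-tracking-privatelink",
    "10.20.5.13": "fraud-proxy-privatelink",
}

# Constructed records in default format: version account eni src dst srcport
# dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0aaa 10.20.1.15 10.20.5.10 44321 443 6 40 52000 1735689600 1735689660 ACCEPT OK
2 111122223333 eni-0aaa 10.20.1.15 10.20.5.12 44322 443 6 12 8000 1735689600 1735689660 ACCEPT OK
2 111122223333 eni-0aaa 10.20.1.15 203.0.113.40 44323 443 6 15 9500 1735689600 1735689660 ACCEPT OK
2 111122223333 eni-0aaa 203.0.113.40 10.20.1.15 443 44323 6 9 1200 1735689600 1735689660 ACCEPT OK
2 111122223333 eni-0aaa 10.20.1.15 198.51.100.7 44324 443 6 2 300 1735689600 1735689660 REJECT OK
2 111122223333 eni-0aaa 10.20.5.10 10.20.1.15 443 44321 6 30 4100 1735689600 1735689660 ACCEPT OK
2 111122223333 eni-0aaa - - - - - - - 1735689600 1735689660 - NODATA
"""

def summarize_egress(log_text):
    """Return (bytes per destination class, sorted public destination IPs).

    Assumes logs from workload ENIs only; a NAT gateway ENI would record
    the same outbound flow a second time.
    """
    totals = defaultdict(int)
    public_dsts = set()
    for line in log_text.splitlines():
        f = line.split()
        # Skip malformed, NODATA/SKIPDATA and rejected records.
        if len(f) != 14 or f[12] != "ACCEPT" or f[13] != "OK":
            continue
        src, dst = ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4])
        if src not in VPC_CIDR:
            continue  # inbound or return traffic, not egress
        if str(dst) in ENDPOINT_IPS:
            totals[ENDPOINT_IPS[str(dst)]] += int(f[9])
        elif dst in VPC_CIDR:
            totals["intra-vpc"] += int(f[9])
        else:
            totals["public-internet"] += int(f[9])
            public_dsts.add(str(dst))
    return dict(totals), sorted(public_dsts)

if __name__ == "__main__":
    print(summarize_egress(SAMPLE_FLOW_LOGS))
```

Any bytes under `public-internet`, and the destinations listed with them, are the remaining red arrows on the diagram.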