EWII SECURE MCP VPN

The secure connectivity layer for AI operators.

Reach your customers’ on-prem databases without firewall changes, credential exposure, or VPN hardware. Hub on your side. Signed Client on theirs. Encrypted, identity-verified traffic over outbound port 443.

End-to-end connectivity overview: operator AI platform connects to the Ewii Hub on the operator side, which establishes an outbound TLS 1.3 connection on port 443 across the customer firewall (labelled UNCHANGED — NO INBOUND RULES) to the signed Client container on the customer side, which talks to the customer’s on-prem database. Three forest-green semantic stamps mark OPERATOR HOLDS KEYS, IDENTITY-VERIFIED, and the firewall UNCHANGED stamp.

Built on

  • ChaCha20-Poly1305: application-layer AEAD
  • SPIFFE / X.509: workload identity
  • QUIC + TLS 1.3: transport
  • Canadian datacenters: data sovereignty

01  Outbound-only

    Your customers’ firewalls don’t change. Ewii’s Client opens a single outbound connection on port 443. No inbound rules, no port-forwarding, no DMZ.

02  Zero-trust by design

    SPIFFE workload identity. Short-lived X.509 certificates. No shared secrets, no static API keys. Every request is identity-verified at the workload boundary.

03  Built for regulated industries

    Canadian datacenters. Protected B-aligned. Signed tenant-specific Client containers with Cosign. Defense-in-depth encryption your auditor can read.

HOW IT WORKS

Hub on your side. Client on theirs. Three steps.

A schematic flow diagram showing the Ewii Hub on the operator side connecting to the Client on the customer side via outbound port 443, with the neutral relay band between them holding ciphertext only and a SPIFFE SVID identity claim validated at the Hub.
FIG. 1 Hub-Client connectivity overview

See the full architecture →

FOR YOU, THE OPERATOR

A productized connectivity layer to ship in your platform.

White-labelable. SLA-backed. We start every engagement with an Architecture Review so your team and ours agree on the deployment shape before you commit.

Read the operator brief →

FOR YOUR CUSTOMERS

A signed container that opens one outbound connection.

Their data stays on their infrastructure. Their security team approves it once. We wrote this page so an operator can copy the URL into their own change-management package.

Read the customer brief →