Two planes
Management Plane
Hosted by Ona. Handles coordination, identity, and configuration:
- Authentication and identity
- Organization management
- Guardrail enforcement
- Runner coordination
- Dashboard and API
Runners
Run on Ona Cloud or in your own infrastructure (AWS, GCP). Handle everything that touches your code:
- Environment provisioning
- Source code access
- Secret injection
- Agent execution
- Build and test execution
Why the split
The separation exists for three reasons:
Data sovereignty. Your source code and SCM credentials are handled by runners, not the management plane. With a self-hosted runner, all sensitive assets stay in your VPC. With Ona Cloud, code runs on Ona-managed infrastructure separate from the management plane. You choose the trade-off between convenience and control.
Compliance. Audit logs track every action. Guardrails are defined centrally and enforced at the runner level. The management plane sets the rules; runners enforce them during execution.
Flexibility. You can deploy runners in different regions and cloud providers. Each runner can have different environment classes with different compute specs. The management plane coordinates across all of them.
Data flow
The diagram below shows what stays in each plane:
Next steps
- Core components - what each part of Ona does
- Runners overview - deploy a runner in your infrastructure
- Guardrails - configure guardrails and compliance controls