A primer on designing PCI-ready, DORA-proof sandboxes with multi-tenant networks, policy-as-code, and exportable evidence packs on your cloud.
Regulators started using sandboxes to speed up innovation without giving up oversight. And fintech businesses have benefitted tremendously from it.
The FCA's model was one of the first, enabling live market tests under supervision. In 2023, the UK made its Digital Sandbox permanent after two successful pilots, providing 200 synthetic, public, or anonymized datasets and more than 1,000 APIs. That shift from one-off pilots to continuous capability matters because it lets you test models, data pipelines, and controls before they hit production.
A BIS study found that firms participating in sandboxes were 50% more likely to secure funding and had a 15% increase in the amount of capital raised overall. They were also more likely to survive compared to their non-sandboxed peers.
Sandboxes can lower uncertainty and shorten time-to-market for compliant products.
Singapore was also among the first few, launching its framework in 2016. Since then, it has expanded its approach with MAS Sandbox Express and later Sandbox Plus, streamlining approvals for low-risk activities and supporting later-stage pilots.
But at the same time, compliance requirements are getting stricter. PCI DSS 4.0 introduces future-dated requirements with more explicit authentication, encryption, and monitoring expectations by March 31, 2025. Designs that are compliant in test but brittle in production won't survive. In regulated payments, compliance must be by design.
In the EU, DORA applies from January 17, 2025, pushing financial entities and their critical IT providers to prove operational resilience, testing, incident reporting, and third-party risk management. Building your sandbox on infrastructure that can demonstrate these controls isn't optional anymore.
Atmosphere is an OpenStack-based platform built specifically for the demands of regulated environments. For sandboxes, what matters most is strong multi-tenancy, policy-driven networks, first-class identity management, key management, and repeatable automation. This lets you partition experiments, gate data movement, and reproduce results.
What sets Atmosphere apart is deployment flexibility. You can run it on-premise in your datacenter, hosted in a single-tenant environment, or in a multi-tenant public cloud. That choice matters for fintech companies operating under strict jurisdictional requirements or those needing direct control over their infrastructure. If your regulator requires data residency or you need to maintain custody of encryption keys, the on-premise and hosted editions give you that control without forcing you to build everything from scratch.
The platform also integrates with existing infrastructure, supporting multi-cloud strategies that are common in financial institutions. If you've already invested in other cloud environments or have legacy systems that need to coexist with your sandbox, Atmosphere can bridge those environments rather than forcing a wholesale migration.
Instead of using traditional processes, you can spin up a new instance quickly. Here’s what makes it easy:
For real-time fintech applications where latency matters, the platform supports advanced network offloading features like SR-IOV, DPDK, and ASAP2. These enable high-performance, low-latency network connections that matter when you're testing fraud detection models or payment processing systems where milliseconds count.
The platform bundles Prometheus and Grafana for time-series metrics and integrates with ELK/Loki for logs. Every decision you make in the sandbox generates telemetry you can turn into evidence packs later.
*Edition note: Federation (Keycloak), Barbican-backed encryption workflows, and mTLS patterns are supported in Hosted and On-Premise. The Cloud edition uses Keystone locally and provides TLS for APIs and load balancers, with per-project network isolation and security groups.
Different policy questions need different sandbox configurations. You can run all three on the same Atmosphere control plane and keep them cleanly separated.
The first two map to how the FCA's Digital Sandbox handles synthetic data at scale and how most live sandboxes throttle scope under supervision. Build for both from day one.
When an experiment is ready for a small live cohort, the move is procedural rather than architectural.
Regulators want to see that your live trial is simply your sandbox with tighter scope and the same controls switched from "test" to "enforced."
Treat the sandbox as long-lived product infrastructure: projects, networks, identity, keys, telemetry, and evidence. The regulatory environment (FCA, MAS, RBI) now expects it, and resilience regimes (PCI 4.0, DORA) require it.
Most of the heavy lifting is design and discipline. If you need support, the VEXXHOST professional services team can help, whether with implementing encryption and key rotation or assembling the evidence pack alongside your engineers.
Atmosphere gives you the isolation, policy hooks, and automation to run that program from day one. The deployment flexibility means you can choose the model that fits your compliance requirements, whether that's on-premise for data residency, hosted for managed operations, or public cloud for speed. The multi-cloud integration capabilities let you expand your sandbox scope while leveraging existing infrastructure investments. And the advanced networking features ensure your tests reflect real-world performance characteristics. The rest is governance and craft.