A system controls access to data for customer of a multi-tenant software as a service (SaaS) system. A multi-tenant SaaS system cloud includes a metadata store. A customer- controlled storage realm includes a customer-controlled key management system (KMS) and a data store for storing encrypted customer data objects. An agent at a user endpoint identifies customer data for storage in the customer data store, transmits metadata and telemetry information related to the customer data to a SaaS application interface (API), and provides a storage reference for a SaaS metadata store. The agent is pre-configured with credentials from the KMS for storing customer data objects in the data store. The customer-controlled storage realm is not in direct communication with the SaaS system cloud.