> ## Documentation Index
> Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Self-Host vs Cloud

> An honest capability matrix of PromptGuard managed Cloud versus a self-hosted / air-gapped deployment — what is identical, what differs, and why the cloud-only pieces are cloud-only.

<Info>
  The **detection engine is the same binary** in both places. Self-hosting does not give you a cut-down firewall — the `/guard` engine, policy enforcement, dashboard, audit trail, and RBAC all run locally with no outbound connectivity. What differs is the *managed* surface around it: metering, hosted inference, the control plane, and a small amount of proprietary tooling that is stripped from customer images. This page is the honest line-by-line.
</Info>

## Capability matrix

| Capability                                                     | Cloud (managed) |         Self-hosted        | Notes                                                                                  |
| -------------------------------------------------------------- | :-------------: | :------------------------: | -------------------------------------------------------------------------------------- |
| `/guard` detection engine (regex + heuristics)                 |        ✅        |              ✅             | Identical code path                                                                    |
| Policy enforcement + custom policies                           |        ✅        |              ✅             |                                                                                        |
| Dashboard, event logging, Interactions                         |        ✅        |              ✅             |                                                                                        |
| Audit trail with hash-chain integrity                          |        ✅        |              ✅             |                                                                                        |
| Policy cache                                                   |        ✅        |              ✅             |                                                                                        |
| Org / project RBAC                                             |        ✅        |              ✅             | App-layer, not Postgres RLS (see below)                                                |
| IP allowlist                                                   |        ✅        |              ✅             |                                                                                        |
| Webhooks (HMAC-signed)                                         |        ✅        |              ✅             |                                                                                        |
| Prometheus `/metrics`                                          |        ✅        |              ✅             | Aggregate gauges, safe to scrape internally                                            |
| Helm chart (K8s)                                               |        ✅        |              ✅             | `deploy/helm/promptguard`                                                              |
| **Managed ML inference**                                       |     ✅ hosted    | ⚙️ bring-your-own endpoint | Cloud runs hosted classifiers; self-host points at a local TGI/vLLM or runs regex-only |
| **LLM-judge detectors** (LLM Guard, agentic, hallucination)    |     ✅ hosted    | ⚙️ bring-your-own endpoint | Same knobs — supply your own inference URL/token in-network                            |
| **Red-team attack engine + self-test UI**                      |        ✅        |              ❌             | Stripped from non-cloud builds                                                         |
| **Stripe billing + per-request quota metering**                |        ✅        | ❌ (signed license instead) | Self-host runs uncapped under an annual license                                        |
| **Shadow AI agent auto-update / staged rollout / kill-switch** |        ✅        |              ❌             | Control-plane feature                                                                  |
| **Managed log-retention scheduler**                            |        ✅        |        ⚙️ you run it       | Bring your own `pg_cron` / scheduler                                                   |
| Hosted status page + uptime monitoring                         |        ✅        |        ⚙️ you run it       | Point your own uptime monitor at `/health`                                             |
| SSO / SCIM (OIDC via WorkOS)                                   |        ✅        |         ⚙️ optional        | Works self-host if you wire `WORKOS_*`                                                 |
| GeoIP enrichment                                               |        ✅        |         ⚙️ optional        | Needs an IP-geo source; degrades gracefully when absent                                |
| Zero-egress / air-gapped operation                             |        —        |              ✅             | The reason to self-host in the first place                                             |

Legend: ✅ available · ⚙️ available but you operate/supply it · ❌ not available · — not applicable

## Why the cloud-only items are cloud-only

<AccordionGroup>
  <Accordion title="Red-team attack engine & self-test UI">
    The offensive red-team engine is proprietary attack tooling that is **stripped from non-cloud images at build time** (`DEPLOYMENT_MODE ≠ cloud`). It is internal IP we do not ship inside customer environments. The defensive detectors it exercises are fully present in self-host; only the built-in "attack yourself" harness is cloud-only. You can still run your own adversarial spot-checks against your live config by POSTing known-attack payloads to `/guard` in CI.
  </Accordion>

  <Accordion title="Managed ML and LLM-judge inference">
    On Cloud we operate the classifier and LLM-judge inference for you. Self-hosted, there is **no bundled local transformer yet** — so ML is bring-your-own: set `DETECTION_ML_BASE_URL` (and the LLM-guard / PII-redactor equivalents) to a model server you run inside your network, or run with `ML_INFERENCE_MODE=off` for the (substantial) rule engine alone. This is a deliberate deployment choice, not a capability gap: the detector code is identical, it just calls *your* endpoint so no traffic leaves your network.
  </Accordion>

  <Accordion title="Stripe billing & quota metering">
    Cloud enforces per-plan monthly request quotas through Stripe-backed subscriptions. A self-hosted instance has no reason to phone a billing provider, so it runs on a **signed, node-locked annual license** and is metered-but-uncapped: the counter increments for your own visibility, but requests are never hard-capped. No license behaves like the Free tier (10k requests/month); a lapsed/invalid license fails **closed** on billable requests (`503 LICENSE_INACTIVE`) while `/health` and `/docs` stay up.
  </Accordion>

  <Accordion title="Shadow AI agent auto-update & staged rollout">
    Staged rollout, kill-switch, and auto-update for the Shadow AI desktop agents are **control-plane** features: they need the hosted release/telemetry backend to target cohorts and halt a bad release. An air-gapped fleet distributes agent updates through your own MDM instead.
  </Accordion>
</AccordionGroup>

## Two things that behave differently self-hosted

<Warning>
  **RLS is enforced in the app, not Postgres.** On a vanilla self-hosted Postgres, the Supabase-managed `ROW LEVEL SECURITY` statements are skipped. Access control (org/project RBAC, IP allowlists) is enforced at the **application layer** instead — which is why you must not expose the database directly to untrusted clients. On managed Cloud (Supabase), RLS is additionally active as defense-in-depth.
</Warning>

<Warning>
  **Pin a stable node identity.** Self-host licenses are node-locked. Containerized deployments must set a stable `PROMPTGUARD_NODE_ID` (e.g. `uuidgen` once, then reuse) — the default hardware fingerprint changes on each container redeploy and would invalidate a node-locked license.
</Warning>

## Choosing a model

| You want…                                                                 | Deploy                                       |
| ------------------------------------------------------------------------- | -------------------------------------------- |
| Fastest start, we run everything, red-team self-test, managed inference   | **Cloud**                                    |
| Data must never leave your network; regulated/PHI-adjacent workloads      | **Self-hosted, air-gapped**                  |
| Your own infrastructure but you're fine with outbound to hosted inference | **Self-hosted with `ML_INFERENCE_MODE=api`** |

Air-gapped and self-hosted deployments are an Enterprise-tier capability. See the [Compliance](/security/compliance) page for the zero-egress audit path, or [contact sales](mailto:sales@promptguard.co) to scope a deployment.

## Next steps

<CardGroup cols={2}>
  <Card title="Enterprise Setup" icon="building" href="/production/enterprise-setup">
    Organizations, SSO, RBAC, and audit logs
  </Card>

  <Card title="Compliance" icon="clipboard-check" href="/security/compliance">
    Zero-egress audit, SBOM, and certification status
  </Card>

  <Card title="Shadow AI Deployment Modes" icon="user-shield" href="/shadow-ai/deployment-modes">
    Personal, fleet, and air-gapped agent deployment
  </Card>

  <Card title="Reliability" icon="heart-pulse" href="/production/reliability">
    Fail-open vs fail-closed behavior
  </Card>
</CardGroup>
