# Deployment Options

> Canonical page: https://saig.terraxon.eu/docs/deployment/
> Last updated: 2026-06-16

## Options

| Option | Description |
|--------|-------------|
| **EU SaaS** | Hosted in EU (Hetzner, Germany). Fully managed by Terraxon. Fastest time to value. |
| **Private VPC** | Your cloud, your rules. Docker Compose or Kubernetes. Terraxon supports, you control. |
| **On-Premise** | Governance, PII detection, OCR, and policy evaluation run locally. Provider egress controlled by sovereignty policy. |
| **Air-Gapped** | Fully isolated, no external provider calls. Suitable for local or approved in-environment model setups. |
| **Hybrid** | Gateway on-premise for data sovereignty. Management plane in cloud for convenience. |

## Infrastructure requirements

- Docker Compose or Kubernetes
- PostgreSQL 16 (Keycloak), SQLite or PostgreSQL (audit)
- Redis 7 (optional — attachment store, OCR queue, cache)
- Reverse proxy (Caddy recommended)
- OIDC provider (Keycloak included)

## Local processing

All PII detection uses local NER models and regex — no calls to external NLP APIs. Audit records are written locally. Policy evaluation runs in-process. The only external calls are to configured LLM providers when forwarding governed requests.