Platform vs Self-Hosted
Decision guide for choosing the managed sovseal Platform or a self-hosted deployment.
Choosing between the managed sovseal Platform and a Self-Hosted edge function depends on your operational priorities. Because both paths enforce client-side encryption, your choice does not affect the zero-knowledge guarantees: the server remains blind to your plaintext regardless of hosting.
Feature Matrix
| Feature | Platform (Managed) | Self-Hosted |
|---|---|---|
| Read Latency | 0 RTT (Local vector search) | 0 RTT (Local vector search) |
| Write Latency | Local commit (3.8ms p50) | Local commit (3.8ms p50) |
| Replication Sync | Managed write-behind queue | Self-operated Hono Edge Function |
| Replication Storage | Managed Supabase + storage bucket | Your Postgres + S3/Object Storage |
| Key Custody | Client-only (OS keychain; HKDF subkeys) | Client-only (OS keychain; HKDF subkeys) |
| Key Authorization | sov_live_ API key (DB-backed) | Custom auth or static token |
| High Availability | Built-in, global edge routing | DIY routing & cluster setup |
| Replication Latency | Managed queue draining | Bound by your infrastructure capacity |
| Maintenance Ops | Zero-ops (updates managed by sovseal) | Self-managed schema migrations & runtime updates |
Compliance & Security Decision Tree
Use this guide to align your choice with regulatory and security mandates:
Do your security policies prohibit
external cloud storage of ciphertext?
/ \
/ \
[Yes] [No]
/ \
▼ ▼
Use Self-Hosted Does your app fall under
(Fully sovereign) strict regulatory frameworks?
/ \
/ \
[Yes] [No]
/ \
▼ ▼
Which one? Use Platform
/ \ (Fastest setup)
/ \
[GDPR / SOC 2] [FedRAMP / HIPAA]
/ \
▼ ▼
Use Platform Use Self-Hosted
(ZK structure makes (Ensures strict VPC/
compliance simple) GovCloud isolation)GDPR Compatibility
Under GDPR, sovseal's Platform tier is compliant by construction. Because the managed server only stores client-side AES-256-GCM ciphertext and SHA-256 path hashes:
- Plaintext personal data (PII) is never processed or held on our servers.
- Right to erasure (forgetting) is handled deterministically via client-side rollback or local deletion tombstones.
- No cross-border data transfer concerns exist since the plaintext never leaves the host machine.
HIPAA & FedRAMP Alignment
If you operate in environments where company policy dictates that even encrypted payloads cannot reside on third-party SaaS servers, the Self-Hosted deployment allows you to run the edge replication endpoint directly inside your private VPC or GovCloud environment.
Cost & Resource Comparison
| Metric / Workload | Platform | Self-Hosted |
|---|---|---|
| Setup Time | <5 minutes | 15–30 minutes |
| Infrastructure Costs | Usage-based (Managed storage & sync) | Your compute, Postgres, and storage billing |
| Scale Limits | Auto-scaling (No manual intervention) | Constrained by local DB connection pools |
| Support SLA | Included in Pro/Team tiers | Community + GitHub |
Migration Paths
Moving between the managed Platform and Self-Hosted tiers requires no source code modification beyond updating the SDK configuration block.
Platform to Self-Hosted
- Deploy the Deno Edge Function schema to your infrastructure.
- Export your local LanceDB snapshot directory or allow the in-flight write-behind queue to drain.
- Update the SDK client configuration to point the
replicationUrlto your new endpoint:
import { sovseal } from "@sovseal/sdk";
const memory = new sovseal({
replicationUrl: "https://your-domain.com/v1/v2-agent-state",
apiKey: process.env.MY_SELF_HOSTED_TOKEN,
});Self-Hosted to Platform
- Register for a managed project at sovseal.com/dashboard and generate a
sov_live_API key. - Re-point your SDK client configuration:
const memory = new sovseal({
replicationUrl: "https://api.sovseal.com/v2/agent-state",
apiKey: process.env.SOVSEAL_API_KEY, // sov_live_...
});- The client background worker will automatically synchronize existing local LanceDB records to the Platform.