Self-Hosting

Self-hosted (on-prem) deployment allows you to run Confident AI entirely within your own infrastructure, giving you complete control over your data and security posture.

On-premise deployments are only available for customers with Enterprise lisences. Talk to us to inquire about one.

Overview

Confident AI supports self-hosted deployments on major cloud providers:

AWS

Deploy on Amazon Web Services using EKS, EC2, or other AWS services.

Azure

Deploy on Microsoft Azure using AKS or other Azure services.

GCP

Deploy on Google Cloud Platform using GKE or other GCP services.

Why self-host?

Self-hosting is beneficial mainly from a security and data standpoint:

Data sovereignty — All data stays within your infrastructure and chosen region. No data is ever sent to Confident AI systems.
Compliance requirements — Meet regulatory requirements (SOC 2, HIPAA, GDPR, FedRAMP) by keeping sensitive data in your controlled environment.
Network isolation — Run entirely within your private network with no public internet exposure.
Custom integrations — Connect to internal systems, self-hosted LLMs, and existing infrastructure without leaving your network.

Network security

All self-hosted deployments follow a fully private model with no inbound internet access:

All services run in private subnets with no direct internet exposure
Load balancer is internal-only, accessible via VPN or network peering to your corporate network
Authentication is entirely internal—user credentials and sessions never leave your network (except for SSO providers like Okta or Azure AD if configured)
Outbound internet access is limited to:
- Pulling container images from your cloud provider’s container registry
- LLM API calls for evaluations (depends on your setup)
- Email/Slack notifications (optional)

Layer	Method
In transit	TLS 1.2+ for all internal and external traffic
At rest	Cloud-native encryption (KMS or equivalent)
Secrets	Cloud secrets manager with encryption

For fully air-gapped deployments without any outbound access, contact Confident AI for offline image delivery and self-hosted LLM evaluation options.

Deployment timeline

Typical enterprise deployment takes 2-4 weeks end-to-end:

Phase	Duration	Notes
Security & Access Review	3-7 days	Approvals for IAM roles, service accounts, and network access
DNS & Certificate Setup	2-5 days	Domain delegation, certificate requests, DNS team coordination
Infrastructure Provisioning	1-2 days	Terraform apply, troubleshooting quota limits or naming conflicts
Kubernetes Deployment	1-2 days	Secrets configuration, image pull access, ingress setup
Testing & Validation	2-3 days	End-to-end testing, security scans, load testing
Go-Live & Handoff	1-2 days	Documentation, runbook review, on-call setup

Common delays: permission requests stuck in approval queues, DNS changes requiring change tickets, security reviews for VPC peering or firewall rules.

Next steps

Self-hosted deployments are only available for Enterprise customers and are not self-served. To get started:

Contact Confident AI here or, for existing users in your private support channel, to discuss your requirements and obtain an Enterprise license
Once approved, we will provide container images for your chosen cloud provider’s registry (AWS ECR, Azure ACR, or GCP Artifact Registry)
Follow the deployment guide for your cloud provider above

Our team will work with you throughout the deployment process to ensure a successful rollout.

Self-hosted (on-prem) deployment allows you to run Confident AI entirely within your own infrastructure, giving you complete control over your data and security posture.

On-premise deployments are only available for customers with Enterprise lisences. Talk to us to inquire about one.

Overview

Confident AI supports self-hosted deployments on major cloud providers:

AWS

Deploy on Amazon Web Services using EKS, EC2, or other AWS services.

Azure

Deploy on Microsoft Azure using AKS or other Azure services.

GCP

Deploy on Google Cloud Platform using GKE or other GCP services.

Why self-host?

Self-hosting is beneficial mainly from a security and data standpoint:

Data sovereignty — All data stays within your infrastructure and chosen region. No data is ever sent to Confident AI systems.
Compliance requirements — Meet regulatory requirements (SOC 2, HIPAA, GDPR, FedRAMP) by keeping sensitive data in your controlled environment.
Network isolation — Run entirely within your private network with no public internet exposure.
Custom integrations — Connect to internal systems, self-hosted LLMs, and existing infrastructure without leaving your network.

Network security

All self-hosted deployments follow a fully private model with no inbound internet access:

All services run in private subnets with no direct internet exposure
Load balancer is internal-only, accessible via VPN or network peering to your corporate network
Authentication is entirely internal—user credentials and sessions never leave your network (except for SSO providers like Okta or Azure AD if configured)
Outbound internet access is limited to:
- Pulling container images from your cloud provider’s container registry
- LLM API calls for evaluations (depends on your setup)
- Email/Slack notifications (optional)

Layer	Method
In transit	TLS 1.2+ for all internal and external traffic
At rest	Cloud-native encryption (KMS or equivalent)
Secrets	Cloud secrets manager with encryption

For fully air-gapped deployments without any outbound access, contact Confident AI for offline image delivery and self-hosted LLM evaluation options.

Deployment timeline

Typical enterprise deployment takes 2-4 weeks end-to-end:

Phase	Duration	Notes
Security & Access Review	3-7 days	Approvals for IAM roles, service accounts, and network access
DNS & Certificate Setup	2-5 days	Domain delegation, certificate requests, DNS team coordination
Infrastructure Provisioning	1-2 days	Terraform apply, troubleshooting quota limits or naming conflicts
Kubernetes Deployment	1-2 days	Secrets configuration, image pull access, ingress setup
Testing & Validation	2-3 days	End-to-end testing, security scans, load testing
Go-Live & Handoff	1-2 days	Documentation, runbook review, on-call setup

Common delays: permission requests stuck in approval queues, DNS changes requiring change tickets, security reviews for VPC peering or firewall rules.

Next steps

Self-hosted deployments are only available for Enterprise customers and are not self-served. To get started:

Contact Confident AI here or, for existing users in your private support channel, to discuss your requirements and obtain an Enterprise license
Once approved, we will provide container images for your chosen cloud provider’s registry (AWS ECR, Azure ACR, or GCP Artifact Registry)
Follow the deployment guide for your cloud provider above

Our team will work with you throughout the deployment process to ensure a successful rollout.