Self-hosted, airgap-compatible.
The same product as the SaaS edition, deployed on your infrastructure. Not a separate tier, but a $20 per agent per month add-on to Standard, with a 20-agent minimum, billed annually. For regulated industries, government, and teams whose security review won’t clear shared SaaS.
< 4 wk: Self-hosted onboarding
$20: Per agent per month, on top of Standard
6: Supported AI providers (BYO)
Security & deployment
What's actually built
Specific capabilities, not vague trust language. If a control isn't here, it isn't shipped.
Custom roles, 21 permissions
Per-permission RBAC with team scoping. Build a role for a finance approver who can only see their own department's requests; build another for a security reviewer who can read every audit event but edit nothing.
MFA + OIDC/SAML SSO + SCIM
TOTP, SMS, recovery codes, verified-domain OIDC/SAML SSO, SCIM provisioning, controlled JIT, and a session model with idle timeout, absolute lifetime, and recent-auth re-prompts.
IP allowlist, audit, SIEM export
Per-org CIDR allowlist on logins. Auth + operational audit trails with an NDJSON streaming endpoint for Splunk, Datadog, or your SIEM of choice.
GDPR Article 17 erasure + DSAR
Documented APIs for right-to-be-forgotten and data subject access requests. Erasure is atomic, idempotent, and produces a SHA-256 proof record so future DSARs can match without retaining identity.
Self-hosted via Helm
Production Helm chart with signed-license enforcement, certificate-revocation list, instance fingerprinting, clock-rollback defense, and optional telemetry. Airgap-compatible.
Bring your own AI provider
Anthropic, AWS Bedrock, Azure OpenAI, Ollama, vLLM, or any OpenAI-compatible endpoint. Disable AI entirely with one env var for regulated and airgap environments.
Deployment
SaaS or self-hosted, same product
Pick the deployment that matches your governance posture. The product surface is identical; the self-hosted add-on gets you the signed-license path with BYO AI.
Managed SaaS
Hosted Anthropic-backed AI, automatic updates, multi-region storage on request, standard MSA. Best when SaaS is acceptable to your security organization.
Self-hosted (+$20 / agent / mo)
Helm chart on your Kubernetes cluster. Signed-license enforcement with offline grace period. Optional telemetry, opt-out by default. BYO AI provider or AI fully disabled. 20-agent minimum, billed annually. FedRAMP authorization-boundary discussions on request.
Scope a self-hosted deployment
Send us your requirements: security review, deployment topology, FedRAMP boundary, AI provider preference. We come back with an implementation plan and a license sized to your team, not a generic deck.