Deployment options
VaultPAM is available in three deployment models. The right choice depends on your data sovereignty requirements, IT operations capacity, and connectivity constraints.
Comparison
| Factor | SaaS | On-premises | Hybrid |
|---|---|---|---|
| Data location | GCP europe-central2 (Warsaw, Poland) -- data does not leave the EU | Your own data centre | Control-plane in your DC; connector layer in cloud or mixed |
| Maintenance | Managed by VaultPAM -- no patching required | Full responsibility of your IT team | Shared; cloud components managed by VaultPAM |
| Connectivity | Outbound-only connector; no inbound firewall changes | Internal network; no external dependency | Connector phones home to control-plane |
| Compliance posture | EU data residency, GDPR Art. 32 covered by platform DPA | You control the stack; you own the evidence | Partial coverage; check with your DPO |
| Time to value | Minutes (sign up, install connector) | Days to weeks (infrastructure provisioning) | Days (hybrid onboarding path) |
SaaS
VaultPAM SaaS runs on Google Cloud Platform in the europe-central2 (Warsaw, Poland) region. All tenant data -- session recordings, audit logs, credentials, and configuration -- is stored within this region. Data does not leave the EU.
This deployment satisfies GDPR data residency requirements for EU-based organisations and aligns with NIS2 Article 21 obligations without additional customer action.
Getting started with SaaS
- Go to app.vaultpam.com and sign up for a free trial.
- Complete your organisation profile (name, timezone, billing contact).
- Download and install the connector on a machine inside your network.
- Register your first resource (RDP, SSH, or web target).
- Launch your first session to confirm the data path is working.
To receive written confirmation that your data is stored exclusively in the EU, contact support@vaultpam.com to request a Data Processing Agreement (DPA). The DPA specifies GCP europe-central2 as the sole processing region.
On-premises
The on-premises model runs the entire VaultPAM control-plane on your own infrastructure. You are responsible for provisioning, patching, and backing up all components.
Prerequisites
- Kubernetes cluster (K8s 1.28+) or Docker Compose environment
- PostgreSQL 15+ database
- Accessible MinIO-compatible object store (or AWS S3) for recordings
- Outbound internet access from the control-plane host (for licence validation)
Getting started with on-premises
- Obtain the on-premises deployment package from support@vaultpam.com.
- Provision the required infrastructure (PostgreSQL, object store, K8s or Compose).
- Run the installer and specify on-premises mode.
- Set the CONTROL_PLANE_URL environment variable on each connector to point to your instance.
- Log in to your self-hosted instance and complete organisation setup.
- Install the first connector and register your first resource.
- Verify the audit log records your setup activity.
Hybrid
The hybrid model places the VaultPAM control-plane on-premises while allowing connectors to operate in cloud-hosted environments (or vice versa). This is common when you want to keep audit data on-premises but have workloads in AWS, Azure, or GCP.
Getting started with hybrid
- Deploy the control-plane on-premises following the on-premises steps above (steps 1-5).
- For each cloud environment, install a connector on a VM or Kubernetes pod inside that VPC.
- Configure each connector to reach your on-premises control-plane (VPN or private link recommended).
- Register cloud-hosted resources in the console.
- Verify connectivity by launching a test session against a cloud resource.
Which should I choose?
- SaaS - you want the fastest time to value and EU data residency without managing infrastructure.
- On-premises - regulations or internal policy require data to stay on your own hardware.
- Hybrid - you have mixed environments and want a single control-plane for all of them.
When in doubt, start with SaaS. Migration to on-premises or hybrid is supported with data export tooling.