Deployment Models


Air-gapped. On-premises. Swiss-hosted. Your choice, your custody.

Where the system runs decides who could ever touch your archive. We build all four custody models; the architecture review determines which one fits your risk posture.

The four models

1 — Air-gapped

No internet path at all. Models, software, and updates arrive on verified offline media through a defined procedure. Highest custody, highest operational discipline — suited to the most sensitive family, legal, medical, and board archives.

Trade-off: updates and support are slower by design; every change follows the offline procedure.

2 — On-premises, private network

The system runs in your building, reachable only from your internal network. Maintenance happens in windows you approve; remote support, if permitted at all, follows an explicit, logged access path.

Trade-off: your building provides power, cooling, and physical security — we specify what is needed.

3 — Swiss-hosted dedicated

Your own single-tenant hardware in a certified Swiss data centre — when you cannot or do not want to host it yourself. Data residency is contractual; hardware is yours; nothing is shared.

Trade-off: physical custody sits with the facility; stronger than any shared platform, weaker than your own building.

4 — Hybrid, policy-gated

Local systems by default; clearly approved external models only for tasks classified as non-sensitive — enforced by a routing policy, with logs that show which request went where and why.

Trade-off: requires an explicit data-classification policy; we help you write it before anything is routed.

Custody comparison of the four deployment models Air-gapped no internet path offline updates maximum custody On-premises your building your network controlled maintenance Swiss-hosted dedicated hardware certified Swiss facility contractual residency Hybrid local by default policy-gated routing logged decisions ← stronger custody   ·   more operational flexibility →
Custody strength versus operational flexibility. The review places your archive on this line deliberately.

Custody properties compared

PropertyAir-gappedOn-premisesSwiss-hostedHybrid
Documents leave your custodyneverneverto your own hardware in a Swiss facilitynever for sensitive classes
Internet exposurenonenone by defaultcontrolled, single-tenantpolicy-gated per data class
External model usenonenonenoneapproved tasks only, logged
Update pathoffline mediaapproved windowsapproved windowsapproved windows
Physical securityyour buildingyour buildingcertified facilityper component
Typical fitestate, board, medical archivesfamily offices, law firmsinstitutions without server roomsteams with mixed workloads

All four models include the same governance layer: access control, audit logs, source-grounded retrieval, and evaluation before reliance.

Not sure which model fits?

That is precisely what the architecture review answers — with your archive, your users, and your obligations on the table.

Request a confidential architecture review