On-prem, hybrid, or cloud?
Choose the right deployment model
Gatekeeper supports four distinct deployment architectures — from fully cloud-hosted with zero infrastructure overhead, to completely air-gapped with no internet dependency. Every model ships the same feature set. Your choice depends on data sovereignty, regulatory requirements, and operational preferences.
Cloud-hosted
Supabase Cloud
Gatekeeper runs on Supabase Cloud infrastructure. No server management required. Updates are automatic. Data is stored in the cloud region you select.
Best for
Most commercial organisations, SMBs, and MSPs without strict data sovereignty requirements.
Self-hosted
On-premise
Supabase runs on your own servers. The platform connects to the internet for CVE feeds and optional AI services. All data stays in your data centre.
Best for
Organisations with data sovereignty requirements, financial institutions, DORA-regulated entities, and government (BBN1/BBN2).
Hybrid
Agents on-prem, flexible backend
Remote node agents are deployed on-site for local scanning, while the Gatekeeper backend can be cloud-hosted or self-hosted. Ideal for distributed or multi-site organisations.
Best for
MSPs with clients in multiple locations, organisations with branch offices, and distributed government bodies.
Air-gapped
Fully isolated
Completely isolated from the internet. All components run on-site. CVE feeds imported offline. Agent communication uses internal networking only. No external dependencies.
Best for
Defence networks, critical OT/ICS infrastructure, BBN3 government, and highly regulated environments prohibiting cloud connectivity.
Feature comparison
What each model includes
| Capability | Cloud-hosted | Self-hosted | Hybrid | Air-gapped |
|---|---|---|---|---|
| Data stays on your servers | Stored in selected cloud region | Backend data location depends on backend choice | ||
| Internet access required | For CVE feeds & AI; can restrict to specific IPs | Backend and optional AI require internet | ||
| Live CVE feed updates | Via periodic offline bundle import | |||
| AI assistant | Local LLM required; cloud AI disabled | |||
| Zero server management | Depends on backend choice | |||
| Multi-site remote agents | Agents communicate via internal LAN only | |||
| Multi-tenant (MSP) | ||||
| Automatic platform updates | Frontend updates automatic; backend manual | |||
| BIO BBN3 compatible | Only if internet-connected services are disabled | |||
| Full compliance module |
Decision guide
Which model is right for you?
If...
Do you have strict data sovereignty or BBN3 requirements?
Then: Air-gapped deployment.
If...
Do you need data on your own servers but can allow controlled internet access?
Then: Self-hosted (on-premise) deployment.
If...
Do you manage multiple client sites or have distributed branch offices?
Then: Hybrid deployment with remote node agents per site.
If...
Do you want zero infrastructure management and maximum ease of use?
Then: Cloud-hosted deployment — sign up and start immediately.
Not sure yet?
Talk to us about your requirements
We can advise on the right deployment model based on your regulatory context and IT constraints.
Explore more solutions
See how Gatekeeper fits your specific environment
NIS2 for Municipalities
Art. 21–23 compliance for local government
BIO for Government
Baseline Informatiebeveiliging Overheid
MSP Multi-tenant
Multi-tenant architecture for service providers
Air-gapped Deployment
Fully isolated, zero internet dependency
Healthcare
Medical device security & NEN 7510
Finance & DORA
ICT risk management for financial services
Utilities & OT
SCADA/ICS security for critical infrastructure
Education
Campus network security & BYOD management