Cloud vs Self-Hosted Deployment

Govyn runs the same governance engine in two deployment models: Govyn Cloud (managed SaaS) and self-hosted (open-source, your infrastructure). The core proxy — policy evaluation, budget enforcement, rate limiting, loop detection, smart model routing — is identical in both. The difference is operational: who manages the infrastructure, what additional features are available, and where your data lives.

This page provides a detailed comparison to help you choose the right deployment model for your team. The short version: if you want zero-ops governance with a dashboard, choose Cloud. If you need maximum control and data sovereignty, choose self-hosted. If your needs are complex, you can run both — hybrid deployments use the same policy format.


Quick comparison

The table below compares all four tiers across features, limits, and operational characteristics.

| Feature | Self-Hosted (OSS) | Cloud (Starter) | Cloud (Team) | Cloud (Enterprise) |
|---|---|---|---|---|
| Price | $0 + infra | $29/mo | $99/mo | Custom |
| Setup time | 5 minutes | 2 minutes | 2 minutes | Guided |
| Agents | Unlimited | 10 | Unlimited | Unlimited |
| Log retention | 24 hours | 7 days metadata | 30 days metadata | 90 days |
| Dashboard | CLI only | Full dashboard | Full dashboard | Full dashboard |
| Smart routing | Yes | Yes | Yes | Yes |
| Approval queue | No | No | Yes | Yes |
| Session replay | No | No | Yes | Yes |
| RBAC / Teams | No | No | Yes | Yes |
| Anomaly detection | No | No | Yes | Yes |
| BYOK keys | N/A (your keys) | Yes | Yes | Yes |
| SSO / SCIM | No | No | No | Yes |
| Support | Community | Email | Priority | Dedicated |
| Data residency | Your servers | US (default) | US (default) | Custom |
| SLA | None | 99.5% | 99.9% | 99.99% |

Govyn Cloud

Govyn Cloud is the managed SaaS deployment. You create an account, connect your LLM provider API keys, and point your agents at the Cloud proxy URL. Govyn handles the infrastructure — servers, database, monitoring, backups, scaling, and updates.

Zero operational overhead. No servers to manage, no containers to deploy, no logs to rotate, no patches to apply. The proxy runs on Govyn's infrastructure with automatic scaling, redundancy, and monitoring. You focus on building agents. Govyn handles the governance infrastructure.

Full dashboard included. Every Cloud plan includes the web dashboard with real-time cost monitoring, agent activity feeds, policy management, and API key management. The dashboard is the primary interface for teams — it provides visibility into agent behavior that the CLI alone cannot match. Cost charts, activity timelines, and drill-down views make it easy to understand what your agents are doing and how much they cost.

Automatic updates. New features, security patches, and performance improvements are deployed automatically. You always run the latest version without lifting a finger. There is no version management, no migration scripts, and no downtime during updates.

Managed backups and monitoring. Govyn Cloud includes automated database backups, infrastructure monitoring, and incident response. If something goes wrong with the proxy infrastructure, the Govyn team responds — not yours. Uptime SLAs range from 99.5% (Starter) to 99.99% (Enterprise).

Team features. On the Team plan and above, Cloud includes session replay (view complete conversation flows for debugging and auditing), approval queue (require human approval before high-stakes actions), RBAC (role-based access control for team members), and anomaly detection (automatic cost spike and behavioral anomaly alerts). These features require persistent storage and a web interface, which is why they are Cloud-only.

BYOK key management. Bring your own provider API keys. Keys are encrypted at rest with AES-256-GCM and never exposed through the dashboard or API. When you list your configured keys, only a preview of the last 4 characters is shown — the full key is never decrypted for display.
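
One way a service can provide both properties described above, AES-256-GCM encryption at rest and a last-4 preview that never requires decryption, sketched with Node.js's built-in crypto module. This is an added example, not Govyn's code; the function names, the record layout, and the use of the organization ID as additional authenticated data are assumptions.

```javascript
// Added illustration; not Govyn's implementation. Record layout, function
// names and the AAD binding are assumptions made for this example.
const crypto = require("node:crypto");

// Encrypt a provider API key for storage. The 4-character preview is computed
// once, at write time, so listing keys never touches the master key.
function sealProviderKey(masterKey, orgId, apiKey) {
  if (masterKey.length !== 32) throw new Error("AES-256 needs a 32-byte key");
  const iv = crypto.randomBytes(12); // 96-bit nonce, fresh for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", masterKey, iv);
  cipher.setAAD(Buffer.from(orgId, "utf8")); // bind the ciphertext to its owner
  const ciphertext = Buffer.concat([cipher.update(apiKey, "utf8"), cipher.final()]);
  return {
    orgId,
    preview: "****" + apiKey.slice(-4),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
  };
}

// What a "list keys" endpoint can safely return: no ciphertext, no decryption.
function listView(record) {
  return { orgId: record.orgId, preview: record.preview };
}

// Decrypt only on the request-forwarding path. final() throws if the
// ciphertext, tag or owning org was altered, because GCM authentication fails.
function openProviderKey(masterKey, record) {
  const decipher = crypto.createDecipheriv(
    "aes-256-gcm", masterKey, Buffer.from(record.iv, "base64"));
  decipher.setAAD(Buffer.from(record.orgId, "utf8"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  return Buffer.concat([
    decipher.update(Buffer.from(record.ciphertext, "base64")),
    decipher.final(),
  ]).toString("utf8");
}

// Constructed sample values, not real credentials.
const masterKey = crypto.randomBytes(32);
const record = sealProviderKey(masterKey, "org_demo", "sk-constructed-example-9f3a");
console.log(listView(record));
```

Binding the organization ID as authenticated data means a stored record copied onto another tenant's row fails to decrypt instead of silently forwarding requests with the wrong customer's key.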


Self-hosted

The self-hosted deployment runs the open-source Govyn proxy on your own infrastructure. It is fully functional without Govyn Cloud — no account required, no external dependencies, no data leaves your network.

Full control. You control the hardware, the network, the configuration, and the data. The proxy runs as a single Node.js process. Deploy it on a VM, in a Docker container, on Kubernetes, or on any platform that runs Node.js 18+. Configuration is a single YAML file. There is nothing to install beyond the govyn npm package.

Zero external dependencies. The self-hosted proxy requires no database, no Redis, no message queue, and no third-party services. It stores state in memory and writes logs to stdout or a file. This makes deployment trivially simple. Run npx govyn init to generate a config file, add your API keys, and run npx govyn start. Total setup time: under five minutes.

Complete data sovereignty. No telemetry, no phone-home, no usage reporting, no analytics callbacks. The proxy makes exactly one outbound connection per request: to the upstream LLM provider. Every request, response, log, and policy configuration stays on your servers. This is non-negotiable for teams with strict data residency requirements, air-gapped environments, or regulated industries.

MIT license. The self-hosted proxy is fully open source under the MIT license. You can inspect the source code, fork it, modify it, and redistribute it. There are no usage limits, no agent caps, no feature gates, and no time-limited trials. The source code is available on GitHub.

Same governance engine. The policy evaluation engine is identical in self-hosted and Cloud deployments. Budget limits, rate limits, model allowlists, loop detection, smart model routing, and content filtering all work the same way. Policies are YAML files — portable between deployment models.

# Self-hosted setup (complete)
npx govyn init          # Generate govyn.yaml
# Edit govyn.yaml: add API keys, define policies
npx govyn start         # Proxy running on localhost:4000

# Or with Docker
docker run -v ./govyn.yaml:/app/govyn.yaml -p 4000:4000 govynai/govyn

When to choose Cloud

Govyn Cloud is the right choice when you want governance without operational overhead. Specific scenarios where Cloud is the better fit:

Teams with multiple members. When more than one person needs to see agent costs, review activity, manage policies, or approve actions, the web dashboard is essential. The CLI works well for a single developer, but teams need shared visibility. Cloud provides that out of the box with role-based access control.

Production deployments. Production agents need reliable infrastructure with uptime guarantees, automatic failover, and incident response. Cloud provides 99.5% to 99.99% SLA depending on your plan. You do not need to set up monitoring, configure alerting, or maintain on-call rotations for your proxy infrastructure.

Compliance and audit requirements. Teams that need to demonstrate governance controls to auditors, compliance officers, or customers benefit from the dashboard's audit trail, session replay, and notification history. These provide documentary evidence that governance policies are in place and enforced.

No ops bandwidth. If your team does not have dedicated infrastructure engineers, Cloud eliminates an entire category of operational work. No server provisioning, no container management, no security patching, no capacity planning. This is especially valuable for small teams and startups where every engineer writes product code.

Advanced features. If you need approval workflows (human-in-the-loop for high-stakes agent actions), session replay (conversation-level debugging), anomaly detection (automated cost spike alerts), or RBAC (fine-grained team permissions), these are Cloud-only features available on Team and Enterprise plans.


When to choose self-hosted

Self-hosted deployment is the right choice when control and data sovereignty outweigh operational convenience.

Data sovereignty required. Regulated industries (healthcare, finance, government, defense) often require that data never leave a specific jurisdiction or network boundary. Self-hosted Govyn keeps everything — requests, responses, logs, policies, API keys — on your infrastructure. No data transits external servers.

Air-gapped environments. Networks that have no outbound internet access (except to the LLM provider) cannot use a cloud service. Self-hosted Govyn runs entirely within the network boundary. The only external connection is to the upstream LLM API, which you control.

Maximum control. If you need to customize the proxy behavior, inspect the source code, audit the security posture, or integrate with internal systems at a level deeper than APIs allow, self-hosted gives you full access. Fork the repo, modify the code, deploy your custom build.

Single developer or prototype. If you are a solo developer building a prototype, the self-hosted proxy with CLI-based policy management is the fastest path. No account creation, no onboarding flow, no credit card. Run npx govyn init and start building.

Cost-conscious teams. The self-hosted proxy is free. If you have existing infrastructure and ops capability, running the proxy yourself costs only the incremental VM or container resources — typically $5-20 per month. For teams with many agents and tight budgets, this can be significantly cheaper than a Cloud subscription.


Infrastructure costs comparison

Understanding the total cost of each deployment model requires looking beyond the sticker price. Cloud plans have a fixed monthly cost with everything included. Self-hosted has a $0 software cost but requires infrastructure and operational investment.

Govyn Cloud costs

Cloud pricing is simple: a fixed monthly fee that includes the proxy infrastructure, dashboard, database, log storage, monitoring, backups, and support. There are no per-request charges, no bandwidth fees, and no hidden costs. Starter is $29/month. Team is $99/month. Enterprise is custom pricing based on your requirements.

The only variable is the plan tier, which determines agent limits, log retention, and feature access. For most teams, $29-99/month for complete governance infrastructure is less than the cost of a single engineer-hour spent managing self-hosted infrastructure.

Self-hosted costs

Self-hosted software cost is $0. Infrastructure costs depend on your scale and requirements:

Break-even analysis

If your self-hosted infrastructure costs $15/month and you spend 2 hours per month on maintenance at $75/hour loaded cost, the effective monthly cost is $165 — more than the Team plan. If you have existing infrastructure and ops automation, the marginal cost of running the proxy might be close to $0, making self-hosted the cheaper option.

The break-even depends on three factors: whether you already have infrastructure you can use, whether you already have ops automation and monitoring, and how much your engineering time costs. Teams with mature DevOps practices lean self-hosted. Teams without lean Cloud.


Migration paths

Moving between deployment models is straightforward because policies are YAML files that work identically in both environments. No vendor lock-in, no proprietary formats, no migration tools required.

Self-hosted to Cloud

  1. Create a Govyn Cloud account at the dashboard and set up your organization.
  2. Import your policies. Copy your govyn.yaml policy definitions into the Cloud policy editor, or use the API to import them programmatically.
  3. Configure API targets. Add your LLM provider API keys through the dashboard's BYOK key management interface.
  4. Update agent configuration. Change each agent's base URL from your self-hosted proxy address to the Cloud proxy URL. Update the auth token to a Cloud-issued key.
  5. Verify. Send a test request through the Cloud proxy and confirm it appears in the dashboard activity feed.

You can migrate agents incrementally — move one agent at a time while keeping others on the self-hosted proxy. This lets you validate the Cloud setup without disrupting all agents simultaneously.

Cloud to self-hosted

  1. Export your policies from the dashboard as YAML. The export includes all policy definitions, budget limits, rate limits, and model restrictions.
  2. Deploy the self-hosted proxy. Run npx govyn init, paste your exported policies into the generated govyn.yaml, and add your provider API keys directly to the config file.
  3. Update agent configuration. Change each agent's base URL from the Cloud proxy URL to your self-hosted proxy address.
  4. Verify. Send a test request and confirm the proxy evaluates policies correctly.

Note that Cloud-only features (dashboard, session replay, approval queue, anomaly detection, RBAC) are not available in the self-hosted deployment. If you depend on these features, consider a hybrid deployment instead.


Hybrid deployment

Hybrid deployment routes some agents through Govyn Cloud and others through a self-hosted proxy. Both deployment models use the same YAML policy format, so you can share policy definitions across them. This gives you the flexibility to match each agent's deployment model to its requirements.

Common hybrid patterns:

Production on Cloud, development on self-hosted. Production agents route through Cloud for dashboard visibility, SLA guarantees, and team features. Development and staging agents route through a local self-hosted proxy for fast iteration, no cost, and complete isolation from production data.

Sensitive workloads on self-hosted, standard workloads on Cloud. Agents that handle PII, financial data, or classified information route through a self-hosted proxy in a controlled network. Other agents route through Cloud for convenience. Both enforce the same policies — only the deployment infrastructure differs.

Multi-region with Cloud as primary. Cloud handles most traffic with its managed infrastructure. A self-hosted proxy in a specific region handles agents that must stay within that region's network boundary for compliance. Policy files are version-controlled in git and deployed to both environments. Because the self-hosted govyn.yaml also holds provider API keys, commit only the policy definitions and keep the keys out of the repository.

Gradual Cloud adoption. Start with self-hosted to evaluate Govyn with zero commitment. As your team grows and needs dashboard visibility, approval workflows, or session replay, migrate agents to Cloud one by one. Keep the self-hosted proxy running for development or as a fallback.

# Same policy file works in both deployment models
# govyn.yaml (shared across self-hosted and Cloud)
policies:
  - name: daily-budget
    type: budget
    rule:
      limit: 50.00
      period: daily
      action: block

  - name: model-allowlist
    type: model_filter
    rule:
      allowed:
        - gpt-4o-mini
        - gpt-4o
        - claude-3-5-sonnet
      action: block

  - name: rate-limit
    type: rate_limit
    rule:
      max_requests: 100
      window: 1m
      action: block

In a hybrid setup, each agent only needs to know which proxy URL to call. The proxy handles everything else — policy evaluation, provider routing, cost tracking, and logging. Agents do not need to know whether they are talking to Cloud or a self-hosted instance.


Frequently asked questions

Can I switch from self-hosted to Govyn Cloud later?
Yes. Govyn policies are YAML files that work identically in both deployment models. To migrate from self-hosted to Cloud, create a Govyn Cloud account, import your YAML policies, configure your API targets (provider keys), and update your agents to point at the Cloud proxy URL. The migration can be done incrementally — move one agent at a time.
Can I switch from Govyn Cloud to self-hosted?
Yes. Export your policies from the dashboard as YAML, deploy the self-hosted proxy with those policies, and redirect your agents to the new proxy URL. Your policies are portable because they use the same YAML format in both environments. Note that Cloud-only features like session replay, approval queues, and anomaly detection are not available in the self-hosted version.
Is the self-hosted version truly free?
Yes. The self-hosted proxy is MIT licensed and free forever. There are no usage limits, no telemetry, no feature gates, and no time-limited trials. You pay only for your own infrastructure to run it — typically a small VM or container. The proxy has zero external dependencies: no database, no Redis, no third-party services.
What features are Cloud-only?
The web dashboard, session replay, approval queue, RBAC and team management, anomaly detection with configurable alerts, BYOK (bring your own key) management, SSO/SCIM (Enterprise), and email/priority/dedicated support. The core governance engine — policy evaluation, budget limits, rate limits, loop detection, smart model routing — works identically in both deployment models.
Does the self-hosted proxy require a database?
No. The self-hosted proxy runs as a single Node.js process with a YAML configuration file. It stores state in memory and logs to stdout/files. No database, no Redis, no message queue, no external services. This makes deployment trivial — a single Docker container, a systemd service, or even npx govyn start.
How does data residency work on Govyn Cloud?
By default, Govyn Cloud runs in US data centers. On the Enterprise plan, you can choose custom data residency regions. With self-hosted deployment, data never leaves your infrastructure — you have complete control over where data is stored and processed. For teams with strict data sovereignty requirements, self-hosted is the recommended deployment model.
Can I run a hybrid deployment?
Yes. You can route some agents through Govyn Cloud and others through a self-hosted proxy. Both use the same YAML policy format, so you can share policies across deployment models. This is useful for teams that want the Cloud dashboard for production agents but need self-hosted proxies for development, testing, or air-gapped environments.
What SLA does Govyn Cloud offer?
Starter plans include a 99.5% uptime SLA. Team plans include a 99.9% uptime SLA. Enterprise plans include a 99.99% uptime SLA with dedicated support and custom SLA terms. Self-hosted deployments have no SLA — uptime depends on your infrastructure and operations.
How much does self-hosted infrastructure cost?
The proxy is lightweight and runs on minimal infrastructure. A basic VM ($5-10/month on most cloud providers) handles thousands of requests per minute. You may also want monitoring (DIY or a managed service), log storage, and backup infrastructure. Total self-hosted cost typically ranges from $5-50/month depending on scale and monitoring requirements.
Does Govyn Cloud see my LLM API keys?
Yes, Govyn Cloud must hold your provider API keys to forward requests on behalf of your agents. Keys are encrypted at rest using AES-256-GCM and are never exposed through the API or dashboard (only a preview of the last 4 characters is shown). If key custody is a concern, self-hosted deployment keeps all keys on your own infrastructure.
