get-started
SaaS vs self-hosted
VaultTerm runs in two deployment modes from the same image — hosted SaaS with billing-catalog entitlements, or self-hosted on-prem with a signed offline license. Only configuration differs.
Updated Jun 23, 2026
VaultTerm ships as one product that runs in two deployment modes. The image is the same, the
features are the same; what differs is configuration — chiefly where the instance gets its
entitlements and where its keys live. The mode is selected with the DEPLOYMENT_MODE environment
variable.
The two modes
- SaaS (
DEPLOYMENT_MODE=saas) — we host and operate VaultTerm for you. Entitlements come from the billing catalog, and you start in minutes with nothing to run. - Self-hosted / on-prem (
DEPLOYMENT_MODE=onprem) — you run VaultTerm on your own infrastructure as a Docker Compose unit, including fully air-gapped. Entitlements come from a signed offline license file, and you hold your own keys.
Side by side
| Aspect | SaaS (saas) | Self-hosted / on-prem (onprem) |
|---|---|---|
| Who operates it | VaultTerm hosts and runs it | You run it on your infrastructure |
| How it runs | Hosted service | Docker Compose unit, air-gapped capable |
| Entitlements / plan tier | From the billing catalog | From a signed offline .vtlic license |
| Encryption keys | Managed for you | Your keys, in your own HSM |
| Network | Internet-connected | Your network, including no egress |
| Time to start | Fastest — nothing to install | Install once on your infrastructure |
| Image and features | Same | Same |
Which to choose
- Choose SaaS if you want the fastest start with no infrastructure to operate, and you are comfortable with a hosted service drawing entitlements from the billing catalog. See Billing and plans.
- Choose self-hosted / on-prem if you need the data and the keys to stay on your own infrastructure, need to run air-gapped, or have a regulatory reason to operate it yourself. Your encryption keys live in your own HSM, and entitlements come from a signed offline license rather than a network call. See Self-hosting overview and Licensing and activation.
What stays the same
Because both modes run the same image, you do not give up features by self-hosting. The audited access broker, envelope encryption, the tamper-evident audit trail, teams, roles, and JIT access all work identically in either mode — see Core concepts. Moving between modes is a configuration change, not a different product.
Where to go next
- Plan an installation in Self-hosting overview.
- Understand offline entitlements in Licensing and activation.