VPC and On-Premises Deployment Options
Parsewise is deployed as a managed cloud service by default. For enterprise customers with stricter data residency, network isolation, or regulatory requirements, Parsewise also supports VPC (Virtual Private Cloud) and on-premises deployment models. This page covers each option, the security controls available in each, and how to evaluate which model fits your organization.
Deployment Models
Parsewise offers three deployment models. Each provides the same platform capabilities: the Parsewise Data Engine, Navi, extraction agents, and the full API surface. The difference is where infrastructure runs and who manages it.
Cloud (Multi-Tenant)
The default deployment. Parsewise hosts and operates all infrastructure in its own cloud environment. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Customer data is logically isolated. No customer data is used to train models. A standard DPA is available for all customers.
This model suits teams that can operate under Parsewise’s standard security posture (SOC 2 Type II, GDPR compliant) without requiring dedicated infrastructure or network-level isolation.
VPC (Dedicated Tenant)
Parsewise deploys a dedicated instance within a cloud VPC, either in the customer’s own cloud account or in a Parsewise-managed account isolated to that customer. Network traffic stays within the VPC boundary, and no infrastructure is shared with other tenants.
VPC deployments support:
- Network isolation. All processing occurs within a defined VPC boundary. Ingress and egress rules are configurable per customer requirements.
- Regional hosting. Infrastructure can be provisioned in specific cloud regions to meet data residency obligations (see below).
- Customer-managed encryption keys. Available on request for customers requiring control over key management.
- Private connectivity. VPC peering or private link configurations to connect Parsewise to internal systems without traversing the public internet.
This model suits organizations that require dedicated infrastructure and network-level isolation but do not need to host software within their own data centers.
On-Premises
Parsewise deploys within the customer’s own data center or private cloud infrastructure. The customer controls the physical and network environment. Parsewise provides the software, configuration support, and ongoing updates.
On-premises deployments support:
- Full data sovereignty. All data, models, and processing remain within the customer’s physical infrastructure. No data leaves the premises.
- Air-gapped environments. Deployments that have no connectivity to the public internet, where required by policy or regulation.
- Integration with existing security stacks. Connects to the customer’s identity providers, logging systems, SIEM, and monitoring infrastructure.
This model suits organizations in highly regulated sectors (defense, certain government agencies, financial institutions with on-prem mandates) where cloud or VPC options do not satisfy internal policy.
Deployment Options Comparison
| Capability | Cloud (Multi-Tenant) | VPC (Dedicated) | On-Premises |
|---|---|---|---|
| Infrastructure operator | Parsewise | Parsewise or customer | Customer |
| Network isolation | Logical tenant isolation | Full VPC boundary isolation | Physical isolation |
| Data residency control | Parsewise-selected region | Customer-selected region | Customer-controlled |
| Encryption at rest | AES-256 (Parsewise-managed keys) | AES-256 (customer-managed keys available) | Customer-managed |
| Encryption in transit | TLS 1.2+ | TLS 1.2+ | TLS 1.2+ |
| SSO / SAML | Enterprise plan | Yes | Yes |
| Custom DPA | Standard DPA included; custom on request | Custom DPA | Custom DPA |
| Custom SLA | Standard | Custom | Custom |
| Air-gapped support | No | No | Yes |
| SOC 2 Type II | Yes | Yes | Shared responsibility |
| GDPR compliant | Yes | Yes | Yes (customer responsibility for physical controls) |
| Onboarding model | Self-serve or guided | White-glove | White-glove |
Regional Data Residency
Enterprise customers can select the geographic region where their Parsewise instance is hosted. Currently available regions:
- European Union (EU)
- United States (US)
- Additional regions on request
Regional data residency means all document storage, processing, model inference, and metadata remain within the selected region. This applies to both VPC and on-premises deployments. For the managed cloud tier, Parsewise operates within a defined region; customers requiring a specific region should contact sales to confirm availability.
Data residency is relevant for organizations subject to GDPR, Schrems II considerations, sector-specific regulations (e.g., BaFin, PRA, FINMA), or internal policies that restrict cross-border data transfer.
Authentication: SSO and SAML
Parsewise supports Single Sign-On (SSO) and SAML 2.0 authentication for enterprise customers across all deployment models.
- SAML 2.0 integration with identity providers such as Okta, Azure AD, Google Workspace, and other standards-compliant IdPs.
- Role-based access control. Map IdP groups to Parsewise roles to control who can access projects, documents, agents, and results.
- Centralized user provisioning. Manage Parsewise access through your existing identity infrastructure. No separate credentials to maintain.
SSO and SAML are available on Enterprise plans. Teams evaluating Parsewise can confirm IdP compatibility during the onboarding process.
Custom Agreements
Enterprise deployments include the option to negotiate custom legal and operational agreements.
Custom Data Processing Agreements (DPAs). The standard Parsewise DPA covers data handling, retention, sub-processors, and breach notification. Customers with specific regulatory requirements (financial services, healthcare, government) can negotiate custom DPA terms. Parsewise does not train on customer data under any agreement.
Custom Service Level Agreements (SLAs). VPC and on-premises customers can define SLAs covering uptime targets, incident response times, support escalation paths, and maintenance windows. SLA terms are documented as part of the enterprise contract.
White-glove onboarding. Enterprise deployments include dedicated onboarding covering use-case scoping, document package configuration, agent design and tuning, integration setup (API, auto-ingestion, DB connectors), and ongoing support via dedicated Slack channels, email, and phone.
Choosing a Deployment Model
The right deployment model depends on your organization’s regulatory requirements, internal security policies, and operational preferences.
Cloud (multi-tenant) is appropriate when your security and compliance team can work within Parsewise’s standard security posture (SOC 2 Type II, GDPR, AES-256 encryption, no-training-on-data policy, standard DPA) and does not require dedicated infrastructure or network-level isolation.
VPC (dedicated) is appropriate when you need network isolation, a specific hosting region for data residency, customer-managed encryption keys, or private connectivity to internal systems, but do not require on-prem hosting.
On-premises is appropriate when policy or regulation requires all data and processing to remain within your own physical infrastructure, including air-gapped environments with no public internet connectivity.
All three models provide the same Parsewise platform capabilities: the Parsewise Data Engine processing 25,000+ pages per run, Navi, configurable extraction agents, cross-document reasoning, full source attribution, and API access.