enterprise-deployment

SecureAI is a fully managed service hosted on Google Cloud Platform. For most organizations, no on-premises infrastructure is required -- you access SecureAI through a web browser, and your SecureAI team handles hosting, scaling, and maintenance.

This FAQ covers the infrastructure requirements for both the standard hosted deployment and optional self-hosted or hybrid configurations.

Standard hosted deployment (recommended)

With the standard deployment, SecureAI runs entirely on managed infrastructure. Your organization needs:

• Modern web browser -- Chrome, Firefox, Edge, or Safari (latest two major versions). No desktop client or browser plugin is required.
• Internet connectivity -- users need HTTPS access (port 443) to your SecureAI instance URL. If your organization uses a web proxy or firewall, allow outbound traffic to *.secureai.app (or your custom domain).
• Identity provider (optional but recommended) -- if you use SSO, your IdP (Okta, Azure AD, Google Workspace, Auth0) must be reachable from SecureAI. See Does SecureAI support Google, Microsoft, Okta, or Auth0 login? for setup details.

There is no server, database, or container infrastructure to provision on your side.

Network and firewall requirements

Organizations with restrictive network policies should allow:

Direction	Destination	Port	Purpose
Outbound	Your SecureAI instance URL	443 (HTTPS)	User access to the application
Outbound	Your identity provider	443 (HTTPS)	SSO authentication (if configured)
Inbound (optional)	Your SCIM endpoint	443 (HTTPS)	Automated user provisioning (if configured)

If you use IP allowlisting, configure your corporate egress IPs in the SecureAI admin panel to restrict access to approved networks.

Self-hosted model providers (optional)

Some organizations choose to run their own AI model providers (such as Ollama or vLLM) to keep prompts entirely within their network. If you use self-hosted models, you need:

• GPU-equipped server -- most LLMs require NVIDIA GPUs with sufficient VRAM. Requirements depend on the model:
  • 7B parameter models: 1x NVIDIA A10 or equivalent (24 GB VRAM)
  • 13B--30B parameter models: 1x NVIDIA A100 (40--80 GB VRAM)
  • 70B+ parameter models: multiple A100s or H100s
• Model hosting software -- Ollama, vLLM, or a compatible OpenAI-format API server.
• Network path -- SecureAI must be able to reach your model server's API endpoint over HTTPS. If your model server is behind a VPN or private network, you will need a secure tunnel or VPN peering with your SecureAI instance.

For setup instructions, see Adding Custom Model Providers.

On-premises deployment (Enterprise plan)

For organizations that require full control over the deployment environment, SecureAI offers an on-premises option on Enterprise plans. On-premises deployment requires:

Compute

• Kubernetes cluster (v1.27+) -- EKS, GKE, AKS, or self-managed. Minimum 3 nodes.
• Per-node minimum: 4 vCPUs, 16 GB RAM, 100 GB SSD.
• Scaling: additional nodes for larger user bases. Your account team will provide sizing guidance based on expected concurrent users.

Storage

• PostgreSQL 15+ -- managed (RDS, Cloud SQL, Azure Database) or self-hosted. Stores conversations, user data, audit logs, and configuration.
• Object storage -- S3-compatible storage (AWS S3, GCS, MinIO) for uploaded documents and knowledge-base files.
• Persistent volumes -- for Kubernetes pod storage (standard StorageClass with ReadWriteOnce support).

Networking

• Load balancer -- Layer 7 (ALB, Ingress controller, or equivalent) with TLS termination.
• DNS -- a domain or subdomain pointed at the load balancer.
• TLS certificate -- for HTTPS. Bring your own certificate or use cert-manager with Let's Encrypt.
• Outbound internet (optional) -- required only if using cloud-hosted AI model providers (OpenAI, Anthropic, Google). Not needed if using exclusively self-hosted models.

GPU infrastructure (if running models locally)

If your on-premises deployment includes self-hosted model inference, provision GPU nodes in your Kubernetes cluster. See the "Self-hosted model providers" section above for GPU sizing.

Hybrid deployment

Some organizations use a hybrid approach:

• SecureAI application runs on managed infrastructure (standard hosted deployment).
• AI model inference runs on-premises or in a private cloud, keeping prompts within the corporate network.

This gives you managed infrastructure for the application layer while maintaining data residency for model interactions. Contact your account team to configure VPN peering or private connectivity between SecureAI and your model servers.

How to deploy internally

1. Choose your deployment model -- hosted (default), on-premises, or hybrid. Most organizations start with hosted.
2. Configure SSO -- connect your identity provider so users can log in with existing credentials. See How to Configure OIDC SSO or How to Configure SAML SSO.
3. Set up network access -- update firewalls and proxy rules per the table above.
4. Add model providers -- connect to cloud AI providers or your self-hosted models. See Adding Custom Model Providers.
5. Provision users -- add users manually, via CSV import, or through SCIM provisioning. See User Management.
6. Configure security policies -- set up content filtering, data retention, and access controls. See Content Filtering and Safety Settings and Configuring Data Retention Policies.

For on-premises deployments, your account team provides a deployment guide, Helm charts, and configuration templates specific to your infrastructure.

Related articles

• Is SecureAI just OpenWebUI? -- what SecureAI adds on top of OpenWebUI
• How is data encrypted in SecureAI? -- encryption and data residency
• Adding Custom Model Providers -- connecting cloud and self-hosted models
• How to Configure OIDC SSO -- single sign-on setup
• Setting Up IP Allowlisting -- restricting access to approved networks