Three deployment shapes — managed in our AWS, BYOC in your AWS, or on-prem. Same engine, same UI, same SDKs. Single-tenant by default. Air-gapped if you need it.
Managed: We host it. Single-tenant AWS account per customer. SOC 2, HIPAA-ready, GDPR-aligned. Most teams start here and never leave.
BYOC: Nexus runs in your AWS account. Your VPC, your IAM, your KMS. We deploy and operate it via cross-account roles. You own the data plane completely.
On-prem: Helm chart, Postgres, Redis, S3-compatible storage, an LLM endpoint. Runs on any Kubernetes cluster — EKS, GKE, AKS, OpenShift, your data-center cluster.

| Component | BYOC (AWS) | Self-managed (K8s) |
|---|---|---|
| State store | RDS Postgres 14+ | Postgres 14+ |
| Event bus | SQS | NATS / Kafka / Redis Streams |
| Cache | ElastiCache Redis | Redis 6+ |
| Object storage | S3 | S3-compatible (MinIO, etc.) |
| Secrets | Secrets Manager | Vault / sealed-secrets / your KMS |
| Identity | Cognito + your IdP | OIDC / SAML 2.0 IdP |
| LLM | Bedrock (or any OpenAI-compatible) | Bedrock-VPC, Azure OpenAI, vLLM, Ollama, … |
| Compute | ECS Fargate or EKS | K8s 1.27+ |
| Egress | Optional | Optional (offline updates supported) |

Self-hosted isn't a stripped-down build. The same engine runs all three modes — same canvas, same agents, same MCP, same SDKs, same monitoring. The deploy target changes, the product doesn't.
@nexus/engine is the executor in all three modes. The graph format and run semantics are byte-identical.
Image-pull updates with semver guarantees. We support N-1 versions. Rollback is a single helm/CFN command.
Same response SLA tiers in all modes. Self-managed customers get a quarterly architecture review.
30 minutes with our deploy team. We walk through your AWS or K8s topology, identify the gaps, and write a deployment plan you can take to your security team.