We don't offer self-host. Here's what we offer instead.
Self-hosting Pro isn't on the menu today and probably won't be soon — Pro is built directly on Cloudflare's edge runtime (Workers, D1, KV, R2) and that architecture doesn't translate cleanly to a Docker-Compose-on-your-VPS install we could support without becoming a much bigger company. That's the honest answer. Below is what we offer to the security-conscious buyer who would normally reach for self-host first.
What you'd want self-host for, and what we substitute
Data never leaves my infrastructure
Substitute: minimum-data-by-design + per-region residency. Our scan schema stores only country (from CF-IPCountry) and device class — never IP, never user agent, never sub-day timestamps. There is no behavioral data to leak. For regulated buyers we also offer single-region D1 placement (EU-only / APAC-only) — see /security/.
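The minimization described above, sketched as an added example (not Abundera's code): a request is reduced to country, device class and a day-granularity date before anything is stored. The function names, the `codeId` field, the device-class labels and the sample headers are assumptions made for illustration.

```javascript
// Added example; every name here (toScanRecord, deviceClass, codeId) is hypothetical.
// Only an allow-listed set of coarse fields is ever built into the stored record.
const ALLOWED_FIELDS = ["codeId", "country", "deviceClass", "day"];

// Coarse device class derived from the User-Agent; the UA string itself is discarded.
function deviceClass(userAgent) {
  const ua = (userAgent || "").toLowerCase();
  if (ua === "") return "unknown";
  if (/bot|crawler|spider/.test(ua)) return "bot";
  if (/ipad|tablet/.test(ua) || (ua.includes("android") && !ua.includes("mobile"))) return "tablet";
  if (/mobile|iphone|ipod|android/.test(ua)) return "mobile";
  return "desktop";
}

// CF-IPCountry is set by Cloudflare at the edge; anything that is not a
// two-letter code is mapped to "XX" rather than stored verbatim.
function country(headers) {
  const value = (headers.get("CF-IPCountry") || "").toUpperCase();
  return /^[A-Z]{2}$/.test(value) ? value : "XX";
}

function toScanRecord(codeId, headers, now = new Date()) {
  const record = {
    codeId,
    country: country(headers),
    deviceClass: deviceClass(headers.get("User-Agent")),
    day: now.toISOString().slice(0, 10), // YYYY-MM-DD, no sub-day precision
  };
  // Fail closed if a later change adds a field outside the allow-list.
  for (const key of Object.keys(record)) {
    if (!ALLOWED_FIELDS.includes(key)) throw new Error(`unexpected field: ${key}`);
  }
  return Object.freeze(record);
}

// Constructed sample headers (documentation-range IP, made-up User-Agent).
const sampleHeaders = new Headers({
  "CF-IPCountry": "de",
  "CF-Connecting-IP": "203.0.113.7",
  "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148",
});
const sample = toScanRecord("code_123", sampleHeaders, new Date("2026-01-15T13:45:10Z"));
console.log(JSON.stringify(sample));
```

The allow-list check makes an accidental schema widening a hard failure instead of a silent new column.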
I want to hold the encryption keys
Substitute: Agency-tier add-on for per-tenant encryption keys. Today every tenant's data is encrypted at rest by Cloudflare; the optional add-on lets Agency customers supply a key we use to wrap a per-tenant DEK, so a Cloudflare-side breach yields ciphertext we can't decrypt without your key. (Roadmap; ETA Q3 2026.) The nightly D1 → R2 backup is already AES-256-GCM encrypted with a key you can rotate at any time — see backup key handling.
I need to audit every change
Substitute: shipped audit log + export. Every mutation (code create/edit/delete, team invite/role change, billing event) is recorded in audit_log with actor + timestamp + scope. The full log is exposed via GET /api/user/export as part of your data ZIP. Retention: 180 days rolling. Public-stats share-tokens have an independent revocation log.
I need data isolation per client
Substitute: Agency tier already isolates each team into its own scope (codes, scans, members, audit log). The Vault/Agency per-tenant D1 shard model (ADR-0010) splits each Agency-tier tenant onto a dedicated D1 database under the hood as soon as they cross a usage threshold — the API surface stays identical.
I need contractual data-handling commitments
Substitute: standard DPA + EU Standard Contractual Clauses available for all paying tiers. Sub-processor list is published at abundera.ai/legal/subprocessors/ with 30-day change notification. Custom Enterprise contracts (security questionnaire support, custom retention windows, contractual SLAs with financial credits) available — email enterprise@abundera.ai.
I need an SSO / SCIM integration
Substitute: on the roadmap (Q3 2026) for Agency + Custom Enterprise tiers. SAML 2.0 + SCIM 2.0 user provisioning. Today, Team and Agency use email-link invites with role-based access (owner / admin / member). Sign-in is delegated to abundera.ai's identity layer.
When self-host really is the right answer
Some buyers genuinely need self-host and we won't pretend otherwise:
- Air-gapped networks with no outbound internet.
- Specific regulators (some defense, some healthcare jurisdictions) that prohibit any third-party hosting regardless of contractual posture.
- Single-tenant infrastructure mandate from a procurement policy that doesn't accept logical isolation, only physical.
For those buyers, the right move today is the free static QR generator at qr.abundera.ai — it's a standalone HTML+JS bundle, runs entirely in the browser, makes zero outbound requests. Static codes can't be edited after print, but they also don't depend on us being online. That's the trade-off.
If your situation doesn't quite fit any of the above, email enterprise@abundera.ai — there's often a configuration of the substitute controls above that closes the gap.
Still think self-host is the only path?
Email enterprise@abundera.ai with the specific requirement that's blocking you. We answer everything; we'll tell you honestly if we can't meet it instead of pretending.