DEPLOYMENT

Your environment.
Your network. Your rules.

Three deployment models. Same platform, same UI, same governance, same evaluation. Cloud when speed matters. Hybrid when sensitive data has to stay put. On-premise when nothing leaves your perimeter - and not as a six-month special-case project, but as a documented deployment path with the same operational maturity as cloud.

Talk to us

Read the deployment docs

CLOUD

AgentX Cloud - all 5 layers managed

Agent · Knowledge · Execution · Deployment · Enterprise

CUSTOMER PERIMETER

Browser · API client

Fastest to go live. Managed by us.

HYBRID

Control plane (AgentX)

Data plane (Customer VPC)

Agent · Knowledge · Execution

CUSTOMER PERIMETER

VPC · IAM · KMS

Data stays. Processing moves. Best of both.

ON-PREM

CUSTOMER PERIMETER · DATACENTER / AIR-GAPPED

All 5 layers in customer perimeter

Agent · Knowledge · Execution · Deployment · Enterprise

Nothing leaves your network.

SHARED RESPONSIBILITY

Who manages what - explicitly.

Every deployment model has a different boundary. We document the boundary up front. No surprises during procurement, no ambiguity during incident response, no "I thought you handled that" moments at 2am.

PLATFORM

Layer

Cloud

Hybrid

On-Premise

Physical infrastructure

AgentX

Customer

Network infrastructure

AgentX

Customer

Operating systems

AgentX

Customer

Container runtime

AgentX

Co-managed

Customer

AgentX platform software

AgentX

AgentX (provided)

Customer (applied)

Software upgrades & patches

AgentX

AgentX (provided)

Customer (applied)

Data plane

AgentX

Customer

Control plane

AgentX

Customer

Monitoring infrastructure

AgentX

Co-managed

Customer

Backups

AgentX

Customer

Disaster recovery

AgentX

Co-managed

Customer

WORKSPACE

Layer

Cloud (AgentX-managed)

Hybrid

On-Premise

Workspace configuration

Customer

Agent design and configuration

Customer

Knowledge base content

Customer

Integration credentials

Customer

RBAC users and permissions

Customer

Business data

Customer

HITL workflow design

Customer

SSO / IdP integration

Customer

SECURITY

Layer

Cloud (AgentX-managed)

Hybrid

On-Premise

Compute & container runtime

AgentX

AgentX (provided)

Customer (applied)

Network infrastructure

Customer

Data-plane nodes

AgentX

Co-managed

Customer + AgentX

Control-plane nodes

Customer

BOUNDARIES IN MSA

The shared responsibility model is part of the master service agreement. Not a marketing summary — a contractual division.

Boundary changes are versioned

If responsibilities shift (e.g., customer takes over patching on hybrid), the change is documented and signed. No drift.

Incident escalation routes follow the boundary

Platform incidents follow AgentX runbooks. Operational incidents follow customer runbooks. Co-managed incidents have joint runbooks.

CLOUD

Managed by us. Fastest path to production

For most teams, cloud is the right starting point. We operate the platform on AWS, multi-region, with operational controls and monitoring in place. Your team manages the workspace, agents, integrations, and business data. You don't manage servers, patches, scaling, or backups.

Regions

US (us-east-1, us-west-2), EU (eu-west-1, eu-central-1), APAC (ap-southeast-1)

Data residency

EU-only or US-only on Cloud tier (Enterprise can pin specific regions)

Encryption

EU-only or US-only on Cloud tier (Enterprise can pin specific regions)

High availability

TLS 1.3 in transit, AES-256 at rest, AWS KMS for key management

Backups

Automated daily backups, retained per workspace policy

Scaling

Automatic horizontal scaling based on load

Updates

Continuous deployment by AgentX with no customer action required

Monitoring

24/7 platform monitoring with on-call rotation

✓ Customer doesn’t require data to stay within own infrastructure

✓ Standard cloud SaaS procurement model is acceptable

✓ IT team wants zero server management overhead

✓ Fastest time-to-deploy — live in days, not weeks

Security controls for cloud deployment detailed in Security →

HYBRID

Your data plane. Our control plane.

Hybrid is for organizations where sensitive data can't leave their infrastructure — but full on-premise operations would mean owning the entire runtime stack. We split the deployment: the agent runtime, knowledge base, and execution layer live in your VPC. The control plane (workspace management, evaluation orchestration, version management) is operated by us, communicating with your runtime over signed, encrypted channels.

Customer infrastructure required

Customer VPC — all agent data, knowledge bases, and run history stay in your environment

Deployment method

AgentX SaaS — orchestration, scheduling, and workspace management

Customer network

Outbound HTTPS only; mutually authenticated; signed payloads

Data residency

Kubernetes cluster in your VPC; minimum 4 nodes, sizing guide provided

LLM provider routing

Outbound 443 to AgentX endpoints only; no inbound ports required

Compatible with

Direct from your VPC to provider APIs or your private LLM endpoint

KMS

Signed OCI images pulled on schedule; rollback supported

IAM

Customer observability stack; AgentX exports OpenTelemetry metrics

Updates

Break-glass access via customer-approved session; full audit trail

Monitoring

Customer's existing observability stack (CloudWatch, Datadog, etc.)

✓ Data residency requirements mandate data stays in own environment

✓ Customer has cloud infrastructure team or willing partner

✓ Full on-prem isn't required (some external connections acceptable)

✓ Customer wants control over patching cadence

Platform architecture detail here ->

ON-PREMISE

Nothing leaves your perimeter.

On-premise isn't a marketing checkbox. It's a documented deployment path with the same operational maturity as cloud. Air-gapped environments supported. Self-hosted LLMs supported. Customer-operated with AgentX providing software packages, runbooks, and escalation support. Required for certain regulated environments — and we support it without making it a six-month project.

Deployment target

Bare-metal, VMware, OpenStack, or air-gapped Kubernetes

Network requirement

No outbound internet required; air-gap mode supported

Compute

Self-managed Kubernetes; bare-metal or VM; full sizing spec provided

Storage

Customer-managed; Postgres + S3-compatible object store required

LLM access

Private LLM endpoints or proxied external APIs; BYOM supported

Upgrades

Customer-controlled; signed OCI images; rollback to prior version supported

Monitoring

Customer-managed; OpenTelemetry export available; no mandatory call-home

Support access

Support tunnels via customer-controlled bastion host; no persistent access

Backups

Customer-managed; snapshot tooling and schedule documentation provided

✓ Regulatory requirement that data and processing stay on-prem

✓ Air-gapped network requirement

✓ Customer has datacenter / private cloud operational maturity

✓ Long-term operational independence preferred over managed convenience

INTEGRATIONS

We connect to what you already run.

Every enterprise process automation engagement requires integrating with the systems your team already uses. ERP. CRM. Helpdesk. Document sources. Storage. Communication. We work with what's already in place — no requirement to migrate to AgentX-preferred tooling.

ERP

Systems

SAP, Oracle, NetSuite, Microsoft Dynamics, Sage, Infor, custom in-house

Mechanism

Native MCP servers where available; API integration; database read access for read-heavy workflows

Common patterns

Document posting, GL coding, vendor master sync, invoice routing

CRM

Systems

Salesforce, HubSpot, Microsoft Dynamics, Pipedrive

Mechanism

MCP servers; OAuth-based API integration

Common patterns

Lead routing, customer data enrichment, account context for support agents

HELPDESK

Systems

Zendesk, Intercom, Freshdesk, HubSpot Service

Mechanism

API integration; webhook triggers for inbound; OAuth-based write access

Common patterns

Ticket classification, agent-drafted responses, escalation routing, knowledge retrieval

DOCUMENT SOURCES

Systems

Shared mailboxes (IMAP/Exchange), SFTP, vendor portals, scanners, document APIs

Mechanism

Direct connection where possible; polling for legacy systems; webhook for modern systems

Common patterns

Invoice intake, contract intake, document classification, OCR + structured extraction

STORAGE

Systems

SharePoint, Google Drive, Microsoft OneDrive, AWS S3, on-prem file shares (SMB/NFS)

Mechanism

Native connectors; OAuth for cloud; SMB/NFS for on-prem

Common patterns

Knowledge base sourcing, document archive, audit log export

COMMUNICATION

Systems

Slack, Microsoft Teams, WhatsApp Business, email (SMTP / Exchange), voice (Twilio, others)

Mechanism

Native channel apps; SMTP for email; webhook-based for custom platforms

Common patterns

HITL approval queues, customer-facing chat, escalation notifications, internal Q&A

✓ 1,000+ pre-built integrations via the MCP marketplace

✓ Custom integrations built during Stage 1 scope if neede

✓ Integration credentials managed in workspace credential vault — never exposed to agent context

Full integration catalogue ->

DATA RESIDENCY

Where your data lives. Documented.

Data residency requirements are increasingly common — GDPR, DORA, regional regulations, internal data classification policies. The deployment model determines residency options. The deployment plan documents exactly where each data class lives.

Data class

Cloud

Hybrid

On-Premise

Conversation history

AgentX region

Customer VPC

Customer

Knowledge base content

AgentX region

Customer VPC

Customer

Agent configuration

AgentX region

Customer VPC

Customer

Workspace metadata

AgentX region

Customer VPC (primary)

Customer

Audit logs

AgentX region

Customer VPC

Customer

Test datasets

AgentX region

Customer VPC

Customer

Eval results

AgentX region

Customer VPC

Customer

Embeddings

AgentX region

Customer VPC

Self-hosted

LLM provider data

Provider region

Provider/Customer

Customer

Integration credentials

AgentX vault

Customer vault

✓ EU residency available on Cloud (EU regions only)

✓ Full customer-controlled residency on Hybrid

✓ Complete on-prem residency on On-Premise

✓ LLM provider routing can be pinned to specific regions per provider (Anthropic EU, OpenAI EU, etc.)

AI governance & compliance framework ->

NETWORK

Network requirements your IT team can verify.

Documented inbound and outbound network requirements per deployment model. No surprises during firewall review. No "it might also need this port" conversations during go-live.

Cloud — Network from customer side

INBOUND (from customer)

HTTPS (443) to AgentX endpoint

WebSocket (443) for streaming connections

OUTBOUND (from agentx to customer

HTTPS to customer integration endpoints (configurable)

Webhook callbacks (configurable, optional)

CONNECTIVITY OPTIONS

Public HTTPS (default)

AWS PrivateLink / Azure Private Endpoint (on request)

IP allowlist available

Hybrid

INBOUND (to customer VPC)

No inbound ports required from AgentX

All traffic is customer-to-endpoint

OUTBOUND (from customer VPC)

HTTPS 443 to api.agentx.ai (control plane)

HTTPS 443 to LLM provider (customer-selected)

All outbound via customer-controlled egress

CONTROL CHANNEL

Mutually authenticated TLS 1.3

Signed JWT payloads; replay protection

Hostname: control.agentx.ai (single FQDN)

On-Premise

INBOUND

No inbound from AgentX — fully air-gapped supported

Client access via internal network only

OUTBOUND

None required (air-gapped default)

Optional: HTTPS 443 to on-prem LLM endpoint

Optional: telemetry opt-in (specific FQDN provided)

UPDATE DELIVERY

Signed tarball via secure file transfer

SHA-256 checksum + GPG signature on every package

Customer applies; rollback supported

OPERATIONS

Install. Upgrade. Patch. Scale. Monitor.

Day-two operations defined per deployment model. You know what changes, who owns it, and what the escalation path looks like before you go live.

Operational specifics by deployment model. The boring details that determine whether a deployment runs cleanly for two years or becomes an ongoing crisis.

Operation

Cloud

Hybrid

On-Premise

Initial install

Zero-touch; workspace created in <24h

Self-service signup

AgentX deploys to customer K8s; guided runbook

Co-deployed with customer infra team (typically 1-2 days)

Customer applies signed package; AgentX support on-call

Customer-deployed from runbook (typically 3-5 days)

Platform upgrades

Software upgrades

Automatic; maintenance window notified 7 days prior

Continuous
AgentX-managed

Signed image pull; customer-scheduled; rollback supported

AgentX provides signed updates; customer applies

Customer-applied package; GPG verified; rollback documented

Customer-applied from signed packages on customer schedule

Security patches

AgentX; critical patches <24h, standard 7-day window

Continuous

AgentX releases patch; customer applies within agreed SLA

Co-managed; AgentX provides; customer applies under SLA

Customer applies; AgentX provides CVE advisory + patch tarball

Customer-applied; AgentX provides patch advisories

Scaling

Auto-scaling; no action required

Automatic

Customer scales K8s nodes; AgentX provides sizing guide

Configurable in customer infra

Customer provisions hardware per sizing guide

Customer-managed capacity planning

Monitoring

AgentX observability stack; customer dashboard

AgentX 24/7

Customer stack; AgentX exports OTel metrics + alerts

Co-monitored; customer can hook own observability

Customer stack; diagnostic bundle on request

Customer monitoring stack; AgentX hooks available

Backups

AgentX automated; daily snapshot, 30-day retention

AgentX-managed
(daily)

Customer-managed; AgentX provides export tooling

Customer-managed (recommended daily)

Customer-managed; RPO/RTO TBD with delivery

Customer-managed (recommended daily)

Disaster recovery

AgentX-managed; RTO/RPO TBD with delivery

AgentX-managed; (RPO 24h, RTO 4h)

Customer DR plan; AgentX runbook provided

Customer DR plan (with AgentX runbook template)

Customer DR plan; offline restore procedure documented

Customer DR plan (with AgentX runbook template)

Support access

S upport escalation

TAM + SRE on-call; shared Slack channel

AgentX 24/7
on-call

Break-glass session; audited; customer-approved

AgentX engineering on call for platform issues

Offline diagnostic bundle; optional VPN session

AgentX engineering on call for platform issues

SIGNED UPDATE PACKAGES

Update packages signed and verified

You control what runs in your environment

Every update — cloud, hybrid, or on-prem — ships as a signed package. GPG signature and SHA-256 checksum on every release. Verify before you apply.

All software updates delivered as signed packages. Customer can verify signatures before applying.

DOCUMENTED UPGRADE PATHS

Documented upgrade paths

No surprise migrations

Every version bump has a documented upgrade path, rollback procedure, and compatibility matrix. We don’t drop breaking changes without a migration guide and a minimum 90-day notice window.

Every version has a documented upgrade path from the prior LTS version. No skip-version surprises.

DEFINED ESCALATION ROUTES

Defined escalation routes

You always know who to call

P1 incidents have a direct pager to the on-call SRE. P2/P3 go through your TAM. Escalation SLAs are documented in the MSA and verified during onboarding.

Customer support contacts, AgentX support contacts, severity definitions — documented in MSA. Not improvised when something goes wrong.

SLA & SUPPORT

Commitments documented in the MSA. Not the marketing page.

What we commit to, what support looks like, and what you can hold us to. All in writing before you sign.

SLAs vary by tier and deployment model. Marketing-grade uptime numbers don't mean much without the underlying contractual definitions. Here's the framework. Specific numbers are in the MSA — and we'll walk through them in the procurement conversation.

What we commit to (Enterprise tier)

Availability

Cloud uptime

TBD with delivery / legal — documented in MSA before signature

SLA-grade target with credit-back commitment in MSA

Incident response

Hybrid platform availability

P1: 30-min acknowledgement; P2: 4h; P3: next business day

SLA on AgentX control plane availability

Maintenance windows

Incident Notification

7-day advance notice; customer-agreed scheduling for P1 ops

Within timelines aligned to DORA and standard breach notification expectations (referenced in Security and AI Governance pages)

Data export

Support response

On-demand export of all customer data in standard formats

P1 / P2 / P3 / P4 severity-based response time commitments

Uptime reporting

Software update cadence

Monthly report + public status page; historical incident log available

LTS releases with defined support windows

Service credits

Security patch SLA

Automatic credit for availability breaches; no claim filing required

Critical / High / Medium / Low severity-based deployment timelines

What support looks like

Named TAM

Designated technical account manager

Dedicated Technical Account Manager from day 1; attends your weekly ops review

on Enterprise tier

Shared Slack channel

Dedicated Slack / Teams channel

Direct line to AgentX engineering during business hours; async coverage outside

with AgentX engineering and customer success

SRE on-call

Weekly delivery review

24/7 on-call rotation for P1 incidents; escalation path to engineering lead

during initial deployment phase

Onboarding

Monthly operational review

Structured 30-day onboarding; includes network validation, runbook walkthrough, and first agent deploy

post-deployment, transitioning to quarterly after stability

Quarterly business review

Customer success manager\

TAM-led QBR; covers platform health, upcoming roadmap, and open items

for non-technical escalations and renewal cycle

Security questionnaire support

Engineering escalatio

Direct answers from engineering; no sales filter; response SLA in MSA

via TAM for production-impact issues

Roadmap input

Runbook library

Enterprise customers get direct input into quarterly roadmap; blockers escalated to product

customer-accessible runbooks for common operational scenarios

Specific SLA percentages (availability, RTO, RPO) are TBD with delivery and legal, and will be documented in your MSA before signature. Numbers on this page are illustrative of the support model, not contractual commitments until countersigned.

Specific SLA percentages, response times, and credit-back terms are documented in the master service agreement and may vary by tier, deployment model, and engagement scope. We don't publish marketing-grade SLA numbers on this page because the underlying contractual definitions matter more than the headline percentage.

EXIT

How you leave. Documented up front.

Exit terms are in the MSA before you sign. We don't make leaving hard — your data is yours, your configuration is yours, and the transition period is defined.

DORA requires it. Procurement requires it. Common sense requires it. Every engagement comes with a documented exit strategy — data return, configuration export, transition support, contract terms. The exit plan exists before you sign, not after you decide to leave.

DATA RETURN

All customer data — run history, knowledge bases, embeddings, agent configurations, and audit logs — exported in standard formats (JSON, CSV, Parquet) within 30 days of termination. Secure transfer method agreed in exit plan. AgentX-held copies purged within 30 days of confirmed receipt, with written confirmation.

All customer data exported in standard formats: knowledge base content (PDF, JSON, original formats), conversation history (JSON, CSV), audit logs (JSON, CEF), agent configurations (JSON, YAML), evaluation results (PDF, JSON). Export delivered within SLA defined in MSA.

CONFIGURATION EXPORT

Agent definitions, workflow configurations, integration mappings, and prompt templates exported as version-controlled YAML/JSON. Compatible with standard workflow tools to reduce re-build effort. API access maintained for 90 days post-termination for migration purposes.

Agent definitions, workflows, integration configurations, RBAC settings, HITL rules — all exportable as structured files. Reconstructable in a successor system (with reasonable engineering effort — not "click to migrate to competitor X" guarantees, because that depends on the competitor).

TRANSITION SUPPORT

90-day transition period (TBD with delivery) included in Enterprise exit terms. TAM remains point of contact through transition. Read-only access to platform maintained during migration window. Architecture documentation and integration specs provided to successor team.

Up to 90 days of transition support after termination notice, included in Enterprise tier. Includes: read-only access to historical data, documentation of running workflows, transition consultations with successor vendor or in-house team, runbook handover.

CONTRACT TERMS

Exit provisions are in the MSA before signature, not negotiated at termination. Data portability, purge timeline, transition period length, and post-termination API access window are all documented. No lock-in clauses, no data hostage provisions.

Exit-related provisions in MSA cover: notice periods, data retention after termination, data destruction certificates, indemnification for transition cooperation, last-mile data return obligations. Reviewed by procurement before signature — no surprises later.

The other enterprise deep dives.

Deployment is one of four enterprise pillars. The others cover delivery model, security controls, and AI-specific governance.

AI governance & compliance framework at /enterprise/ai-governance

DORA-aligned exit provisions detailed in here ->

HOW WE WORK

How We Work →

Our delivery model, scoping process, and what the first 90 days look like. How we work with enterprise IT teams from evaluation through production.

See process →

HOW WE WORK

How We Work →

Four-stage delivery model. Deployment is Stage 3, and the runbook differs by deployment model.

See process →

SECURITY

Security →

Encryption, access control, AI-native security primitives, audit trail, and what we certify. The full control matrix your security team wants to read.

See security →

SECURITY

Security →

The security controls for each deployment model. Encryption, access control, audit, AI-native primitives.

See security →

GOVERNANCE

AI Governance →

GDPR, DORA, and AI Act readiness. Model governance, human-in-the-loop controls, and the compliance framework for regulated industries. (Page coming soon.)

See governance →

GOVERNANCE

AI Governance →

The governance controls that operate regardless of deployment model. Model risk, explainability, regulatory alignment.

See governance →

READY FOR THE INFRASTRUCTURE CONVERSATION?

Bring your IT lead. We'll bring the architecture diagrams.

A 45-minute call. We'll walk through which deployment model fits your environment, what the network and integration requirements look like for your specific setup, and what your team would need to provide for hybrid or on-prem. We bring reference architectures. You bring your environment constraints. We match them.

Talk to us

Browse all integrations →

Start Your AI Automation Journey Today

Get Started - Free

View Pricing

Your environment. Your network. Your rules.