Sovereign cloud vs SaaS for AI annotation — when each makes sense
The four deployment models in detail
Model 1: Multi-tenant SaaS
What it is: vendor operates the platform; multiple customers share infrastructure with logical tenant isolation; vendor holds keys + has operational access.
Typical cost: lowest unit cost. Volume discounts apply.
Onboarding time: 24-48 hours from contract.
Compliance ceiling: GDPR baseline. SOC 2 (with caveats). NOT suitable for PDPL-restricted categories (KSA health, biometric, gov data). NOT suitable for HIPAA without BAA. NOT suitable for government classified.
Best for:
- General-purpose AI startups
- Non-PII or anonymised data
- Pre-Series-A teams with tight budget
- Public-domain or synthetic data corpora
Worst for:
- KSA-resident PII processing
- EU GDPR-bound regulated industry data
- US HIPAA-bound health data
- Government classified workloads
Model 2: Customer-VPC SaaS (single-tenant)
What it is: vendor deploys platform instance into customer’s VPC (AWS / Azure / GCP); customer holds network perimeter; vendor still operates platform + holds some operational access.
Typical cost: 1.5-2.5x multi-tenant SaaS unit cost.
Onboarding time: 1-3 weeks.
Compliance ceiling: GDPR + most PDPL workloads. SOC 2 with audit. HIPAA with BAA. Government cleared workloads require additional controls.
Best for:
- Mid-market enterprise with cloud-first IT
- GDPR-bound EU customers
- Healthcare with HIPAA BAA in place
- Financial services with sector regulator approval
- AI startups graduating from SaaS to enterprise
Worst for:
- Air-gapped / classified workloads
- Customers without cloud expertise
- Workloads under $100K/year (the overhead doesn’t justify it)
Model 3: Sovereign tenancy
What it is: full platform deployment in customer’s cloud account; customer holds keys via their KMS; vendor has zero independent access; customer + vendor split operational responsibility per agreement.
Typical cost: 2-4x multi-tenant SaaS unit cost.
Onboarding time: 2-6 weeks.
Compliance ceiling: PDPL-restricted categories (KSA health, biometric, government). HIPAA with BAA + customer-managed keys. EU GDPR. UAE TDRA. Egypt NTRA. Most government workloads except classified.
Best for:
- KSA buyers under PDPL Article 29 (cross-border restriction)
- Healthcare with sensitive patient data
- Foundation-model labs protecting IP + training data
- Government non-classified workloads
- Sensitive financial workloads
- Customers with sovereign data policy
Worst for:
- Customers without cloud capability
- Air-gapped requirement (use on-premise instead)
- Very small workloads (<$200K/year)
Model 4: On-premise
What it is: platform installed on customer’s own infrastructure in customer’s facility. No internet. No vendor access. Customer holds everything.
Typical cost: 3-6x multi-tenant SaaS unit cost (one-time + ongoing).
Onboarding time: 4-12 weeks.
Compliance ceiling: classified government. Defense. Intelligence. Air-gapped sovereign. Maximum restriction.
Best for:
- Government classified workloads
- Defense + military
- Intelligence services
- Critical infrastructure with air-gap requirement
- Customers with sovereign data policy + no cloud trust
Worst for:
- Cloud-first customers
- Small workloads
- Customers without internal IT capability to run + maintain
Decision framework
Step 1: What’s your regulatory exposure?
| Regulation | Recommended deployment |
|---|---|
| None / public-domain data | Multi-tenant SaaS |
| GDPR | Customer-VPC SaaS (EU region) |
| GDPR + sensitive category | Sovereign tenancy (EU) |
| US HIPAA | Customer-VPC SaaS + BAA, or sovereign |
| KSA PDPL non-restricted | Customer-VPC SaaS (KSA region) |
| KSA PDPL restricted | Sovereign tenancy or on-premise |
| KSA government non-classified | Sovereign tenancy |
| KSA government classified | On-premise air-gapped |
| Defense / intelligence | On-premise air-gapped |
Step 2: What’s your data sensitivity?
| Data type | Recommended deployment |
|---|---|
| Public domain | Multi-tenant SaaS |
| Anonymised PII | Multi-tenant SaaS or customer-VPC |
| Identifiable PII | Customer-VPC or sovereign |
| Health PII (PHI) | Sovereign + BAA + customer-managed keys |
| Biometric (face, voice, fingerprint) | Sovereign or on-premise |
| Financial PII | Customer-VPC or sovereign |
| Sensitive financial (private banking, trade) | Sovereign |
| Trade secrets / FM IP | Sovereign or on-premise |
| Government internal | Sovereign or on-premise |
| Government classified | On-premise air-gapped |
Step 3: What does your customer’s customer prefer?
For B2B AI vendors, your customer’s customer often dictates:
- “We require sovereign tenancy” — most KSA government + healthcare + sovereign customers
- “We require on-premise” — defense, classified, some critical infrastructure
- “Multi-tenant SaaS is fine” — most US/EU startups + mid-market
- “Customer-VPC SaaS preferred” — enterprise with cloud-first IT
Listen to the customer’s customer; align deployment.
Step 4: What’s your acceptable cost?
Order-of-magnitude cost multiplier (vs multi-tenant SaaS baseline):
| Model | Multiplier | Reason |
|---|---|---|
| Multi-tenant SaaS | 1x | Shared infrastructure |
| Customer-VPC SaaS | 1.5-2.5x | Dedicated tenant, vendor still operates |
| Sovereign tenancy | 2-4x | Customer cloud + customer keys + dedicated ops |
| On-premise | 3-6x (plus customer infra cost) | Full isolation + customer operates |
The cost gap is real. But for the workloads that need sovereign or on-premise, the cost is non-discretionary.
Common decision mistakes
Mistake 1: Under-deploying (using SaaS when sovereign required)
PDPL-restricted KSA data on US-hosted SaaS = direct regulatory exposure. Saving money on the deployment can cost 100x in fines + reputational damage.
Mistake 2: Over-deploying (using on-premise when SaaS would suffice)
Public-domain data on air-gapped on-premise = unnecessary cost + slow onboarding + restricted iteration. Use what the regulation + sensitivity actually demand.
Mistake 3: Treating deployment as a one-time decision
Workloads evolve. A startup that begins on multi-tenant SaaS may need to graduate to sovereign as it adds enterprise + government customers. Plan for the migration path.
Mistake 4: Choosing on price alone
Cheapest deployment that doesn’t meet compliance = invalid choice. Choose on compliance + sensitivity first; price-optimise within the valid options.
Mistake 5: Ignoring the customer’s customer
Your customer might be willing to use SaaS, but their customer (a KSA government buyer, an EU patient, a US Fortune-500 with strict supply-chain compliance) might not. Anchor on the downstream regulatory exposure.
What Annota8 is designed to support
All four deployment patterns are scoped per engagement. The default position, and what each pattern involves on the customer side:
- Multi-tenant SaaS — default, fastest, lowest unit cost
- Customer-VPC SaaS — single-tenant in customer’s AWS / Azure / GCP
- Sovereign tenancy — full customer-cloud deployment with customer-managed keys (scoped per engagement)
- On-premise — air-gapped installation in the customer’s facility, where the customer’s security team owns the runtime environment
Not every pattern is implemented out of the box today; sovereign and on-premise patterns are scoped, designed, and delivered against the customer’s specific environment. Talk to us about your deployment posture rather than assuming a tier from this list is shrink-wrapped.
See sovereign deployment + on-premise deployment for operational detail.