Deployment Options

Fluvial runs on your infrastructure or ours. Docker containers, PostgreSQL database, full control.

Your Infrastructure or Ours

Fluvial is usually deployed as Docker containers. You can deploy on your own servers or use our cloud hosting. Most consultancies handling sensitive client data choose their own infrastructure.

What Gets Deployed

A complete Fluvial deployment consists of:

  • Application container - Python application server (using Granian for HTTP)
  • PostgreSQL database - Client data, assessments, documents, audit logs
  • Dagu orchestration - Workflow scheduling and automation tasks
  • GraphQL service - Specialist Go application for complex queries
  • Caddy reverse proxy (optional for on-premises) - TLS termination and HTTP routing

C4Container

    System_Ext(external, "External Systems", "APIs, webhooks")
    Person(users, "Users", "Consultants, clients, vendors")

    Container_Boundary(fluvial, "Fluvial Deployment") {
        Container(caddy, "Caddy", "Reverse Proxy", "TLS, routing")
        Container(app, "Application", "Python/Granian", "Business logic, API")
        Container(graphql, "GraphQL", "Go", "Complex queries")
        Container(dagu, "Dagu", "Orchestration", "Workflows, automation")
        Container(postgres, "PostgreSQL", "Database", "")
    }

    Rel(users, caddy, "HTTPS", "")
    Rel(caddy, app, "HTTP", "")
    Rel(external, caddy, "HTTPS", "Webhooks in")
    Rel(app, graphql, "HTTP", "Query data")
    Rel(app, dagu, "HTTP", "Trigger workflows")
    Rel(app, postgres, "SQL", "")
    Rel(graphql, postgres, "SQL", "")
    Rel(dagu, postgres, "SQL", "")
    
    UpdateLayoutConfig($c4ShapeInRow="3", $c4BoundaryInRow="1")

All components run as standard Docker containers. No proprietary infrastructure. No vendor lock-in.

For on-premises deployments, you can use your existing reverse proxy infrastructure (nginx, Apache, HAProxy) instead of Caddy, or your existing PostgreSQL servers. We include both in our reference deployment for convenience—Caddy handles TLS certificates automatically—but neither is required.

On-Premises Deployment

Deploy on your own servers when:

  • Client contracts require data residency in specific jurisdictions
  • Your firm maintains its own security-cleared infrastructure
  • You need complete control over access, backups, and disaster recovery
  • Regulatory requirements prohibit cloud hosting

What You Need:

  • Docker-compatible infrastructure (Linux servers, Kubernetes cluster, or similar)
  • PostgreSQL 14 or later (or use our containerised version)
  • Network access control (internal only, VPN, or public with authentication)
  • Standard backup procedures for PostgreSQL databases

What You Control:

  • Exact server locations and jurisdictions
  • Network security policies
  • Backup retention and encryption
  • Access logging and audit procedures
  • Integration with your existing identity management

We provide the Docker images. You manage the infrastructure. Updates ship as new container versions, and you control when to install them.

Cloud Deployment

Use our cloud hosting when:

  • You want to start quickly without infrastructure setup
  • Your firm doesn’t maintain internal server infrastructure
  • Client data sensitivity permits cloud storage
  • You need someone else to handle security patches and updates

Our cloud deployment runs the identical containers. The application is the same. Only the infrastructure management differs.

What We Handle:

  • Server provisioning and scaling
  • Security updates and patches
  • Database backups and redundancy
  • TLS certificates and network security
  • Monitoring and uptime management

What You Control:

  • User access and permissions
  • Data content and retention
  • Integration configuration
  • Workflow definitions and business rules

Data isolation between clients is architectural—not procedural. Each client’s data exists in separate database schemas with enforced access boundaries.

Hybrid Approaches

Some firms run both:

  • Cloud hosting for pilot projects and demonstrations
  • On-premises for production client work
  • Cloud for public-facing vendor portals, on-premises for client assessment databases

The application is identical. Data can migrate between deployments using standard PostgreSQL tools.

Public Response Collection with Private Data Storage

A common pattern: your assessment database stays on-premises behind corporate firewalls, but vendors and respondents need convenient public access to submit questionnaire responses.

The approach:

  1. Publish questionnaires to cloud - Export questionnaire structures from your on-premises deployment and publish them to our SaaS infrastructure
  2. Respondents use public URL - Vendors access the questionnaire through a standard HTTPS URL, no VPN required
  3. Responses remain in cloud temporarily - Submitted answers stay in the cloud deployment only as long as needed for collection
  4. Import to on-premises - Pull completed responses into your on-premises system via API or export
  5. Cloud data deleted - Once imported, remove the cloud copy if required by data policies

Benefits:

  • Assessment database stays within your infrastructure and jurisdiction
  • Respondents don’t need VPN access or security clearance
  • No firewall configuration to expose internal systems
  • Vendor experience matches modern SaaS expectations
  • You control when and what data moves between deployments

How it works technically:

The API provides endpoints to export questionnaire definitions and import response data. A typical workflow:

flowchart LR
    A[On-Premises Server] -->|1. Export questionnaire| B[Questionnaire JSON]
    B -->|2. Import structure| C[Cloud Deployment]
    D[Vendor/Respondent] -->|3. Submit responses| C
    C -->|4. Export responses| E[Responses JSON]
    E -->|5. Import responses| A
    A -->|6. Optional: Delete| C

Alternatively, configure automated synchronisation using Dagu workflows that check for completed responses and import them on a schedule.

Data governance:

  • Only questionnaire structure and responses transfer—your reference databases and analysis stay on-premises
  • You decide retention policy for cloud copies (delete immediately after import, retain for audit, etc.)
  • Response data includes complete audit trail showing when submitted and imported
  • Access controls ensure only authorised staff can export/import between deployments

This approach suits consultancies where:

  • Client data must stay within controlled infrastructure
  • Vendor assessment processes involve external parties without security clearance
  • Regulatory requirements prevent storing responses in cloud permanently
  • You want the convenience of cloud access without full cloud data residency

Technical Requirements

Minimum specifications for on-premises deployment:

  • 4 CPU cores (8 recommended for multiple concurrent assessments)
  • 8GB RAM (16GB recommended)
  • 5GB storage plus database growth (varies by assessment volume)
  • PostgreSQL 14+ (we provide containerised version if needed)
  • Docker 20.10+ or equivalent container runtime

Network requirements:

  • HTTPS access for users (internal network or internet-facing)
  • Outbound access if using external integrations (cyber ratings, webhooks)
  • PostgreSQL port access between containers (internal only)
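
A check for the "internal only" requirement above, as an added example that is not part of Fluvial's tooling or documentation: it reads a Compose configuration in the JSON form produced by `docker compose config --format json` and reports any service other than the reverse proxy that publishes a host port, and any network attached to the database that is not marked `internal`. The service names are taken from the diagram on this page; the network names and the sample configuration are constructed for illustration.

```python
import json

# Constructed sample in the shape of `docker compose config --format json`.
# Service names follow the page's diagram; the network names are assumptions.
SAMPLE = json.loads("""
{
  "services": {
    "caddy":    {"ports": [{"target": 443, "published": "443", "protocol": "tcp"}],
                 "networks": {"edge": null, "backend": null}},
    "app":      {"networks": {"backend": null}},
    "graphql":  {"networks": {"backend": null}},
    "dagu":     {"ports": [{"target": 8080, "published": "8080", "protocol": "tcp"}],
                 "networks": {"backend": null}},
    "postgres": {"ports": [{"target": 5432, "published": "5432", "protocol": "tcp"}],
                 "networks": {"edge": null, "backend": null}}
  },
  "networks": {"edge": {}, "backend": {"internal": true}}
}
""")


def audit(config, proxy="caddy", database="postgres"):
    """Return findings where the config departs from the described layout."""
    findings = []
    networks = config.get("networks") or {}
    for name, svc in sorted((config.get("services") or {}).items()):
        # Only the reverse proxy should publish ports on the host.
        if name != proxy:
            for port in svc.get("ports") or []:
                findings.append(f"{name}: publishes host port {port.get('published')}"
                                f" -> {port.get('target')}")
        # The database should sit only on networks marked internal.
        if name == database:
            for net in sorted(svc.get("networks") or {}):
                if not (networks.get(net) or {}).get("internal"):
                    findings.append(f"{name}: attached to non-internal network '{net}'")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```
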

Scaling:

  • Application containers scale horizontally (add more instances)
  • Database scales vertically (larger server) or via PostgreSQL replication
  • Typical consultancy deployment serves 50-200 concurrent users on modest infrastructure

Security Considerations

On-premises advantages:

  • Physical control over servers
  • Integration with existing corporate authentication (LDAP, Active Directory, SAML)
  • Network isolation within your security perimeter
  • Audit logs stored within your infrastructure
  • Backup encryption using your own key management

Cloud advantages:

  • Professional security operations team
  • Automated security patching
  • Distributed infrastructure and redundancy
  • SOC 2 Type II compliance (our hosting)
  • Regular penetration testing

Both deployment models support:

  • TLS encryption for all connections
  • Role-based access control within the application
  • Complete audit trails of data access and changes
  • Regular security updates (you control timing for on-premises)

Data Sovereignty

Where your data lives matters for regulatory compliance and client contracts.

On-premises: Data resides exactly where you place the servers. UK servers keep data in the UK. Swiss servers keep data in Switzerland. You control jurisdiction completely.

Cloud: Our hosting uses European data centres by default. Other regions are available for clients with specific requirements. Data never crosses defined boundaries.

Both models maintain complete client data isolation. Client A cannot access Client B’s data through any combination of application features or API calls.

Migration and Portability

Your data isn’t trapped:

  • PostgreSQL database exports to standard SQL dumps
  • Documents export as files with metadata
  • API access to all structured data
  • No proprietary data formats

Move from cloud to on-premises (or reverse) using standard database migration tools. Move from Fluvial to another system by exporting via API or database access.

We don’t hold data hostage. The application is valuable because it’s useful, not because extraction is difficult.

Support and Updates

On-premises deployments:

  • New container images released monthly (security) and quarterly (features)
  • You control when to deploy updates
  • Technical support for deployment issues
  • Access to documentation and deployment guides

Cloud deployments:

  • Security updates applied within 48 hours
  • Feature updates deployed during scheduled maintenance windows
  • Guaranteed uptime SLA
  • Incident response and troubleshooting included

Both models include access to API documentation, integration support, and workflow configuration assistance.

Getting Started

To evaluate on-premises deployment:

  1. We provide test Docker images and deployment documentation
  2. Your infrastructure team deploys to a test environment
  3. Validate integration with your systems (authentication, backups, monitoring)
  4. Pilot project with real assessment data
  5. Production deployment when satisfied

To use cloud hosting:

  1. Account provisioning (hours, not days)
  2. User access configuration
  3. Begin building assessments immediately

Most consultancies start with cloud hosting for evaluation, then choose a deployment model based on client requirements and internal capabilities.

Cost Implications

On-premises:

  • Infrastructure costs (servers, storage, network)
  • Internal staff time for deployment and maintenance
  • Your backup and disaster recovery procedures
  • Control over total cost

Cloud:

  • Predictable monthly fee per user or project
  • No infrastructure management overhead
  • Included backups and redundancy
  • Cost scales with usage

Neither model requires expensive professional services for initial deployment. Both use standard technologies your infrastructure team already understands.


Fluvial gives you deployment choice because client requirements differ. Consultancies working with defence contractors may need air-gapped infrastructure. Firms assessing consumer technology vendors may find cloud hosting perfectly adequate. The application remains identical; only the infrastructure changes.