Main section
Cloud or On-Premises?
Find the right CLM deployment
Answer a few quick questions and we'll point you to the deployment model that fits your environment - and then connect you with the right next step.
CLM Deployment Selector
Answer a few quick questions
Question 1
Does your organisation already have a deployment strategy for security services?
Question 2
Can your internal systems reach an external cloud service?
A CLM in the cloud needs your internal systems to reach it via agent or REST API. Fully air-gapped networks cannot.
Question 3
Do you need the CLM to integrate with internal systems, and does your network policy allow that access?
Integrations (LDAP/AD, ITSM, CMDB) let the CLM trigger workflows in your internal systems, which needs the CLM to reach them.
Question 4
Does your environment require certain certifications or audit standards for cloud services?
Some sectors need specific certifications for the systems that handle their data.
Recommended: On-Premises
- Deployed inside your own infrastructure; credentials never leave your perimeter
- Direct in-perimeter reach to LDAP/AD, F5 and ITSM/CMDB systems
- Suited to air-gapped networks and strict integration policies
- Operated by you, inside your own infrastructure; private PKI supported
Recommended: Cloud (SwissSign-hosted)
- Application-as-a-Service on Evertrust Horizon, hosted in Switzerland by SwissSign
- Fastest to start: nothing to deploy, maintenance handled by SwissSign
- Reaches internal systems via agents/connectors where needed
- Sensitive data protected by HSM-backed KMS at SwissSign
| Cloud (SwissSign-hosted) | On-Premises | |
|---|---|---|
| Recommended for | No fixed on-premises requirement; internal systems can reach the cloud; no integration blocked by network policy; no certification constraint on cloud services | On-premises mandated by strategy; air-gapped network; internal integration your policy won't permit from outside; or certification requirements for cloud services |
| Who operates it | SwissSign (Application-as-a-Service) | You, inside your infrastructure |
| Where credentials live | Customer-side agents/connectors; sensitive data protected by HSM-backed KMS at SwissSign | Never leave your infrastructure |
| Internal-system reach | Best for cloud / internet-facing; internal reach needs agents/relays | Direct LDAP/AD, F5, ITSM – in-perimeter |
| Setup effort | Fastest; nothing to deploy | Project with possible SwissSign support |
| Maintenance | Handled by SwissSign | Your responsibility |
| Private PKI | Integrate self-operated private PKIs, or add a new dedicated private PKI instance operated by SwissSign when needed for replacement or new use cases | Integrated as part of your deployment when needed |
| Explore Cloud | Explore On-Premises |