Self-Hosted · Air-Gap Ready

Complete Data Sovereignty for Regulated Research

Deploy the full DocShield PHI redaction platform on your own infrastructure. No external connections required. Your patient data never leaves your network perimeter — not for processing, not for storage, not for anything.

Air-Gapped
Tri-Agency Compatible
PIPEDA / PHIPA
Zero External Connections
Air-gapped ready
Your Infrastructure
DocShield API: Running · port 8443
AI Redaction Engine: Running · GPU enabled
Audit Logger: Running · append-only
Web Dashboard: Running · port 3000
Identity Provider (SSO): Running · SAML 2.0

Built for research environments where the cloud isn't an option

DocShield Self-Hosted is purpose-built for institutions with strict data residency requirements, federal funding obligations, or contractual prohibitions on cloud processing.

Academic Research
NIH-Funded Research Programs
Federal grants increasingly require data to remain within institutional boundaries and meet specific cybersecurity frameworks. DocShield Self-Hosted satisfies NIH Data Management and Sharing Policy requirements without externalizing PHI.
NIH Data Management & Sharing Policy (2023)
Tri-Agency & TCPS 2 data requirements
Institutional data governance policy
Healthcare Systems
Hospital Research Networks
Multi-site hospital networks conducting clinical research operate under strict information security frameworks from hospital IT. DocShield Self-Hosted integrates with existing enterprise infrastructure, including on-premises AD, PKI, and SIEM systems.
Hospital information security policy compliance
On-premises Active Directory integration
SIEM and DLP integration required
Federally Funded Research
CIHR & Tri-Agency Grantees
Research programs funded by CIHR, NSERC, or SSHRC must meet Tri-Agency data governance expectations and TCPS 2 requirements for protecting participant information. DocShield Self-Hosted ensures patient data never leaves your institution's infrastructure.
Tri-Agency data governance compliance
TCPS 2 participant data protection
Data residency within Canada

Deploy on the infrastructure you already trust

DocShield Self-Hosted ships as a fully containerized application. Choose the deployment model that matches your infrastructure and compliance posture.

Docker Compose
Fastest Setup
The simplest deployment path. A single docker compose up command starts all DocShield services in minutes. Ideal for single-site labs, pilot deployments, or teams without dedicated Kubernetes infrastructure.
Docker 24+
8 CPU cores minimum
32 GB RAM
SSD storage
Kubernetes
Enterprise Scale
Production-grade deployment with Helm charts for AWS EKS, Azure AKS, GCP GKE, or on-premises Kubernetes clusters. Includes horizontal auto-scaling, rolling updates, resource quotas, and network policy templates for zero-trust segmentation.
Kubernetes 1.27+
Helm 3.x charts
AWS / Azure / GCP
On-premises K8s
Bare Metal
Maximum Performance
Direct installation on physical servers for maximum throughput and minimum latency. Recommended for high-volume processing environments where GPU acceleration is needed and virtualization overhead is unacceptable. Ansible playbooks included.
RHEL 8/9 or Ubuntu 22.04
NVIDIA CUDA optional
Ansible playbooks
16+ CPU cores
Air-Gapped
Maximum Isolation
Complete deployment bundle for networks with no internet connectivity. Includes all container images, OS packages, model weights, and cryptographic verification checksums packaged for offline installation. Designed for classified and CUI environments.
Zero internet required
Offline bundle included
Checksum verified
FIPS 140-2 crypto

Designed to integrate with your existing environment

DocShield Self-Hosted is not a black-box appliance. Every component is configurable, auditable, and designed to slot into your existing security architecture.

Active Directory & LDAP Integration
Connects directly to your institutional directory for authentication and group-based access control. Supports SAML 2.0, OIDC, and Kerberos.
SIEM & DLP Integration
Exports structured audit events via syslog (RFC 5424), webhook, or direct Splunk HEC. Configurable alerting for policy violations.
PKI & Certificate Management
Integrates with your internal PKI for TLS certificates. Supports HSM-backed key storage via PKCS#11 for FIPS 140-2 environments.
Immutable Audit Logging
Append-only audit logs stored locally with cryptographic hash chaining. Export to your institutional records retention system on a configurable schedule.
Your Network Boundary
Internal Network — No Outbound Traffic
DocShield Web Dashboard
Browser-based UI · Internal DNS only
Redaction API Service
REST + gRPC · mTLS enforced
AI Model Runtime (CPU/GPU)
All model weights bundled offline
Audit Log Store
Append-only · Hash-chained records
Your Identity Provider (AD/LDAP)
SAML 2.0 · OIDC · Kerberos
Your SIEM / Log Aggregator
Syslog · Splunk HEC · Webhook

Meets the requirements of the most regulated environments

DocShield Self-Hosted is documented and tested against the privacy and security frameworks that govern health research in Canada and beyond.

Healthcare & Privacy
Standards covering protected health information and patient privacy across North American jurisdictions.
HIPAA
HIPAA / HITECH
All 18 PHI identifiers · Safe Harbor and Expert Determination methods · BAA provided
PIPEDA
Canadian federal private-sector privacy law · Data residency maintained within your jurisdiction
PHIPA
PHIPA / FIPPA
Ontario health information custodian requirements · No data leaving provincial boundary
SOC 2
SOC 2 Type II
Third-party audit of security, availability, and confidentiality controls · Report available under NDA
ISO 27001
ISO 27001 / 27017 / 27018
Information security management · Cloud security controls · PII protection in cloud environments
Canadian Research Governance
Frameworks governing federally funded and provincially regulated health research in Canada.
Tri-Agency
Tri-Agency Data Governance (CIHR / NSERC / SSHRC)
Canadian federal research funding agencies require data management plans and safeguards for personal health information · DocShield supports compliant de-identification for data sharing obligations
TCPS 2
Tri-Council Policy Statement (TCPS 2)
Ethical conduct framework for research involving humans in Canada · Requires appropriate data security and access controls for identifiable participant information
Law 25
Quebec Law 25 (formerly Bill 64)
Quebec's modernized privacy law requiring strict governance of personal information · Applies to any organization handling data of Quebec residents, including research institutions
PIPA
Alberta PIPA
Alberta's Personal Information Protection Act governs private-sector handling of personal information · Relevant for research conducted by Alberta-based private organizations and CROs

Sizing guide for your deployment environment

Requirements vary by document volume and GPU availability. Contact our team for a detailed sizing assessment for your specific environment.

Minimum Requirements (CPU-only)
CPU: 8 cores (x86_64)
RAM: 32 GB
Storage: 200 GB SSD
OS: RHEL 8/9, Ubuntu 22.04
Throughput: ~500 pages/hour
Concurrent users: Up to 50
Recommended (GPU-accelerated)
CPU: 16+ cores (x86_64)
RAM: 64 GB
GPU: NVIDIA A10G or equivalent
Storage: 500 GB NVMe SSD
Throughput: ~10,000 pages/hour
Concurrent users: Unlimited
Security & Networking
Encryption in transit: TLS 1.3 (mTLS supported)
Encryption at rest: AES-256-GCM
Key management: PKCS#11 / HSM optional
Inbound ports: 443 (HTTPS), 8443 (API)
Outbound ports: None required
FIPS mode: Supported
Supported Integrations
Authentication: SAML 2.0, OIDC, LDAP
EHR systems: FHIR R4, HL7 v2
SIEM export: Syslog, Splunk, Datadog
Secret management: HashiCorp Vault, AWS Secrets
Certificate authority: Internal CA, EJBCA, ACME
Monitoring: Prometheus / Grafana
Enterprise Deployment

Your data stays on your terms

Talk to our enterprise team about your specific compliance requirements, infrastructure environment, and deployment timeline. We provide white-glove onboarding including security architecture review, STIG hardening guidance, and initial deployment support.

Custom contracts · BAA and DPA provided · STIG hardening guides included · White-glove onboarding