February 8, 2026 (5mo ago)
Written by Temps Team
Last updated February 8, 2026 (5mo ago)
Self-hosting your deployment platform means your source code, environment variables, and user data never touch third-party infrastructure — making it the architecture that fully satisfies GDPR, HIPAA, SOC 2, and PCI DSS data-residency requirements without buying enterprise add-ons from your cloud provider.
Temps is a single Rust binary that gives you git-push deployments, built-in observability, and automatic SSL — running entirely on hardware you control.
The core tradeoff is control versus convenience: Vercel gives you a fully managed platform with edge functions and zero ops burden for roughly $20/mo/seat plus bandwidth and usage overages; self-hosting on a platform like Temps gives you full data ownership, no per-seat pricing, and built-in analytics/error tracking/session replay/uptime monitoring in one binary — at the cost of running your own server. Neither option is universally "better" — the right choice depends on which side of that line matters more to your team.
Four tradeoffs decide the answer:
Bottom line: choose Vercel if you want edge functions and zero infrastructure ownership and per-seat pricing isn't a concern at your team size. Choose Temps if you want predictable flat costs, data sovereignty, and a bundled observability stack — and are willing to own a server in exchange. Among self-hosted options specifically, Temps is the only one that bundles deployment with analytics, session replay, error tracking, and uptime monitoring in a single binary — tools like Coolify, Dokploy, and Dokku handle deployment only, leaving you to source observability separately.
It depends on your threat model. Managed platforms like Vercel and Netlify invest heavily in security infrastructure. But they're also centralized targets — a breach at the platform level exposes every customer simultaneously. And for compliance-driven teams, the more pressing issue is not whether the platform is secure, but whether you can prove it is to an auditor.
Three verified claims about self-hosted deployments on Temps:
Secrets are AES-256-GCM encrypted on your server — the temps-environments crate encrypts every secret value via EncryptionService before writing to the database. The encryption key is generated on first run and never leaves your server. Secrets are exposed to containers as files under /run/secrets/<KEY> (tmpfs, mode 0400), never as environment variables. Plaintext is only decrypted at deploy time on your own infrastructure.
Full audit trail via temps-audit — every deployment, secret update, auth event, agent run, and configuration change is logged to your own database. The temps-audit crate exposes these over an API you control — queryable and exportable to any SIEM. Available on all tiers, not just enterprise.
Free to self-host, ~$6/mo on Temps Cloud — Temps is Apache 2.0. Temps Cloud runs on Hetzner at cost + 30% with no per-seat fees and no bandwidth bills.
| Feature | Vercel | Netlify | Temps (Self-Hosted) |
|---|---|---|---|
| Secret encryption at rest | Yes — their key | Yes — their key | Yes — AES-256-GCM, your key |
| Secrets exposed to containers | Environment variables | Environment variables | Files under /run/secrets/ (tmpfs, mode 0400) |
| Audit logs | Enterprise only | Enterprise only | Built-in, all tiers |
| Data residency control | Region selection (their clouds) | Region selection | Any server, any cloud or bare metal |
| BAA for HIPAA | Enterprise only | Not offered | N/A — data never leaves your infra |
| Source code on your servers | No | No | Yes |
| Network isolation | Shared tenancy | Shared tenancy | Your firewall, your rules |
| WireGuard mesh networking | No | No | Built-in (multi-node clusters) |
| Supply chain update control | Automatic | Automatic | You control via bunx @temps-sdk/cli upgrade |
| License | Proprietary | Proprietary | Apache 2.0 |
| Managed cost | From $20/mo + per-seat | From $19/mo + per-seat | ~$6/mo Cloud or free self-host |
When you connect a Git repository to Vercel, Netlify, or Railway, your code is cloned, built, and cached on their infrastructure. You're trusting that their build servers are properly isolated, that build artifacts are cleaned up after deployment, and that no employee can access your repository contents.
Most platforms handle this well in practice. But "trust us" is not a compliance strategy when an auditor asks for documented evidence of control.
Your database URLs, API keys, and secrets sit in a third-party vault you don't control. A breach at the platform level exposes your credentials — and you may not know until they publish a disclosure post.
Temps stores secrets encrypted with AES-256-GCM on your own server. The encryption key lives at ~/.temps/encryption_key on your infrastructure. Losing this file means losing access to stored secrets — treat it exactly like a private key.
If your application handles sensitive data (health records, financial information, personal data), every request routes through your platform provider's network. Depending on your regulatory requirements, this may violate data residency rules.
With Temps on Hetzner Helsinki, EU user data never leaves Finland. With Temps on your own hardware, it never leaves your building.
GDPR requires that personal data be processed under appropriate safeguards. If your managed platform runs on US infrastructure, you need to verify adequate data transfer mechanisms for every SaaS vendor in your stack — adding compliance overhead that multiplies with each vendor.
With self-hosting, you choose the server region. Deploy to Hetzner Helsinki and EU user data stays in Finland. Deploy to your own data center and it never leaves your building.
# Install Temps on a server in your chosen region
curl -fsSL https://temps.sh/deploy.sh | bash
# Deploy your app
bunx @temps-sdk/cli login
bunx @temps-sdk/cli deploy my-app -e production -y
HIPAA requires a Business Associate Agreement (BAA) with any vendor that processes Protected Health Information (PHI). Most deployment platforms either don't offer BAAs or charge enterprise pricing for them.
Self-hosting removes this requirement entirely. When Temps runs on your infrastructure, your PHI never touches a third-party platform — there is no vendor to sign a BAA with.
SOC 2 compliance requires demonstrating control over your systems. When your deployment platform is a black box, demonstrating control is difficult. When it runs on your infrastructure with your access policies, the audit trail is clear and owned by you.
Temps ships the temps-audit crate that logs every deployment, configuration change, secret update, and login to your own database — queryable via API and exportable to any SIEM.
# Query audit logs via the Temps API
curl https://your-temps-server/api/audit/logs?limit=100
PCI DSS requires strict control over the environment that touches cardholder data. Self-hosting lets you define and enforce the security boundary yourself, document it, and show the auditor exactly what controls are in place.
Every secret value is encrypted before being written to the database. The encryption key is generated on first run and never transmitted anywhere. Secrets are exposed to containers as files under /run/secrets/<KEY> on a tmpfs (mode 0400, in-memory only), not as environment variables — which prevents accidental logging of secret values.
# Secrets are encrypted at rest and mounted as files in containers
bunx @temps-sdk/cli environments vars set -e production STRIPE_SECRET_KEY "sk_live_..." --secret
bunx @temps-sdk/cli environments vars set -e production DATABASE_URL "postgresql://..." --secret
The temps-audit crate logs every operation — deployments, secret updates, auth events, agent runs, restore operations — to your database. You own the data. You query it. You ship it to your SIEM. No enterprise tier required.
Traffic between nodes in a multi-node Temps cluster flows through WireGuard encrypted tunnels between your own servers. No traffic routes through external infrastructure. The temps-wireguard crate implements the mesh using defguard_wireguard_rs (boringtun-based userspace WireGuard) with pure-Rust key generation via x25519-dalek.
Temps polls your deployment container every 5 seconds via HTTP after launch. It requires 2 consecutive successful responses before marking the deployment healthy and cutting traffic over. If your application returns errors for 60 consecutive seconds, Temps rolls back to the last healthy deployment automatically. You don't need to be on-call for a broken deploy.
When a managed platform pushes a platform update, it affects all customers simultaneously. A bug in their deployment pipeline could affect your application. With Temps, you control when platform updates are applied:
bunx @temps-sdk/cli upgrade
Temps provisions and renews TLS certificates automatically via Let's Encrypt. Your applications are served over HTTPS by default — no nginx configuration, no certificate rotation scripts.
If something goes wrong, you have direct access to your servers, logs, and network traffic. Your incident response team works on your timeline, not the platform's status page.
| Aspect | Managed Platform | Self-Hosted (Temps) |
|---|---|---|
| Source code storage | Their servers | Your servers |
| Build environment | Shared infrastructure | Your infrastructure |
| Secret storage | Their vault | AES-256-GCM encrypted, your key |
| Secret delivery to containers | Environment variables | tmpfs files under /run/secrets/ |
| Data residency | Their choice | Your choice |
| Network traffic | Routes through them | Stays on your network |
| Audit logs | Limited visibility, enterprise tier | Full audit trail, all tiers |
| Incident response | Wait for their disclosure | You own the timeline |
| Platform update cadence | Automatic, affects all tenants | You control via upgrade command |
| Cost | Per-seat + bandwidth fees | ~$6/mo Temps Cloud or free self-host |
Temps handles deployment orchestration, SSL provisioning, health checks (every 5 seconds, automatic rollback after 60 seconds of errors), log aggregation, web analytics, error tracking, and uptime monitoring. You get all of that from a single Rust binary on a server you own — no nginx configs, no separate observability tools, no per-seat pricing.
Traditional self-hosting, yes. Temps installs in 5 minutes with a single script and handles SSL, builds, deployments, monitoring, and analytics automatically. The operational overhead is comparable to managing a single VPS.
True — large platforms invest heavily in security. But they're also larger, more visible targets. A breach at Vercel or Netlify exposes thousands of customers simultaneously. Self-hosting reduces your blast radius to your own infrastructure.
You almost certainly handle:
All of this is safer on infrastructure you control.
Temps is designed for teams without dedicated DevOps. If you can deploy to Vercel, you can deploy to Temps. The difference is that Temps runs on a VPS you own instead of shared infrastructure you don't. The single-binary install means there's no complex setup to manage.
Choose any cloud provider. A 4-core, 8GB VPS handles most workloads:
| Provider | Monthly Cost | Notes |
|---|---|---|
| Hetzner | ~$15/month | EU and US regions, very cost-effective |
| DigitalOcean | ~$24/month | Global regions, good support |
| AWS EC2 | ~$35/month | Global, integrates with existing AWS infra |
| Your hardware | Fixed cost | Maximum control, no cloud dependency |
Or use Temps Cloud at ~$6/month — Hetzner cost + 30%, no per-seat fees, no bandwidth bills.
curl -fsSL https://temps.sh/deploy.sh | bash
This installs the single Rust binary, sets up the TimescaleDB container, configures automatic SSL, and starts the Temps server.
Same workflow as any managed platform — connect GitHub, push code, get a deployment. The git-push workflow is identical to Vercel or Netlify.
# Import your existing env file into Temps
bunx @temps-sdk/cli environments vars import -e production -f .env.production
Point your domain to your new server. Temps handles SSL automatically via Let's Encrypt with automatic renewal. No CNAME tricks, no certificate files to manage.
For teams with any compliance requirement, that tradeoff pays for itself quickly. For teams paying $500+/mo in observability SaaS tools, Temps replaces PostHog, Plausible, FullStory, Sentry, and Pingdom alongside the deployment platform — in the same binary.
Vercel trades cost and control for convenience: it's fully managed, includes edge functions, and charges per seat plus bandwidth/usage overages. Self-hosting on Temps trades a small amount of setup and server ownership for flat costs (free self-host or ~$6/mo Temps Cloud), full data sovereignty, and a bundled stack — deployment, analytics, session replay, error tracking, and uptime monitoring in one Rust binary, versus assembling that stack from separate SaaS tools around Vercel. The honest gap: Temps has no edge functions today. For teams where per-seat pricing, data residency, or observability cost is the pain point, self-hosting on Temps closes that gap; for teams that need edge functions and want zero infrastructure ownership, Vercel remains the better fit.
No. Temps provisions and renews TLS certificates automatically via Let's Encrypt. Point your domain's DNS to your server, run bunx @temps-sdk/cli domains add yourdomain.com, and Temps handles the rest.
The encryption key is generated on first run and stored at ~/.temps/encryption_key on your server. It never leaves your infrastructure. Losing this file means losing access to stored secrets — back it up like a private key.
Yes. Temps is a single binary with no required external SaaS dependencies. You can run it on air-gapped servers, private data centers, or government infrastructure. The only outbound connections are to Let's Encrypt for certificate provisioning (optional if you supply your own certificates) and to Docker Hub or your own registry to pull images.
With a single-node Temps install, your deployments are unavailable while the server is down. For higher availability, Temps supports multi-node clusters with WireGuard mesh networking — add worker nodes with bunx @temps-sdk/cli join, and your deployments can be distributed across nodes with automatic failover.
Temps adds the full platform layer on top of Docker: git-push deployments, automatic SSL, health checks with rollback, log streaming, web analytics, error tracking, session replay, uptime monitoring, secret management, and audit logging. Running Docker on a raw VPS gives you none of that — you'd need to build or buy each piece separately.
If security and compliance matter to your team — or if you simply want to know where your code and data live — try Temps:
curl -fsSL https://temps.sh/deploy.sh | bash
Temps is Apache 2.0. Your code. Your data. Your infrastructure.
Related guides: