SaaS, hybrid or on-premise: deploying GottaPhish your way
GottaPhish is delivered as a fully managed SaaS by default, but that is not the only option. For regulated, sensitive, or sovereignty-conscious organizations, certain components can be deployed inside your own environment — so you keep control of the data that matters most while we keep the platform running smoothly.
Three deployment models
There is no single right answer for every organization. Your regulatory exposure, internal security policy, and appetite for operational overhead determine which model fits. GottaPhish is available in three shapes.
1. Full SaaS (the default)
Everything runs in GottaPhish's managed, EU-hosted infrastructure. You log in to the console, build campaigns, and read results — no servers to provision, patch, or scale. This is the fastest path to value and suits the large majority of customers.
- Zero infrastructure to maintain on your side.
- Automatic updates, new templates, and threat coverage.
- Data hosted in France/EU with encryption in transit and at rest.
2. Hybrid (sensitive data stays in-house)
In a hybrid model, the management console remains managed by GottaPhish, but the components that touch your employees' personal data can be deployed in your own environment. The idea is simple: keep the sensitive datastore under your roof, while the day-to-day orchestration stays effortless.
Components that can be deployed on-premise or in your own cloud tenant include:
- The mail-sending relay / connector — so simulated emails originate from infrastructure you control and align with your own sending policy.
- The landing-page infrastructure — so any page an employee interacts with is served from your environment.
- The datastore holding employee identities and results — names, addresses, click and submission events, and per-user outcomes never have to leave your network.
Hybrid is the sweet spot for many CISOs: the operational simplicity of SaaS, with personal and behavioral data kept inside the organization's own boundary.
3. On-premise / self-hosted
For the most demanding environments, GottaPhish components can be deployed entirely within your infrastructure, including air-gapped or fully self-hosted configurations. This model is available for organizations in defense, government, and banking, or any sector where data must never traverse a third party's systems.
- Runs in your datacenter or sovereign cloud.
- Supports segregated and air-gapped networks.
- Aligns with internal accreditation and classification requirements.
What stays managed
Even in hybrid and on-premise models, the management console — campaign design, scheduling, template libraries, and reporting logic — remains a managed capability. This keeps the parts that benefit from continuous improvement (new lures, evolving attacker techniques, UI) always current, while the parts that carry sensitive data can be placed exactly where your policy requires.
Think of it as a clear division of responsibility:
- GottaPhish operates the console, the template and threat intelligence, and the update pipeline.
- You can operate the sending path, the landing pages, and the personal-data store — if and when you need to.
Choosing the right model
A few questions usually settle it:
- Does regulation or internal policy forbid employee data leaving your network? If yes, lean hybrid or on-premise.
- Do you have the operational capacity to host components? SaaS removes that burden entirely; hybrid is a middle ground.
- Is air-gapped operation a hard requirement? Then on-premise / self-hosted is the path.
There is no lock-in to a single choice. Many organizations start with SaaS to prove value quickly, then move sensitive components in-house as their program matures.
How GottaPhish helps
For regulated or sovereignty-conscious organizations, a rigid SaaS-only tool forces an unwelcome choice between a credible awareness program and keeping sensitive data under your own control. GottaPhish is built so that deployment flexibility never costs you capability: whether you run the full managed SaaS, keep personal data in a hybrid setup, or self-host in an air-gapped environment, you get the same campaign engine, the same up-to-date threat coverage, and the same reporting. Our expert support team works hands-on with your security and compliance stakeholders to map the right deployment model to your obligations, then helps you set up campaigns, design scenarios, and interpret the results. Talk to us about which components you want to keep in-house, and we will tailor a deployment that fits.
