Hybrid Deployment
Keep sensitive data on your infrastructure. Let MCP-S handle the rest.
The Best of Both Worlds
Organizations adopting AI assistants face a tension: SaaS is simple to operate, but compliance and security teams need tool execution — API calls, database queries, internal system access — to stay within the corporate network.
MCP-S Hybrid deployment resolves this by splitting the architecture:
- On your infrastructure — the runtime that executes tool calls. Your API keys, database credentials, and internal data never leave your network.
- On MCP-S SaaS — the management plane. Admin console, user management, SSO, permissions, audit logs, and updates are all handled for you.
You get the data control of on-prem with the operational simplicity of SaaS.
How It Works
MCP-S is built as a set of independent microservices. In a hybrid deployment, only the runtime service is deployed in your Kubernetes cluster. It handles the MCP protocol and executes tool calls inside your network.
Everything else — the admin portal, user authentication, permission management, audit logging, and the backing database — runs on MCP-S SaaS. The on-prem runtime communicates with SaaS through a secure, authenticated channel.
Your users connect their AI assistants (Claude, Cursor, or any MCP-compatible client) directly to the on-prem runtime. Authentication is handled seamlessly through the SaaS layer — users see no difference from a fully hosted deployment.
Why Hybrid?
Data Residency and Compliance
Tool execution happens entirely within your network. When an AI assistant reads a Slack message, queries a database, or calls an internal API, that data flows through your infrastructure — not through a third-party cloud. This satisfies data residency requirements, SOC 2 controls, and internal security policies without the burden of managing a full on-prem deployment.
Minimal Operations
The on-prem footprint is a single stateless Kubernetes pod. No database to maintain, no migrations to run, no certificates to rotate. The runtime pulls its configuration from SaaS and executes tools locally. Upgrades are a container image bump.
Full Feature Parity
Hybrid deployments support the full MCP-S feature set:
- All 50+ built-in MCP servers (Slack, GitHub, Jira, Salesforce, databases, and more)
- Custom MCP server proxying
- OAuth and API key authentication per tool
- Role-based access control with group-level permissions
- AI-powered guardrails and content filtering
- Complete audit logging of every tool invocation
- Token optimization and cost management
- Prompt and resource management
Enterprise SSO
Your existing identity provider (Okta, Azure AD, Google, Auth0, Keycloak, or ADFS) works out of the box. Users authenticate through SSO as they would with any SaaS application — no separate credentials for the on-prem component.
Centralized Management
Admins manage everything from the same MCP-S admin console used in fully hosted deployments. Adding a new tool, adjusting permissions, reviewing audit logs — all done from the browser. Changes propagate to the on-prem runtime automatically.
Architecture Overview
┌─────────────────────────────────┐ ┌─────────────────────────┐
│ MCP-S SaaS │ │ Your Infrastructure │
│ │ │ │
│ Admin App ─── db-service │◄───▶│ Runtime │
│ SSO ──────── Connect │ │ (tool execution) │
│ Audit Logs Permissions │ │ │
│ Updates User Management │ │ Claude ──▶ Runtime │
│ │ │ Cursor ──▶ Runtime │
└─────────────────────────────────┘ └─────────────────────────┘
Managed by MCP-S Managed by you
Requirements
- A Kubernetes cluster (EKS, GKE, AKS, OpenShift, or any conformant distribution)
- An ingress controller (nginx, Traefik, or equivalent)
- Outbound HTTPS access to
*.mcp-s.com
The on-prem runtime is lightweight — a single pod typically runs on 1 CPU core and 1 GB of memory.
Get Started
Hybrid deployment is available on MCP-S Enterprise plans. Contact your account team or reach out to us to enable it for your organization.
Already set up? See the Hybrid Deployment Technical Guide for installation instructions.