Compare plans
Pick how you want to run VaultGuard. Self-host the open-source Community Edition on your own AWS for free, or let us run it for you on VaultGuard Cloud. Every plan ships with the same client-side content encryption, per-file permissions, and managed access-revocation primitives. Try Pro free for 14 days before you decide.
Plans at a glance
| Capability | Community Edition Self-host · free | Pro Cloud · Pro Edition | Enterprise Cloud · Pro Edition + SSO |
|---|---|---|---|
| Price | Free, self-hosted | €12 / user / month | Custom |
| Where it runs | Your own AWS | Our AWS (managed) | Dedicated infra |
| License | Sustainable Use License | Cloud ToS | Commercial contract |
| User cap | Your deployment limit | Up to 100 | By agreement |
| Storage | Your AWS configuration | 100 GB included | By agreement |
| Trial | Clone + deploy | 14-day free trial | Sales call |
Security you get on every plan
The same client-side encryption and access-control primitives — with operations and limits determined by your deployment.
| Capability | Community Edition Self-host · free | Pro Cloud · Pro Edition | Enterprise Cloud · Pro Edition + SSO |
|---|---|---|---|
| Client-side content encryption (AES-256-GCM + managed KMS keys) | |||
| Per-file permissions with role inheritance | |||
| Visual permission graph + in-Obsidian access management | |||
| Session, permission, and renewable-lease revocation | |||
| Time-bound key leases (1h default, configurable) | |||
| Multi-vault support per organization | |||
| Plugin allowlist enforcement | |||
| Cognito auth (federate to your IdP) | |||
| Local at-rest encryption via OS keychain | |||
| TLS 1.2+ in transit (TLS 1.3 when negotiated) |
AI in your vault
Use AI on your notes through the same encryption, permissions, and audit gates — on every plan.
| Capability | Community Edition Self-host · free | Pro Cloud · Pro Edition | Enterprise Cloud · Pro Edition + SSO |
|---|---|---|---|
| Built-in Claude chat panel (bring your own Anthropic key or Claude subscription) | |||
| AI agent bridge — scoped MCP server for Claude Code / Cursor / Claudian | |||
| Every AI file access permission-checked and audit-logged |
Running it day-to-day
What you get back when we run the infrastructure for you.
| Capability | Community Edition Self-host · free | Pro Cloud · Pro Edition | Enterprise Cloud · Pro Edition + SSO |
|---|---|---|---|
| In-Obsidian admin (users / permissions / settings / recovery) | |||
| Hosted web admin panel (admin.vaultguard.cloud) | |||
| Share links — send a teammate a clickable link to a specific file | |||
| Basic audit log (GET /audit/logs) | |||
| Advanced audit — dashboards, alerts, CSV export, per-user / per-file reports | |||
| Audit retention | 30 days (configurable) | 1 year | Custom |
| Stripe-backed billing | |||
| Transactional email (invites, password reset) | Your SES | Managed | Managed |
| Org signup | Single-tenant lockdown | Multi-tenant | Custom |
| Managed AWS infrastructure | |||
| Managed security update process | |||
| Managed backup operations | |||
| Uptime target | None | 99.9% target | Custom by agreement |
| Support target | Community (GitHub) | Email, 1-business-day target | Priority by agreement |
Enterprise-only
| Capability | Community Edition Self-host · free | Pro Cloud · Pro Edition | Enterprise Cloud · Pro Edition + SSO |
|---|---|---|---|
| SAML / OIDC SSO integration | |||
| SOC 2 / HIPAA evidence packages | Available by agreement | ||
| Dedicated infrastructure | |||
| Custom data residency | |||
| Custom key rotation & retention policies |
Who handles what
What stays on your plate if you self-host, and what we take off it on Cloud.
| Capability | Community Edition Self-host · free | Pro Cloud · Pro Edition | Enterprise Cloud · Pro Edition + SSO |
|---|---|---|---|
| Deploy the backend | You (terraform apply) | Us | Us (or you, with license) |
| Patch Lambda runtimes / dependencies | You | Us | Us |
| Rotate KMS keys | You | Us | Us / custom |
| Run backups | You | Us | Us |
| Monitor uptime / page on-call | You | Us | Us |
| Pay AWS bill | You | — | Custom |
| Compliance evidence | You | — | Us |
Which plan fits you?
For most teams, Pro is the best place to start. You get the full security stack, admin panel, user permissions, secure note sharing, readable audit trails, managed backup operations, and a 99.9% uptime target — without managing AWS yourself.
Start with Pro and try it free for 14 days →
Choose Community Edition only if you are a solo user or technical team that wants to self-host and manage AWS, backups, patches, and uptime yourself.
Choose Enterprise if you need SSO, dedicated infrastructure, or signed compliance attestations.
What you get if you self-host
- The same client-side content encryption, per-file permissions, and access-revocation primitives as Pro
- Your data stays in your own AWS account
- The same plugin connects automatically — no special build
- One-command Terraform deploy; infrastructure code is open for you to audit
- Cost: just your AWS bill
- You're the on-call: patching Lambda runtimes, rotating KMS keys, running backups, and monitoring uptime is on you
What's not included in self-hosted version
- No web admin panel — every user invite, permission change, and recovery flow happens inside Obsidian, which gets painful past a handful of users
- No share links — teammates can't get a one-click URL to a specific note; they navigate the folder tree themselves
- No audit dashboards, alerts, or CSV exports when your compliance team asks for an audit trail
- No managed uptime commitment, backup operations, or patch pipeline — AWS deprecations and incident response land on you
- No single sign-on or signed compliance attestations — those live on Enterprise