Who Sovereign Is For

Sovereign deploys Provisionr into your own AWS account within your AWS Organization. You own and control the infrastructure entirely — your data never leaves your environment, and the license bills through AWS Marketplace with no separate Provisionr invoice. Sovereign gives you the same automation and compliance capabilities as Growth and Scale, on infrastructure you manage. Sovereign is the right choice if your organization requires:
  • Infrastructure in your own AWS account — not a shared or Provisionr-managed account
  • Any AWS region for data residency (not limited to US or EU)
  • Full control over network boundaries, encryption keys, access controls, and data retention
  • Direct audit access to the infrastructure by your security and compliance teams
  • AWS EDP eligibility — both the license fee and infrastructure costs count toward your committed spend

Plan Comparison

| | Growth | Scale | Sovereign |
|---|---|---|---|
| Pricing | $100 per 100 policies | $2,000/mo Flat | ~$3,600/mo ($5/hr Marketplace) |
| Active Policies | Pay-as-you-grow | Unlimited | Unlimited |
| Sync Frequency | Every 24 hours | Every 3 hours | Every 3 hours |
| JIT Access Expiration | ≤24 hours | ≤60 mins | ≤60 mins |
| Audit Log Retention | 3 years | 3 years | Custom |
| Infrastructure | Isolated GCP (Provisionr project) | Isolated AWS (Provisionr account) | Dedicated AWS (Customer account) |
| Infrastructure Costs | Included | Included | Your responsibility, Avg ≤$500/mo |
| Managed by | Provisionr | Provisionr | You (or a partner) |
| Region choice | GCP 8 regions | AWS US or EU, GCP 8 Regions | Any AWS region |

High availability: Your responsibility
Cloudflare edge protection: Opt-In
AWS EDP eligible: Private Offer

Deployment Overview

Your AWS Organization
└── Your Provisionr Account (isolated)
    ├── Fargate (compute — runs Provisionr)
    ├── RDS PostgreSQL (database — your data stays here)
    ├── S3 (audit log storage)
    └── IAM Roles (per-tenant access control)
Provisionr connects outbound to your identity systems — Google Workspace, Okta, Slack, GitLab — the same way it does on our hosted plans. The difference is that all data at rest lives in your RDS instance, in your account, in your chosen AWS region.

Data Sovereignty, Residency, and Compliance

Identity governance is sensitive by nature. Provisionr manages group membership across your identity ecosystem — touching Google Workspace, Okta, Slack, GitLab, and more. For many organizations, particularly those in regulated industries or with strict vendor data policies, having that data processed and stored outside their own infrastructure is not acceptable. Sovereign addresses this directly:
  • Your policy definitions, audit logs, sync history, and user data never leave your AWS account
  • You control network boundaries, encryption keys, access controls, and data retention
  • Your security and compliance teams can audit the infrastructure directly — it lives in your environment, not ours
  • Deployments can satisfy requirements under HIPAA, SOC 2, ISO 27001, FedRAMP, and other frameworks where data residency and infrastructure control are evaluated

Authentication Gateway

When you deploy Provisionr Sovereign, you configure container environment variables with the OIDC client ID and client secret for your Identity Provider (IdP) — for example, your Okta or Google Workspace application credentials. A Sovereign workspace authenticates directly with your IdP using the OIDC client credentials you provide. It does not communicate with Provisionr HQ for authentication.
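
An added example, not Provisionr's own code: since the OIDC client secret reaches the container through environment variables, this check flags credentials set as plaintext `environment` values in an ECS task definition, and `secrets` references that resolve outside the chosen region or account. The variable names (`OIDC_CLIENT_ID`, `OIDC_CLIENT_SECRET`, `DB_PASSWORD`), the region and the account ID are assumptions for illustration.

```python
import re

# Names suggesting a credential. The variable names Provisionr reads are not given on
# this page; the names used in the sample below are hypothetical.
SENSITIVE = re.compile(r"SECRET|PASSWORD|TOKEN|PRIVATE_KEY|API_KEY", re.I)


def audit_task_definition(task_def, region, account_id):
    """Return (container, variable, problem) tuples for risky credential handling."""
    findings = []
    for c in task_def.get("containerDefinitions", []):
        cname = c.get("name", "<unnamed>")
        # Plaintext values are readable by anyone allowed to describe the task definition.
        for var in c.get("environment", []):
            if SENSITIVE.search(var.get("name", "")) and var.get("value"):
                findings.append((cname, var["name"], "plaintext in environment"))
        # `secrets` entries are fetched at task start from Secrets Manager or SSM.
        for ref in c.get("secrets", []):
            parts = ref.get("valueFrom", "").split(":")
            if parts[0] != "arn" or len(parts) < 6:
                continue  # bare SSM parameter name: resolved in the task's own region
            if parts[3] != region:
                findings.append((cname, ref["name"], "secret stored in " + parts[3]))
            if parts[4] != account_id:
                findings.append((cname, ref["name"], "secret owned by account " + parts[4]))
    return findings


# Constructed sample shaped like the taskDefinition object that
# `aws ecs describe-task-definition` returns; all values are made up.
SAMPLE = {
    "containerDefinitions": [{
        "name": "provisionr",
        "environment": [
            {"name": "OIDC_CLIENT_ID", "value": "example-client-id"},
            {"name": "OIDC_CLIENT_SECRET", "value": "example-not-a-real-secret"},
        ],
        "secrets": [{
            "name": "DB_PASSWORD",
            "valueFrom": "arn:aws:secretsmanager:us-east-1:111122223333:secret:db-AbCdEf",
        }],
    }]
}

if __name__ == "__main__":
    for finding in audit_task_definition(SAMPLE, "eu-central-1", "111122223333"):
        print(finding)
```

Moving a flagged variable from `environment` to a `secrets` entry still delivers it to the container as an environment variable, so the application-side configuration does not change.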

Billing and Support Data

When you subscribe to Provisionr Sovereign through AWS Marketplace, AWS shares your subscription information with Provisionr for billing and support purposes. This includes your AWS account ID, subscription start date, and usage data for metering your license fee. This is necessary to operate the license metering and billing through AWS Marketplace. You can choose to share additional information with us for support purposes, such as contact information and workspace metadata, but this is optional and not required for the product to function. Your data remains fully isolated in your AWS account regardless of what information you choose to share with Provisionr.

Pricing

Sovereign is licensed through AWS Marketplace at a metered rate of $5/hr for the Provisionr software license — billed through your AWS account and settled against your existing AWS spend, including any Enterprise Discount Program (EDP) commitments. If your organization has an AWS Enterprise Discount Program agreement, your Provisionr Sovereign license fee and infrastructure costs both count toward your committed AWS spend. For organizations with large EDP commitments, this can make Sovereign meaningfully less expensive in net terms than it appears at list price — worth raising with your AWS account team during procurement.

Infrastructure Costs

In addition to the Provisionr license fee, you pay for the AWS resources running in your account. Infrastructure costs vary based on the size of your deployment but typically run less than $500/month for most organizations. This includes:
  • AWS Fargate (compute for the Provisionr application)
  • Amazon RDS for PostgreSQL (your workspace database)
  • Amazon S3 (audit log and export storage)
  • Application Load Balancer and supporting networking
You can use Reserved Instances, Savings Plans, or existing EDP credits to reduce infrastructure costs further — these are your resources, so all standard AWS cost optimization tools apply.

Total Cost of Ownership

| | Approx. Monthly | Approx. Annual |
|---|---|---|
| Policy Control license | ~$3,600 | ~$43,200 |
| AWS infrastructure | ~$500 | ~$6,000 |
| Total | ~$4,100 | ~$49,200 |

Monthly estimates are based on 720 billing hours. Actual billing reflects metered hours and will vary slightly by month. AWS Marketplace invoices are issued by AWS alongside your other AWS charges. Infrastructure costs are estimates. Your actual AWS costs depend on instance sizing, region, data transfer, and usage patterns.

Add-Ons

There are no additional charges from Provisionr based on policy count, user count, or sync frequency. Your infrastructure costs are based on the high-availability configuration and region that you choose for your deployment. Sovereign customers receive priority ticket support as part of their license. Since the Provisionr Support and Platform Infrastructure teams do not have access to your workspace infrastructure or data, we cannot provide support inside of your workspace. Instead, support is provided through email and scheduled video calls. The following SKUs are available as add-ons for Provisionr support and services:
  • Advisor Services - $1,000 per engagement or $10,000 per year
    • Dedicated account manager who knows your workspace and provides personalized support
    • Collaborative quarterly business reviews with product roadmap insights and feedback sessions
    • Ad hoc consultations and proactive recommendations as your use of Provisionr evolves
    • Audit and compliance support with optional bespoke training sessions for your team
  • Professional Services
    • Dedicated support for large-scale rollouts and migrations
    • Migrating from checklists and spreadsheets to Provisionr policies
    • Custom policy design and implementation for complex use cases
    • Virtual training sessions for your team

AWS Regions and Data Residency

You can deploy Provisionr in any AWS region. Your data, including backups, stays in that region unless you specify another region for backups. This gives you direct control over data residency for compliance with regional regulations including HIPAA, GDPR, PIPEDA, and sector-specific frameworks. Available regions include any AWS region where Fargate and RDS are supported:

| Region Name | AWS Identifier |
|---|---|
| US East (Ohio) | us-east-2 |
| US East (N. Virginia) | us-east-1 |
| US West (N. California) | us-west-1 (usw1-az1 & usw1-az3 only) |
| US West (Oregon) | us-west-2 |
| Canada (Central) | ca-central-1 |
| Canada West (Calgary) | ca-west-1 |
| Mexico (Central) | mx-central-1 |
| Africa (Cape Town) | af-south-1 |
| Asia Pacific (Hong Kong) | ap-east-1 |
| Asia Pacific (Mumbai) | ap-south-1 |
| Asia Pacific (Tokyo) | ap-northeast-1 (apne1-az1, apne1-az2, & apne1-az4 only) |
| Asia Pacific (Seoul) | ap-northeast-2 |
| Asia Pacific (Osaka) | ap-northeast-3 |
| Asia Pacific (Hyderabad) | ap-south-2 |
| Asia Pacific (Singapore) | ap-southeast-1 |
| Asia Pacific (Sydney) | ap-southeast-2 |
| Asia Pacific (Thailand) | ap-southeast-7 |
| Asia Pacific (Jakarta) | ap-southeast-3 |
| Asia Pacific (Melbourne) | ap-southeast-4 |
| Asia Pacific (Malaysia) | ap-southeast-5 |
| China (Beijing) | cn-north-1 (cnn1-az1 & cnn1-az2 only) |
| China (Ningxia) | cn-northwest-1 |
| Europe (Frankfurt) | eu-central-1 |
| Europe (Zurich) | eu-central-2 |
| Europe (Ireland) | eu-west-1 |
| Europe (London) | eu-west-2 |
| Europe (Paris) | eu-west-3 |
| Europe (Milan) | eu-south-1 |
| Europe (Spain) | eu-south-2 |
| Europe (Stockholm) | eu-north-1 |
| South America (São Paulo) | sa-east-1 |
| Israel (Tel Aviv) | il-central-1 |
| Middle East (Bahrain) | me-south-1 |
| Middle East (UAE) | me-central-1 |
| AWS GovCloud (US-East) | us-gov-east-1 |
| AWS GovCloud (US-West) | us-gov-west-1 |

Sync Frequency

Sovereign syncs every 3 hours — the same frequency as Scale and the highest supported before hitting vendor rate limits on connected identity systems like Google Workspace, Okta, and Slack. You can also trigger an on-demand sync for any individual policy at any time using the CLI, so you are never blocked waiting for the next scheduled window.

Just-in-Time Access Expiration

The always-on container lets Provisionr run continuous background jobs that evaluate and revoke time-limited group memberships in near real-time, rather than waiting for the next scheduled sync window. For organizations managing temporary access grants, contractor offboarding, or time-boxed elevated permissions, this is a meaningful security improvement over daily sync.

What You Are Responsible For

Sovereign gives you infrastructure control. With that comes operational responsibility. Your team is responsible for:
  • Provisioning and maintaining the AWS account
  • Applying infrastructure updates and version upgrades on your schedule
  • Monitoring resource utilization and scaling as needed
  • Managing AWS IAM roles and network security groups
  • Backup and recovery configuration within your RDS instance
  • High availability and disaster recovery for your deployment
Provisionr publishes new releases on a regular schedule. Sovereign customers control when they apply upgrades — you are never automatically updated without your involvement.

Professional Services

If your team does not have the AWS expertise to deploy and maintain a Sovereign environment, or if you would prefer to focus on using Provisionr rather than running it, our Professional Services partners can help. Provisionr’s certified implementation partners offer:
  • Initial deployment — scoping, architecture review, and deployment into your AWS account
  • Ongoing management — day-to-day infrastructure monitoring, patching, and version upgrades on your behalf
  • Policy design — working with your identity and security teams to design your initial policy library
  • Compliance support — documentation and evidence packages for audit and certification requirements
Professional Services engagements are scoped and priced separately from your Provisionr license. Contact sales@provisionr.io to be connected with a certified implementation partner in your region.

Getting Started

  1. Contact sales@provisionr.io to confirm Sovereign is the right fit for your requirements
  2. Receive a private offer or find Provisionr on the AWS Marketplace
  3. Subscribe through your AWS account
  4. Work with a Professional Services partner to deploy into your environment
  5. Connect your identity integrations and activate your first policies
We recommend starting with a Baseline or Growth workspace to design and test your policies in a hosted environment before deploying Sovereign. You can run hosted and Sovereign workspaces in parallel, and export and import policies between them. Our Professional Services partners can also perform a database dump and restore to move your entire workspace configuration from hosted to Sovereign.
For pricing, procurement, and implementation questions, contact sales@provisionr.io.