ADE containerized deployment on AWS, Azure, or GCP: how it works, ZDR by architecture, responsibility boundaries, HIPAA support, and production scale evidence.
Private VPC deployment means the ADE processing engine runs inside the customer's own cloud environment rather than on LandingAI's hosted infrastructure. Document data never leaves the customer's cloud perimeter during processing, which is a structurally different guarantee from hosted Zero Data Retention and satisfies a stricter class of enterprise data governance requirements.
What Changes in a VPC Deployment
In hosted ADE (US or EU), documents travel to LandingAI's infrastructure for processing. In a VPC deployment, ADE is containerized and deployed within the customer's own AWS, Azure, or GCP account.
Because the app runs entirely inside the customer's cloud environment, LandingAI has no access to documents submitted for processing or to the extracted results. The customer's network controls, IAM policies, and egress rules govern what the deployed container can reach.
The containerized app exposes the same ADE Parse, Parse Jobs, and Extract APIs used in hosted deployment, so no changes to calling code are required when migrating from hosted to VPC. Air-gapped deployments, where the container operates with no outbound internet access, are supported under enterprise agreement.
ZDR by Architecture vs. Hosted ZDR
Per the ADE ZDR documentation, both hosted ADE and the containerized VPC app support Zero Data Retention, but the mechanism differs:
| Deployment | ZDR Mechanism | LandingAI Sub-processor Scope |
|---|---|---|
| Hosted US/EU | In-memory processing; LandingAI and all sub-processors retain nothing | LandingAI manages ZDR across all sub-processors |
| Containerized VPC | ZDR by architecture; no data leaves customer's cloud environment | Customer is responsible for ZDR of their own sub-processors |
In a VPC deployment, LandingAI is not responsible for zero data retention related to customer infrastructure or any sub-processors the customer integrates, such as their own LLM API keys. The customer's organization manages those responsibilities.
HIPAA Support in VPC Deployments
The ZDR documentation confirms that the ZDR option, including VPC deployment, provides the technical safeguards required to support processing Protected Health Information (PHI) and Personally Identifiable Information (PII) in compliance with HIPAA. A Business Associate Agreement (BAA) with LandingAI is required for HIPAA compliance regardless of deployment path; BAA initiation is available through the Organization Settings page once ZDR is enabled.
Deployment Path Selection
Four deployment paths are available, each suited to a different data governance posture:
- Hosted US (AWS Ohio, us-east-2). Managed by LandingAI; ZDR available on Team and Enterprise plans. Suitable for organizations with standard data handling requirements or that accept LandingAI's sub-processor chain.
- Hosted EU (AWS Ireland, eu-west-1). Same managed model with EU data residency; ZDR available on custom pricing plans. Suitable for organizations subject to GDPR data localisation requirements.
- Containerized VPC. ADE deployed inside the customer's own AWS, Azure, or GCP account. ZDR by architecture. Suitable for organizations whose policies prohibit document data transiting third-party infrastructure. Requires an enterprise agreement.
- Virtual Private LandingAI (VPL). A completely separate LandingAI environment provisioned for a single customer. Available on the Enterprise plan. Suitable for organizations that require dedicated infrastructure isolation within LandingAI's operational model rather than deploying within their own cloud account.
Contact LandingAI through the enterprise contact page to initiate a VPC or VPL deployment.
What the VPC Deployment Covers
The containerized ADE app supports the full ADE capability set within the customer's VPC:
- Layout-aware document parsing returning Markdown and hierarchical JSON with page and coordinate grounding for every extracted chunk
- Asynchronous Parse Jobs processing for documents up to 1 GB or 6,000 pages per document
- Schema-defined field extraction with confidence scores and bounding-box citations per extracted value
- Confidence scoring per extracted field for automated review routing
The full supported file types and supported languages are available in VPC deployment, consistent with hosted ADE.
FAQ
Does VPC deployment mean LandingAI cannot access my documents? In a containerized VPC deployment, the ADE app runs entirely within the customer's own AWS, Azure, or GCP account, so LandingAI has no access to documents submitted for processing or to extracted results. This is the architectural distinction from hosted ZDR, where processing occurs on LandingAI's infrastructure under a no-retention policy.
What is the difference between VPC deployment and hosted ZDR? Hosted ZDR means documents are processed on LandingAI's infrastructure in-memory and never stored, including by sub-processors; VPC deployment means documents never leave the customer's cloud environment at all. The hosted ZDR guarantee is a policy and technical control; VPC ZDR is a network architecture guarantee.
Organizations whose security reviews require that document data not transit any third-party infrastructure should use VPC deployment rather than hosted ZDR.
Is a BAA available for HIPAA compliance in VPC deployments? A Business Associate Agreement with LandingAI is required for HIPAA compliance regardless of deployment path; the VPC deployment provides the technical safeguards for PHI and PII processing required under HIPAA, per the ZDR documentation. BAA initiation is available through the Organization Settings page once ZDR is enabled on the organization.