Why Deployment Choice Matters More Than You Think
When you're setting up a reporting system for invoices, statements, certificates, or audit reports, the deployment question isn't just about where servers live. It's about who manages what, how your data flows, and what trade-offs you're willing to accept between control and convenience.
Most teams approach this decision backwards. They start with IT preferences ("we do everything on-prem" or "we're cloud-first") without considering what actually matters for their reporting workload. Then they discover unexpected limitations months later when scaling up or integrating new data sources.
The reality is that reporting systems have unique operational characteristics that don't map cleanly to generic cloud-versus-on-premise debates. You're generating PDFs that contain sensitive data, scheduling batch jobs that run at specific times, connecting to databases that might have strict access controls, and delivering documents through email or file storage systems that have their own security requirements. Each deployment model handles these challenges differently, and the right choice depends entirely on your specific operational constraints and priorities.
Understanding Your Deployment Options
CxReports supports both deployment models, giving you flexibility to choose based on your actual requirements rather than vendor limitations. Let's explore what each option really means in practice.
On-Premise Deployment: Maximum Control
On-premise deployment means running CxReports on your own infrastructure—whether that's physical servers in your data center, virtual machines on your private cloud, or containers in your own Kubernetes cluster. You have complete control over every aspect of the system, from network configuration to upgrade timing to data storage locations.
This deployment model provides maximum security in the traditional sense. Your reporting system runs entirely within your network perimeter, never exposing data to external networks unless you explicitly configure outbound connections. Data connections stay internal—your database credentials never leave your network, your queries execute over private network segments, and generated PDFs remain in your controlled environment until you decide how to deliver them. This is the fully controlled environment that compliance officers and security teams often prefer.
Local data connections work seamlessly in this model because everything runs on your internal network. Your SQL databases, MongoDB instances, and internal APIs are all accessible through standard network connectivity without worrying about firewall rules for external cloud services. If you have strict data residency requirements or regulations that prevent data from crossing certain boundaries, on-premise deployment ensures you maintain complete control over where data lives and flows.
The trade-off for this control is operational responsibility. You manage all system updates, security patches, backup procedures, disaster recovery planning, and capacity scaling. When CxReports releases a new version with features you need, you must schedule and execute the upgrade yourself. When report volume spikes during month-end processing, you need sufficient infrastructure capacity already provisioned. When your SMTP server has issues, you troubleshoot and fix the email delivery problems yourself.
Cloud Deployment: CxReports Managed Service
Cloud deployment means subscribing to CxReports' managed cloud service where CxReports handles all infrastructure, maintenance, and operational concerns. You access CxReports through a web browser, and the system runs on infrastructure managed entirely by CxReports in professional data centers located in the EU, US, or Australia.
The primary advantage of cloud deployment is simple maintenance—in most cases, zero maintenance on your part. System updates happen automatically without your involvement, security patches apply immediately as CxReports releases them, and infrastructure scaling happens transparently as your reporting volume grows. You don't manage servers, databases, security certificates, or any underlying infrastructure. Your team focuses entirely on designing report templates, configuring data sources, and ensuring reports meet business requirements. There are no operating system updates, no database maintenance windows, and no infrastructure monitoring for you to handle.
Cloud deployments stay always up to date with the latest CxReports features and improvements. When CxReports releases new capabilities like enhanced chart types, additional data source connectors, or improved template designer functionality, you get access immediately without upgrade projects or deployment coordination. Security improvements and bug fixes apply automatically, ensuring your reporting system benefits from continuous improvements without any effort on your part.
Built-in HTTPS and web firewall protection come standard with CxReports' cloud service. The platform includes enterprise-grade TLS certificates, DDoS protection, and web application firewalls without requiring any configuration or management from your team. You get professional network security infrastructure that would require significant expertise and investment to build yourself. This is particularly valuable for smaller teams that don't have dedicated security engineering resources or large IT departments.
The significant limitation of cloud deployment is that it works only with cloud-accessible data sources. Your databases, APIs, and file storage must be accessible over the internet with appropriate security measures. This typically means cloud-hosted databases like AWS RDS, Azure SQL Database, or Google Cloud SQL that accept secure connections from CxReports' IP ranges. If your data sources are strictly internal on-premise systems with no external connectivity, you'll need to establish secure connectivity through VPN tunnels, database replication to cloud instances, or using CxReports' data agent pattern where queries execute on-premise and only results flow to the cloud.
Data center location is a critical decision point for cloud deployments. CxReports offers data centers in the EU for organizations subject to GDPR requiring European data processing, the US for American companies with data sovereignty requirements or regulatory frameworks expecting US-based processing, and Australia for Asia-Pacific organizations needing regional data residency. You choose your data center region during onboarding, and this determines where your templates, configurations, and generated reports are processed. Selecting the appropriate region ensures compliance with your applicable data protection regulations.
Making the Right Choice for Your Business
The decision between on-premise and cloud deployment should be driven by your actual operational requirements, not abstract preferences. Here's how to think through the choice systematically.
Choose On-Premise If You Need
Maximum Security with Air-Gapped Infrastructure. If your security requirements mandate that reporting systems never connect to external networks, on-premise is your only viable option. Regulated industries like defense contracting, certain healthcare environments, and government agencies often have these strict air-gap requirements. Your security team may have determined that even encrypted connections to managed cloud services introduce unacceptable risks. In these scenarios, on-premise deployment ensures the reporting system operates entirely within your controlled network boundary.
Local Data Connections Without External Access. If your databases and data sources are on private networks with no external connectivity allowed—and you can't or won't change that architecture—on-premise deployment keeps everything internal. Your database administrators may have policies against allowing inbound connections from cloud IP ranges, even through VPNs. Your data might be so sensitive that network policies prohibit any external data flows, even encrypted. On-premise deployment respects these constraints while still providing robust reporting capabilities.
Complete Control Over Upgrade Timing and Versions. If your business requires tight control over when systems change, on-premise gives you that control. Perhaps you need to coordinate reporting system updates with fiscal year-end processing, or you need extensive testing periods before accepting any system changes. Maybe you have compliance requirements that demand formal change control processes with weeks of advance notice. On-premise deployment allows you to lock versions, test thoroughly in staging environments that exactly match production, and upgrade only when your business processes permit.
Existing Infrastructure Investment and Operations Expertise. If you already have mature operations teams managing containerized applications, database infrastructure, and monitoring systems, on-premise deployment leverages your existing investment. Your operations team knows how to deploy, monitor, and troubleshoot containerized applications. Your network team has established patterns for internal service communication. Your security team has policies and procedures for managing internal infrastructure. On-premise deployment fits naturally into your existing operational model without introducing new management overhead.
Choose Cloud If You Need
Fast Implementation Without Infrastructure Setup. If you need reporting capabilities quickly without spending weeks on infrastructure provisioning, CxReports' cloud service gets you operational in days rather than months. You don't need to procure servers, provision virtual machines, configure networks, or set up database clusters—CxReports handles all infrastructure as part of the managed service. Simply sign up, choose your data center region, and start building report templates. For businesses launching new reporting capabilities or replacing legacy systems on tight timelines, cloud deployment eliminates infrastructure setup entirely.
Minimal Ongoing Maintenance Overhead. If your team is small and already stretched thin managing other systems, CxReports' cloud service eliminates operational burden. You don't need dedicated operations staff monitoring infrastructure, applying security patches, or troubleshooting server issues. CxReports manages all infrastructure, databases, security certificates, and platform updates as part of the service. Your team focuses entirely on building templates, connecting data sources, and ensuring reports meet business requirements rather than managing servers and infrastructure.
Automatic Scaling for Variable Workload. If your reporting volume fluctuates significantly—perhaps you generate thousands of reports at month-end but only dozens daily otherwise—CxReports' cloud service scales automatically to handle your workload without requiring any configuration or intervention from your team. During quiet periods, you use minimal resources. During month-end processing spikes, the platform scales transparently to handle increased load. You don't provision capacity, adjust resource limits, or worry about whether infrastructure can handle peak volumes. This elasticity is particularly valuable for seasonal businesses or companies with irregular reporting cycles.
Cloud-Hosted Data Sources Already in Place. If your databases and data sources already run on cloud platforms like AWS RDS, Azure SQL Database, or Google Cloud SQL, CxReports' cloud service connects naturally to these data sources. Since both your data and the CxReports service live in cloud environments with internet connectivity, establishing secure connections is straightforward through firewall rules and VPN if needed. If you're already committed to cloud infrastructure for data storage, using CxReports' cloud service creates architectural alignment without requiring you to manage additional infrastructure.
Professional Infrastructure Without In-House Expertise. If you don't have in-house expertise for managing containerized applications, database clusters, or high-availability infrastructure, CxReports' cloud service provides professional-grade infrastructure without requiring these skills. CxReports manages the complexity of running reporting infrastructure reliably—load balancing, database replication, backup procedures, disaster recovery—as part of the managed service. For businesses that want robust reporting capabilities without building infrastructure expertise, cloud deployment provides enterprise-grade reliability through a simple subscription.
Deployment Architecture Considerations
Beyond the basic cloud-versus-on-premise decision, several architectural considerations affect how you actually deploy and operate CxReports.
Data Connectivity Patterns
The most critical architectural decision is how CxReports connects to your data sources. In on-premise deployments, data connectivity is straightforward—everything runs on internal networks with standard database connection strings and private IP addresses. Your PostgreSQL database, MongoDB cluster, and internal REST APIs are all accessible through internal DNS names and private routing. No special network configuration is required beyond standard internal firewall rules.
CxReports' cloud service requires that your data sources be accessible over secure connections from the internet. If your data sources already run on cloud platforms (AWS RDS, Azure SQL, Google Cloud SQL), connectivity is typically straightforward—configure your database firewall rules to accept connections from CxReports' IP addresses, establish secure SSL/TLS connections for all data transfers, and optionally set up VPN tunnels for additional network security. If your data sources are on-premise and must remain internal, you have several options: establish VPN connectivity between your network and CxReports' cloud service, replicate necessary data to cloud-accessible databases through your own replication processes, or use CxReports' data agent pattern where queries execute on-premise within your network and only query results (not raw data) flow to the cloud service for report generation.
The data agent pattern is particularly valuable for organizations with strict data residency requirements or highly sensitive data that cannot be directly accessed from external systems. The agent runs within your controlled network, executes queries against your internal databases, and sends only the filtered query results to CxReports cloud service for PDF generation. This keeps your raw operational data internal while still leveraging the operational benefits of the cloud service for report generation and delivery.
Authentication and Access Control
Authentication patterns differ significantly between deployment models. On-premise deployments typically integrate with existing enterprise authentication systems through Active Directory, LDAP, or internal single sign-on providers. Your users authenticate using the same credentials they use for other internal systems, and access control policies align with your existing security model. CxReports can respect your internal network access policies, potentially requiring VPN connections for remote users or limiting access to users on the corporate network.
CxReports' cloud service uses modern web-based authentication that supports access from anywhere. Users authenticate directly through the CxReports interface with email and password, or through integrated authentication with Google or Microsoft accounts if you enable these options. Personal Access Tokens provide API authentication for automated integrations and programmatic access. Role-based access control through workspaces ensures different teams, departments, or customers can't access each other's templates or reports. The system is designed for remote access—your users can securely access the reporting system from any location with internet connectivity and proper credentials.
Document Delivery and Storage
How you deliver generated reports and where you store them depends significantly on your deployment model. On-premise deployments typically deliver reports through your internal email servers using SMTP configuration you control, store generated PDFs on internal file storage or network-attached storage within your infrastructure, and may integrate with internal document management systems. All artifact storage happens within your controlled infrastructure, making it straightforward to apply your existing data retention and deletion policies.
CxReports' cloud service delivers reports through configured email (using your SMTP settings or integrated email delivery) and can upload reports to Google Drive folders you specify with appropriate permissions. For long-term storage, you're responsible for managing document retention in these delivery destinations—CxReports generates and delivers the reports, but doesn't provide long-term document archival as part of the cloud service. If you need reports stored in specific locations for compliance, configure delivery to those locations (Google Drive folders, email to archival systems) or retrieve generated PDFs via API and store them in your chosen systems.
Practical Deployment Guidance
Once you've decided on your deployment model, here's how to actually implement it successfully.
On-Premise Deployment Steps
Start with the Docker deployment documentation, which provides a tested, containerized approach that works consistently across different infrastructure platforms. The Docker deployment guide walks through creating the necessary configuration files, setting up the PostgreSQL database, and configuring encryption keys for sensitive data protection.
Your infrastructure team will provision the necessary compute resources—typically virtual machines or Kubernetes pods with sufficient CPU and memory for your expected report generation volume. CxReports runs as a containerized application, making it portable across different container orchestration platforms. You'll need persistent storage for the PostgreSQL database and log files, and you must ensure this storage has appropriate backup procedures configured.
Network configuration requires careful planning. You'll configure firewall rules to allow internal access to the CxReports web interface (typically port 8080 or your chosen port), ensure the application can connect to your PostgreSQL database server, allow outbound connections to your SMTP server for email delivery, permit connections to your data sources (SQL databases, MongoDB, APIs), and potentially allow outbound connections to Google APIs if you use Google Sheets data sources or Google Drive document delivery.
Database connectivity uses standard connection strings pointing to your internal database servers. CxReports supports PostgreSQL, MySQL, SQL Server, and MongoDB, all configured through simple connection string parameters. Your database administrators will create service accounts with appropriate permissions, and you'll store these credentials securely in the encrypted configuration file.
Security configuration involves generating unique encryption keys using OpenSSL (the documentation provides the exact commands), securely storing these keys and other sensitive configuration in the appsettings.Production.json file (which Docker Compose mounts as a secret), configuring SMTP credentials for email delivery, and setting up role-based access control within CxReports to match your internal security policies.
Ongoing operations require regular backups of the PostgreSQL database (which contains all template definitions, configurations, and metadata), monitoring log files for errors or performance issues, applying CxReports updates when new versions are released (following a test-in-staging-first workflow), and monitoring system resource usage to ensure sufficient capacity for your report generation volumes.
Cloud Deployment Steps
Cloud deployment with CxReports' managed service is significantly simpler than self-hosted infrastructure. Begin by signing up for CxReports cloud service and selecting your data center region during onboarding. Choose EU if you're subject to GDPR or have European data residency requirements, US for American companies with data sovereignty requirements, or Australia for Asia-Pacific operations. This region selection determines where your templates and report processing occur, so align it with your compliance requirements upfront.
Configure connectivity to your data sources by providing connection strings for your cloud-hosted databases (AWS RDS, Azure SQL, Google Cloud SQL) or establishing VPN connectivity if your data sources are on-premise. Work with the CxReports team to whitelist the service IP addresses in your database firewalls. Test connectivity thoroughly before building production templates to ensure stable access to your data.
Set up authentication and access control by creating users and assigning them to appropriate workspaces and roles based on your organizational structure. Configure Personal Access Tokens for any API integrations or automated processes that need to trigger report generation programmatically. If you want users to authenticate with Google or Microsoft accounts, enable these authentication options in the workspace settings.
Configure delivery options for generated reports by setting up SMTP if you'll deliver reports via email, specifying Google Drive folders if you'll archive reports to Drive, or planning API retrieval patterns if your applications will fetch generated PDFs programmatically. Test each delivery method to ensure reports reach their intended destinations reliably.
Begin building report templates using the visual template designer, connecting to your configured data sources and creating professional layouts with your branding. Since CxReports manages all infrastructure, you focus entirely on template design and business logic rather than server configuration or infrastructure management.
Security Considerations for Both Models
Regardless of which deployment model you choose, certain security practices are non-negotiable for production reporting systems handling sensitive business data.
Encryption of Sensitive Data. CxReports requires encryption configuration for protecting sensitive data stored in the database, including database connection strings, API credentials, and license keys. The Docker documentation provides specific commands using OpenSSL to generate secure encryption keys and initialization vectors. Never use the example keys from documentation in production—generate unique keys for each deployment and protect them as you would protect database credentials.
Secrets Management. Never commit sensitive configuration including database passwords, SMTP credentials, API keys, or encryption keys to source control repositories. In on-premise deployments, use encrypted configuration files with strict file permissions or integrate with enterprise secrets management systems like HashiCorp Vault. In cloud deployments, use cloud provider secrets management services like AWS Secrets Manager, Azure Key Vault, or Google Secret Manager. CxReports supports both file-based configuration and environment variable injection, making it compatible with most secrets management approaches.
Role-Based Access Control. CxReports provides comprehensive role-based access control through workspaces and roles. The Workspaces documentation and Roles documentation explain how to configure tenant isolation and least-privilege access. Configure workspaces to separate different business units, customers, or sensitivity levels, define roles that grant only the permissions users actually need, regularly review user access and remove unnecessary privileges, and audit access logs to detect unusual patterns or potential security issues.
Network Security. Lock down network access to expose only what's necessary. For web interfaces, use TLS for all connections and consider limiting access to specific IP ranges if users connect from known locations. For APIs, require authentication using Personal Access Tokens with appropriate scopes and consider rate limiting to prevent abuse. For database connections, allow only the CxReports application to connect, use strong passwords or certificate-based authentication, and enable connection logging for audit purposes. For SMTP and delivery services, allow only outbound connections initiated by CxReports and monitor for unusual volumes or destinations that might indicate compromise.
Regular Updates and Patching. Keep CxReports updated to receive security patches and bug fixes. The release notes identify security-related updates that should be prioritized. In cloud deployments, updates may apply automatically or with minimal intervention. In on-premise deployments, you must monitor for new releases and schedule updates appropriately. Test updates in non-production environments before applying to production to ensure they don't break your specific templates or integrations.
Common Mistakes to Avoid
Based on real-world deployments, here are pitfalls teams frequently encounter and how to avoid them.
Choosing Based on IT Preferences Rather Than Requirements. Many teams default to "we prefer cloud" or "we only do on-premise" without evaluating their actual reporting requirements. This leads to awkward workarounds when the chosen deployment model doesn't fit the use case well. Evaluate your data connectivity needs, security requirements, and operational capabilities honestly before deciding. If your data sources are strictly internal with no external connectivity, CxReports' cloud service will require VPN infrastructure regardless of your general cloud preference. Conversely, if you choose on-premise deployment but lack infrastructure operations expertise, you may struggle with maintenance and updates.
Underestimating On-Premise Operational Overhead. Teams choose on-premise for security reasons but fail to allocate sufficient resources for ongoing operations. Updates get deferred because "we're too busy," backups aren't tested, and monitoring is informal. If you choose on-premise deployment, commit to the operational responsibility. Assign clear ownership for updates, backups, monitoring, and incident response. If you can't commit to proper operations, cloud deployment may be the safer choice despite security trade-offs.
Neglecting Data Connectivity Planning for Cloud Service. Teams subscribe to CxReports' cloud service without thinking through how it will securely connect to their on-premise data sources. They discover after signup that their network security policies don't allow external connections, leading to emergency VPN setup or database replication projects. Plan data connectivity before subscribing. If your data sources are on-premise and highly restricted with no external connectivity, you'll need VPN infrastructure or database replication to cloud instances. Alternatively, on-premise deployment of CxReports may be the simpler choice that avoids these connectivity challenges entirely.
Using Default Encryption Keys in Production. The documentation includes example encryption keys for getting started quickly. Teams sometimes deploy these example keys to production, essentially leaving their database unencrypted. Always generate unique encryption keys for production deployments using the provided OpenSSL commands. Treat these keys with the same security you apply to database credentials—they protect your most sensitive configuration data.
Ignoring Regional Data Residency Requirements. CxReports' cloud service requires choosing a specific data center region during signup. Teams sometimes choose regions based on convenience or default options without considering data residency regulations. If you're subject to GDPR, processing EU citizen data in US data centers may violate compliance requirements. If you have contractual data sovereignty obligations, processing data in the wrong country creates legal exposure. Evaluate data residency requirements before subscribing to the cloud service, choose the appropriate region (EU, US, or AU), and document your decision for compliance audits.
Skipping Backup Testing. Both deployment models require regular backups of the database containing all template definitions, configurations, and operational data. Many teams set up automated backups but never test restoring from those backups. When they eventually need to restore after data corruption or infrastructure failure, they discover backup issues too late. Test backup restoration regularly—at least quarterly—to ensure you can actually recover if needed. Restoration testing should include validating that restored systems work correctly, not just that restoration completes without errors.
Getting Started
Ready to deploy CxReports? Here's your practical starting point based on your chosen deployment model.
For On-Premise Deployment
Begin with the Docker deployment documentation, which provides the most straightforward on-premise deployment path. This containerized approach works across different infrastructure environments and gives you a tested, reliable deployment pattern. Work through the documentation step by step, paying particular attention to generating unique encryption keys, configuring database connections to your internal PostgreSQL server, setting up SMTP configuration for email delivery from your internal mail servers, and configuring network access appropriate for your internal policies.
Once you have the basic system running, focus on operational readiness before rolling out to users. Set up monitoring and alerting so you know if the system has issues before users report problems. Establish backup and restore procedures with tested recovery processes. Plan your upgrade process including how you'll test updates in staging before production. Assign clear operational ownership so everyone knows who's responsible for keeping the system running. Document your configuration and operational procedures so knowledge isn't stuck in one person's head.
For CxReports Cloud Service
Contact CxReports to discuss your requirements including expected report volumes, required data center region (EU, US, or AU), and data source connectivity needs. During onboarding, you'll select your data center region based on your compliance requirements and user locations. CxReports will provide connection details and IP addresses for firewall whitelisting if your data sources need to accept connections from the cloud service.
Configure connectivity from the cloud service to your data sources by updating firewall rules to allow CxReports' IP addresses, establishing VPN connectivity if required by your security policies, or configuring database replication if data must remain primarily on-premise. Test connectivity thoroughly before building production templates.
Set up your workspace, users, and roles within the CxReports cloud interface. Create workspaces for different departments or business units that need isolation, define roles with appropriate permissions for template designers versus report viewers, and configure authentication options (email/password, Google, or Microsoft single sign-on). Configure delivery methods including SMTP settings for email delivery and Google Drive connections for document archival.
Begin building and testing your report templates using the visual designer, connecting to your configured data sources and ensuring generated reports meet your quality and branding requirements. Since CxReports handles all infrastructure management, you focus entirely on template design and business logic.
Conclusion
The choice between on-premise and cloud deployment for your reporting system isn't about which model is better in the abstract. It's about which model fits your actual operational requirements, data connectivity constraints, security obligations, and available operational resources.
On-premise deployment provides maximum security through controlled infrastructure, supports local data connections without external network access, and gives you complete control over system timing and versions. This model works best when you have strict data residency requirements, when your data sources are tightly secured on internal networks, or when you already have mature infrastructure operations that can properly manage the system.
CxReports' cloud service offers zero-maintenance operations where CxReports manages all infrastructure, ensures you stay always up to date with latest features and security patches automatically, and provides built-in HTTPS and web firewall protection as part of the managed service. This model works best when you need fast implementation without infrastructure setup, when your team is small and operational overhead is a concern, or when your data sources are cloud-accessible and you prefer to focus on reporting rather than infrastructure management.
Both deployment models can be secure and operationally sound if implemented properly. The key is matching the deployment choice to your real requirements rather than abstract preferences, planning data connectivity carefully before deployment rather than discovering issues afterward, and committing to proper operational practices regardless of which model you choose.
Ready to deploy CxReports?
Explore the Docker deployment guide for on-premise deployment, review the AWS hosting documentation for cloud deployment, or contact our team to discuss which deployment model best fits your specific requirements.