Docs · Last updated 2026-05-26

Deployment

There are three deployment modes. The right one depends on where your CUI is allowed to live and how much infrastructure you want to run yourself.

Comparison

| | Hosted SaaS | On-Prem Docker | Air-Gapped |
| --- | --- | --- | --- |
| Who runs it | Cipher One Tech | You | You |
| Internet required | Yes | Yes (outbound only) | No |
| CUI residency | US-East AWS (FedRAMP-aligned) | Your data center / cloud | Your data center, no egress |
| FIPS 140-3 crypto | Yes (OpenSSL FIPS) | Yes (host OS in FIPS mode) | Yes (host OS in FIPS mode) |
| Updates | Automatic | Pull from registry | Signed offline bundle |
| Setup time | ~10 minutes | ~2 hours | ~4 hours |
| Best for | L1/L2 subs with no CUI residency rules | L2/L3 with in-house ops team | L3 enterprise with classified-adjacent CUI |

Hosted SaaS

This is the default offering. We run it for you on AWS US-East. Tenants are isolated at the database level via the Stancl multi-tenancy package: each tenant has its own MySQL database, its own storage prefix, and its own session pool. The central database holds only tenant metadata and billing.

Provisioning is automatic on Stripe checkout completion: a new tenant database is created, migrations run, and the admin user is invited via email. Time from payment to login is under 60 seconds.

SLA: 99.9% monthly uptime. Backups run every 6 hours and are retained for 30 days. Off-site backups go to S3 with cross-region replication.

On-Prem Docker

Infrastructure requirements

  • Linux host: RHEL 9, Ubuntu 22.04 LTS, Rocky 9, or Debian 12. FIPS overlay supported.
  • Docker 24+ with docker-compose v2.
  • 4 vCPU, 8 GB RAM minimum for up to 100 users. Add 1 vCPU + 2 GB per additional 100 users.
  • 50 GB disk for the app + database, plus 1 GB per 500 documented controls or POAMs.
  • Outbound HTTPS to registry.readylinegrc.com (image pulls), api.anthropic.com (AI features, optional), api.stripe.com (billing, N/A for on-prem perpetual licenses).
  • Public DNS + Let's Encrypt cert, OR your own internal CA cert + manual hostname.

Network topology

                        ┌─────────────────────────────────────┐
                        │  TLS termination + WAF (nginx)      │
                        │  Port 443 inbound                   │
                        └─────────────────┬───────────────────┘
                                          │
                            ┌─────────────┴─────────────┐
                            │ Readyline app (PHP-FPM)   │
                            │ Stateless, horizontal     │
                            └─────────────┬─────────────┘
                                          │ TLS optional
                            ┌─────────────┴─────────────┐
                            │  MySQL 8.0  (encrypted)   │
                            │  + Redis cache + queue    │
                            └───────────────────────────┘

Install

curl -fsSL https://docs.readylinegrc.com/install.sh -o install.sh
sudo bash install.sh --hostname grc.your-domain.com --license YOUR-LICENSE-KEY

# After ~5 minutes:
#   - Docker compose stack up
#   - DB initialized + migrated
#   - Admin invite email sent

# Verify:
docker compose -f /opt/readyline/docker-compose.yml ps

Upgrade

cd /opt/readyline
docker compose pull
docker compose down
docker compose run --rm app php artisan migrate --force
docker compose up -d

Releases follow semver. Patch releases are deploy-safe (no manual steps). Minor releases may add new env vars (documented in CHANGELOG.md). Major releases are quarterly and include a migration script with rollback notes.

Air-Gapped

Same Docker stack as on-prem, but the image pull happens off the host. We ship a signed bundle (.tar.gz + .sig) on USB or via the customer's secure transfer method. The bundle includes the application image, the MySQL image, the Redis image, and a verification script.

Install

# Verify signature on a trusted host before crossing the air gap
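# Name the signed file explicitly so gpg does not have to infer it from the .sig name
gpg --verify readyline-v0.7.0-airgap.tar.gz.sig readyline-v0.7.0-airgap.tar.gz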

# On the air-gapped host:
tar xzf readyline-v0.7.0-airgap.tar.gz
cd readyline-v0.7.0-airgap
docker load -i images/readyline-app.tar
docker load -i images/mysql.tar
docker load -i images/redis.tar
sudo bash install.sh --offline --hostname grc.internal --license LIC

Updates

Update bundles ship quarterly. Each bundle is GPG-signed by our release key (fingerprint published at readylinegrc.com/.well-known/pgp-key.txt). The update process is a docker load of the new images plus a docker compose restart with php artisan migrate --force for any schema changes.
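
gpg --verify succeeds for a good signature from any key in the local keyring, so the install and update steps above depend on also checking that the signer is the release key. The following is an added example (not Readyline's bundled verification script) that pins verification to one full fingerprint by parsing GnuPG's machine-readable status output. EXPECTED_FPR is a placeholder, and the function names and sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept the bundle only if the signature is good AND was made
# by the pinned release key. The value below is a placeholder, not the real
# release-key fingerprint; obtain the real one over a channel you trust.
EXPECTED_FPR="REPLACE-WITH-40-HEX-RELEASE-KEY-FINGERPRINT"

# Strip whitespace and upper-case a fingerprint so "abcd 1234 ..." compares equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# $1 = text captured from `gpg --status-fd`, $2 = expected fingerprint.
# Returns 0 on a pinned good signature, 1 on mismatch/bad, 2 if $2 is too short.
status_matches_fpr() {
  _want=$(normalize_fpr "$2")
  # Short key IDs can collide; insist on a full fingerprint (40+ characters).
  [ "${#_want}" -ge 40 ] || return 2
  printf '%s\n' "$1" | awk -v want="$_want" '
    $1 != "[GNUPG:]" { next }
    $2 == "GOODSIG"  { good = 1 }
    # VALIDSIG is also emitted for expired or revoked keys, so reject those states.
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    # Field 3 is the signing (sub)key fingerprint, the last field the primary key.
    $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { pinned = 1 }
    END { if (good && pinned && !bad) exit 0; exit 1 }'
}

# $1 = bundle (.tar.gz), $2 = detached signature (.sig), $3 = expected fingerprint.
verify_bundle() {
  _status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
  status_matches_fpr "$_status" "$3"
}

# Constructed status output (fingerprints are made up) for a dry run without gpg.
SAMPLE_PRIMARY="0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed Release Key <release@example.invalid>
[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2026-05-01 1777593600 0 4 0 1 8 00 $SAMPLE_PRIMARY"

# Typical call on the trusted host (file names from the install steps above):
#   verify_bundle readyline-v0.7.0-airgap.tar.gz \
#                 readyline-v0.7.0-airgap.tar.gz.sig "$EXPECTED_FPR" || exit 1
```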

Data import / export

On install, the platform can ingest:

  • Existing SSP narratives (DOCX, ODT), parsed and mapped to NIST control IDs.
  • POAM spreadsheets (CSV, XLSX), with a column-mapping wizard for common formats (eMASS export, CMMC-AB CRM, Excel-based POAM templates).
  • NIST 800-171 self-assessment scores (XLSX, OSCAL JSON).

On export, every artifact can be produced in PDF (DomPDF), DOCX (PhpWord), OSCAL JSON, or CSV. The CLI command php artisan tenant:export dumps the full tenant into a portable archive for offboarding.