Data sovereignty
Can sensitive prompts, embeddings, traces, and outputs remain in an approved region or private boundary?
// PROCUREMENT_LAYER
Cocoshede blueprints reference infrastructure categories, not vendor hype. This catalog gives leaders a structured shortlist for the common procurement layers behind private, governed AI adoption.
// BUYER_FILTERS
Vendor procurement should follow the target architecture, not the other way around. Use these filters to separate useful infrastructure from attractive demos that create governance debt.
Can sensitive prompts, embeddings, traces, and outputs remain in an approved region or private boundary?
Does the vendor fit the architecture lane: public API, private cloud, VPC, self-hosted, or on-premise?
Who operates reliability, updates, monitoring, access control, incident response, and model evaluation?
What becomes variable cost: tokens, GPU hours, storage, traces, evaluations, or support seats?
// PROCUREMENT_LANES
Cocoshede blueprints recommend infrastructure by lane. This prevents a team from buying sovereign infrastructure for a low-risk experiment or using a public API path for regulated workflow automation.
Lane 01
Managed model platform
Managed vector layer
AI gateway
Use when leadership needs evidence quickly and data sensitivity is moderate.
Lane 02
Private inference hosting
Vector database
Observability and evaluation
Use when the workflow touches customer records, internal IP, regulated documents, or repeatable high-volume operations.
Lane 03
Self-hosted inference
Self-hosted vector store
Security and output guardrails
Use when public API dependency, residency, or model-call exposure is unacceptable.
Strong fit for MVP and mid-market teams already comfortable with Postgres governance.
SLA: Managed database SLA by plan
Managed cloud Postgres
GDPR: EU region available
HIPAA: Provider-dependent BAA review required
No
Teams that want a pragmatic vector layer close to relational application data.
Useful when sovereignty or self-hosting is a major buying criterion.
SLA: Enterprise SLA available
Cloud, private cloud, self-hosted
GDPR: EU hosting and self-hosting options
HIPAA: Enterprise review required
Yes
Private retrieval layers where teams need vector search portability and deployment choice.
Requires internal ML platform maturity or an implementation partner.
SLA: Depends on hosting provider and internal SRE coverage
Self-hosted / private cloud
GDPR: Customer-controlled deployment
HIPAA: Customer-controlled deployment
Yes
Serving open-weight models in private GPU environments with strong throughput requirements.
Strong candidate when the target architecture already lives in AWS.
SLA: AWS service SLA
Managed cloud
GDPR: Regional controls available
HIPAA: Eligible service review required
No
Enterprises standardizing AI adoption inside AWS procurement and security controls.
Evaluate when Azure AD, Purview, and Microsoft security tooling are already standard.
SLA: Microsoft cloud SLA
Managed cloud
GDPR: Regional controls available
HIPAA: Eligible service review required
No
Microsoft-centric enterprises requiring identity, governance, and procurement alignment.
Important once prototypes move from demo usage into governed production monitoring.
SLA: Enterprise plan dependent
Cloud, self-hosted
GDPR: EU and self-hosting options
HIPAA: Enterprise review required
Yes
Tracing prompts, model calls, evaluations, costs, and quality for production AI systems.
Useful for teams pursuing hybrid API routing without building gateway infrastructure first.
SLA: Enterprise SLA available
Managed edge
GDPR: Regional and enterprise controls dependent on plan
HIPAA: Enterprise review required
No
Centralized routing, caching, observability, and policy control across model providers.
Consider when report generation, extraction, or agent actions need deterministic gates.
SLA: Provider/implementation dependent
Open-source, managed options
GDPR: Deployment-dependent
HIPAA: Deployment-dependent
Yes
Schema validation, output constraints, and policy checks around LLM workflows.
// PROCUREMENT_NOTE
Treat every entry as a due-diligence starting point. Enterprise buyers should still validate data residency, contractual terms, support coverage, security documentation, and implementation ownership before selection. Cocoshede links blueprint recipes to categories so teams can compare realistic options without turning strategy into a vendor shopping exercise too early.
// FAQ
No. It is a procurement map. The right vendor depends on data sensitivity, deployment posture, operating maturity, and the workflow economics shown in the blueprint.
Usually no. Choose the architecture lane first, then evaluate vendors that fit the lane. Premature vendor selection often creates avoidable lock-in.
The catalog is presented as an architecture resource. Vendor choice should still go through your procurement, security, and legal review.
Ask where data is processed, what is retained, how access is controlled, how incidents are handled, and whether traces or prompts are used for training.