Why Enterprises Choose On-Premise Document Automation
Every day, enterprises generate thousands of personalized documents — contracts, invoices, compliance reports, employee communications, and regulatory filings. Each one contains sensitive business data: customer names, financial figures, legal terms, health records, and personally identifiable information.
For most organizations, cloud-based SaaS tools handle this well. But for enterprises operating under strict data governance, regulatory compliance, or security mandates, sending document data to third-party servers is not an option. That is where self-hosted document automation becomes essential.
Tip
Mergram Enterprise runs the same full-featured mail merge platform as the SaaS version, deployed on your own infrastructure via Docker. No data ever leaves your network.
The Business Case for Self-Hosted
Data Sovereignty and Residency
Data sovereignty laws require that certain types of data remain within specific geographic or organizational boundaries. The EU’s GDPR, for example, imposes strict requirements on transferring personal data outside the European Economic Area. Industry regulations in healthcare (HIPAA), financial services (SOX, PCI DSS), and government (FedRAMP, ITAR) impose similar constraints.
When you use a cloud SaaS tool for document generation, your template files, spreadsheet data, and generated documents all pass through the vendor’s infrastructure. Even if the vendor is compliant, the data path itself may violate your organization’s data residency policies or contractual obligations with clients.
Self-hosted deployment eliminates this concern entirely:
- Templates and data never leave your network — all processing happens on servers you control
- Storage is yours — local filesystem, your own S3 bucket, or your private MinIO instance
- Database stays on-premise — PostgreSQL runs within your infrastructure, no external connections
- Full audit trail — every merge job is logged with timestamps, template IDs, and row counts
Air-Gapped and Restricted Networks
Some environments have no internet access at all — classified government facilities, industrial control networks, research labs, and certain financial trading floors. In these environments, cloud tools are simply not usable, regardless of their compliance certifications.
Mergram Enterprise is designed for this scenario:
- No phone-home — The license is verified locally at startup using an embedded RSA public key. No outbound connection is made.
- No telemetry — No usage data, analytics, or tracking of any kind.
- No CDN dependencies — All assets are bundled in the Docker image. The application serves itself.
- Offline-first architecture — After deployment, the application requires zero internet connectivity to operate.
Info
The license key is a JWT signed with RS256 (asymmetric RSA 2048-bit). The public key is embedded in the application — no shared secret exists on your server. Verification happens entirely locally at startup.
Cost Predictability at Scale
Cloud SaaS tools typically charge per document, per page, or per merge row. For enterprises generating tens of thousands of documents monthly, these per-unit costs accumulate significantly. A company processing 50,000 invoices per month at even $0.01 per row would spend $6,000 annually — and that cost scales linearly with volume.
Self-hosted deployment changes the cost model fundamentally:
| Factor | Cloud SaaS | Self-Hosted |
|---|---|---|
| Per-document cost | $0.01–$0.10 per row | $0 — unlimited |
| Monthly caps | Yes — throttled or blocked | No — limited only by hardware |
| Billing surprises | Possible with volume spikes | None — fixed license fee |
| Cost at scale | Grows linearly | Fixed, regardless of volume |
| Infrastructure cost | Included in per-unit price | Your server cost (often lower) |
For high-volume use cases — batch invoicing, regulatory filing, insurance claims processing — the break-even point between SaaS per-unit pricing and self-hosted infrastructure cost is often reached within the first few months.
Regulatory Compliance
Different industries face different compliance requirements, but the common thread is control over data:
| Regulation | Requirement | How Self-Hosted Helps |
|---|---|---|
| GDPR | Personal data must stay within EEA or equivalent | Data never leaves your infrastructure — no cross-border transfer |
| HIPAA | PHI must be protected with administrative, physical, and technical safeguards | Self-hosted deployment + encryption at rest + access controls |
| SOX | Financial reporting controls and audit trails | Full job logging, role-based access, retention policies |
| ITAR | Defense-related data must not leave the US | On-premise deployment within US borders, no external transmission |
| PCI DSS | Cardholder data must be protected | Document generation happens within your secure network |
| SOC 2 | Service organization controls for security | You control the infrastructure, encryption, and access |
Warning
Self-hosted deployment is a necessary but not sufficient condition for compliance. You must also implement proper network security, access controls, encryption at rest, and audit procedures as required by your specific regulatory framework.
How Self-Hosted Document Automation Works
Architecture
Mergram Enterprise deploys as a set of Docker containers on your infrastructure:
| Component | Purpose |
|---|---|
| API Server | Web application and REST API (port 5555) |
| Worker | Background job processing (PDF merges, email campaigns) |
| PostgreSQL | Database for templates, jobs, users, configuration |
The entire stack runs within an isolated Docker network. Only the API server port is exposed — the database and worker have no external access.
Deployment Model
# Deploy with Docker Compose
docker compose -f docker-compose.enterprise.yaml up -dThe application supports any infrastructure you choose:
- On-premises servers — bare metal or VMs in your data center
- Private cloud — AWS VPC, Azure Virtual Network, GCP VPC
- Hybrid — database on managed service (RDS, Cloud SQL), application on your servers
- Air-gapped — fully offline, no internet dependency after deployment
Storage Options
| Option | When to Use |
|---|---|
| Local filesystem | Development, small deployments, single-server setups |
| S3-compatible | Production — AWS S3, MinIO, Cloudflare R2, Google Cloud Storage |
Storage is configured via environment variables. Switch between local and S3 without code changes.
Authentication
Control which login methods are available:
| Mode | Configuration |
|---|---|
| Email + Google | MERGRAM_AUTH_PROVIDERS=google,email (default) |
| Email only | MERGRAM_AUTH_PROVIDERS=email — no external identity provider needed |
| Google only | MERGRAM_AUTH_PROVIDERS=google |
The initial admin user is seeded automatically on first deployment. No external identity provider is required.
Enterprise Features
Security and Encryption
- No outbound connections — license verification, document generation, and email sending all happen locally
- AES-256-GCM encryption for SMTP passwords and OAuth tokens stored in the database
- HTTP-only session cookies signed with your
JWT_SECRET, withSecureflag in production - Per-document PDF encryption — password-protect individual merged PDFs with unique passwords per row
- Network isolation — Docker Compose uses an internal network with no external database port exposure
Integration and Automation
The REST API enables programmatic document generation from any system:
curl -X POST https://mergram.yourcompany.com/api/v1/merge \
-H "Authorization: Bearer YOUR_API_KEY" \
-d '{"templateId": "...", "data": [...]}'Common enterprise integration patterns:
- ERP-driven invoicing — Generate invoices triggered by your billing system
- HR system onboarding — Produce employee packets when new hires are entered
- CRM correspondence — Merge customer letters from Salesforce, HubSpot, or Dynamics data
- Compliance reporting — Schedule regulatory filings from internal data warehouses
- Legal contract generation — Populate contract templates from case management systems
Tip
Use Zapier or Make.com as a middleware layer between legacy systems and Mergram. Many enterprise platforms support webhook notifications that can trigger document generation workflows without custom API development.
Retention and Data Lifecycle
Self-hosted deployments give you full control over document retention:
- Configurable auto-purge — Set retention periods that match your compliance requirements
- Manual cleanup — Delete specific jobs or template history on demand
- Database-controlled — All metadata and file references are in your PostgreSQL database
- Storage separation — Generated files can be stored separately from the application container
Team Management
- Role-based access control — Assign owner, admin, or member roles to team members
- API key management — Generate, rotate, and revoke API keys for integrations
- Job logging — Every merge operation is recorded with user, template, row count, and timestamp
- Template permissions — Control who can create, edit, and run merge jobs on each template
Who Benefits Most from Self-Hosted
IT Directors and CISOs
Maintain complete control over your document generation pipeline. No third-party data access, no vendor lock-in for your data, no compliance gaps from external data processing. Deploy on infrastructure you already manage, behind firewalls and network policies you already control.
Compliance Officers
Self-hosted deployment provides a clear, auditable data path. Templates, source data, and generated documents all reside within your security perimeter. Retention policies are enforced on your schedule. Job logs provide the audit trail regulators require.
DevOps Teams
Mergram Enterprise is a standard Docker deployment — no exotic dependencies, no special infrastructure requirements. Integrate it into your existing CI/CD pipeline, monitoring stack, and backup procedures. Health check endpoints (/health, /health/worker) plug into Prometheus, Datadog, or your preferred monitoring tool.
Procurement Teams
Fixed-cost licensing eliminates usage-based billing surprises. No per-page charges, no monthly caps, no overage fees. The total cost of ownership is the license fee plus your infrastructure cost — both predictable and budgetable.
Industries That Require Self-Hosted
| Industry | Regulatory Driver | Typical Documents |
|---|---|---|
| Government & Defense | ITAR, FedRAMP, data sovereignty | Citizen correspondence, classified reports, procurement forms |
| Healthcare | HIPAA, HITECH | Patient forms, prescriptions, discharge summaries |
| Financial Services | SOX, PCI DSS, GLBA | Regulatory filings, audit reports, client statements |
| Legal | Attorney-client privilege, court rules | Contracts, NDA, court filings, engagement letters |
| Insurance | State regulations, NAIC | Claims forms, policy documents, underwriting reports |
| Energy & Utilities | NERC CIP, critical infrastructure | Compliance reports, safety documentation, permit applications |
| Pharmaceutical | FDA 21 CFR Part 11 | Clinical trial forms, regulatory submissions, batch records |
| Education | FERPA, state privacy laws | Student records, transcripts, enrollment forms |
Migration from Cloud to Self-Hosted
Organizations typically move to self-hosted document automation in three phases:
-
Evaluation — Test the self-hosted deployment on a staging server with real document templates and data. Verify merge output matches the SaaS version (it does — same codebase).
-
Parallel operation — Run self-hosted alongside existing cloud tools for a transition period. Migrate templates and workflows gradually. Use the REST API to integrate with existing automation.
-
Full migration — Decommission cloud document tools once all workflows are running on the self-hosted instance. Configure production security hardening (TLS termination, database SSL, secrets management).
Info
Mergram Enterprise runs the identical codebase as the SaaS version. Every feature works the same — visual field editor, QR codes, barcodes, image fields, custom fonts, email campaigns, PDF encryption, template management, and merge history. The only differences are unlimited generation and self-managed infrastructure.
Getting Started
Mergram Enterprise deploys in minutes on any infrastructure you control. Contact the Mergram team for a license key, deployment assistance, and integration guidance tailored to your compliance requirements.