Hydrate at enterprise scale.
One canonical memory across every team, every office, every on-call rotation. Self-hosted. Audited. Built for the moment someone has to fix code they've never seen.
Starting price
Starts at $96/seat/year (Team) and scales by deployment topology. Most 50 to 200 seat deployments land between $144 and $240 per seat per year. Talk to us for a precise quote.
The number is the floor; the configurable axes are seat count, sync-hub topology (single-region / multi-region / air-gapped), and support tier (see SLA below).
What leaves the customer perimeter
The first question every procurement review asks. Direct answer:
Stays inside the perimeter
- Source code (workstations + your git remotes)
- Session transcripts and extracted facts
- Canon, hydration packs, project memory
- Audit log (Sync Hub append-only store)
- Telemetry from Sync Hub (none by default; optional Prometheus / SIEM, both inside-perimeter)
Touches the outside, once
- Brew tap / MSI download at install time (outbound only, from your machine to GitHub Releases)
- Licence token validation at install + renewal (no session content attached)
- Self-hosted Sync Hub container image pulls (your choice of registry)
No prompts, completions, transcripts, facts, or canon ever transit the Hydrate vendor. The local ~/.hydrate/data.db SQLite file and the on-prem Sync Hub Postgres are the only stores. See /privacy for the full data-handling breakdown.
Cross-team knowledge sync
Dispersed workforce. Remote contractors. Three time zones, four offices, two acquisitions. Your team's hard-won decisions only exist in the heads of whoever was in the room.
Hydrate Enterprise pushes one canonical fact store to every developer's local Hydrate. A decision logged in London is visible to the developer in São Paulo before they open the file. Governance is git-shaped: CODEOWNERS on the canon repo, pull requests for changes, audit log on every edit.
Built on Team Memory as Git.
Zero-context firefighting
3 a.m. incident. The on-call developer has never touched the service that's down. The original team is asleep on another continent.
The on-call runs `hydrate pack-load <service>.hpack` and starts the session. Architecture, conventions, known-broken edges, past post-mortems: all already in the context window. First useful prompt in seconds, not hours.
Built on Hydration Packs + Team Memory as Git.
Enterprise capabilities
What Enterprise unlocks beyond Team:
| Capability | Included |
|---|---|
| Everything in Team | |
| Self-hosted sync hub | |
| SSO (SAML, OIDC) | |
| Audit log of every canon edit | |
| Custom retention policy per project | |
| Dedicated onboarding + support | |
Architecture
Local Hydrate runs on every developer's machine. The self-hosted Sync Hub runs inside the customer perimeter. The Hydrate vendor sees no runtime data.
src/content/enterprise/architecture.mmd; the
illustration above is the same topology in procurement-document form.
Deployment topology
| Component | Runs where | What it does |
|---|---|---|
| Hydrate workstation | Each developer's laptop / desktop | Local hydrate-server daemon owning ~/.hydrate/data.db (SQLite). Reads/writes during sessions; pushes/pulls canon to/from Sync Hub. |
| Sync Hub | On-prem or customer-owned VPC | Multi-tenant memory server. Postgres + pgvector for canon and facts; append-only audit DB; mTLS to workstations. |
| SIEM (optional) | Customer's existing SIEM | Receives a syslog / Splunk HEC / JSON-over-HTTPS push from the Sync Hub audit stream. Hydrate does not store events here; SIEM is the customer's copy. |
| SSO IdP | Customer's existing IdP (Okta, Entra, Auth0, Keycloak) | SAML 2.0 or OIDC. Sync Hub validates tokens at workstation login. |
| Container registry (optional) | Customer's choice (ECR, GHCR, Harbor, Quay) | Hosts the Sync Hub image. Pulled once per upgrade. Air-gapped customers mirror via offline tarball. |
Sync Hub sizing
| Team size | CPU | RAM | Storage | Notes |
|---|---|---|---|---|
| Up to 25 seats | 2 vCPU | 4 GB | 20 GB SSD | Single node is fine; nightly snapshot to S3 / blob storage. |
| 25 to 200 seats | 4 vCPU | 8 GB | 100 GB SSD | Single node; consider Postgres read replica. |
| 200 to 1000 seats | 8 vCPU | 16 GB | 500 GB SSD | HA pair behind a load balancer; managed Postgres recommended. |
| 1000+ seats | Custom | Custom | Custom | Multi-region active-active. Engagement scoped per topology. |
Network footprint is small: workstation sync is a few KB per minute on average (event-driven, not polling). Bandwidth ceiling is the audit-log push to SIEM, which scales linearly with canon-edit volume.
Outage behaviour
- Sync Hub unreachable: Workstation Hydrate continues to operate against the local `~/.hydrate/data.db`. Reads (context injection, recall) work as normal. Writes are queued locally and replayed on reconnect; conflict resolution is git-style three-way merge against the canon log.
- Workstation Hydrate process crashes: Hook shims fail-open per design invariant. The coding agent's session continues with no Hydrate context; no prompt is ever blocked on Hydrate availability.
- IdP outage: Existing session tokens remain valid until expiry (configurable, default 8h). New logins fail until IdP recovers (same behaviour as any other SAML-protected service).
- Hydrate vendor outage: No runtime impact. Vendor systems only serve licence validation at install/renewal, brew tap metadata, and container images. The runtime memory layer has no vendor dependency.
How to disable
Two-level kill switch.
- Per-developer: `hydrate setup --uninstall` removes the hook entries from `~/.claude/settings.json` / `~/.codex/config.toml` / `~/.vibe/hooks.toml` and stops the local daemon. Data at `~/.hydrate/` stays untouched (so it can be re-enabled later); use `--purge` to remove it too.
- Fleet-wide: Sync Hub admins can flip a kill switch that returns `410 Gone` to all workstation requests. Workstations honour the flag, drop their hooks on next startup, and become inert. Re-enable with one config flip.
Audit log: ready for your SIEM
Hydrate Enterprise writes an append-only audit stream from the self-hosted Sync Hub. Every event carries actor, target, before/after snapshot, source IP, user agent, and a versioned HMAC signature. The Sync Hub is the system of record; SIEM exports are push-style copies of the same stream.
- Event-type categories: canon edits (add / remove / edit / pin / unpin), facts (add / remove / edit / merge / export) and project lifecycle; sync operations (push, pull, conflict resolution); auth + admin (login, token issue/revoke, config / retention / role changes).
- Tamper-evidence: HMAC-SHA256 with a per-day rotating key signs every event; optional chained signing makes deletion or reordering detectable on batch verify.
- Export formats: syslog RFC 5424 over TLS, JSON over HTTPS POST, Splunk HEC, S3 batch dump (AES-256-GCM at rest).
Full audit log spec: schema, event catalogue, tamper-evidence, retention, export.
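The chained-signing idea in the tamper-evidence bullet above, as an added example (not Hydrate's code or schema). The per-day key derivation, the event fields, the genesis anchor and the MAC input layout are all assumptions made for illustration; the sketch shows why per-event HMACs alone miss a deleted event while a chain catches it on batch verify.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # assumed anchor chained into the first event of a batch

def day_key(master: bytes, day: str) -> bytes:
    """Assumed rotation: one HMAC key per UTC day, derived from a master secret."""
    return hmac.new(master, day.encode(), hashlib.sha256).digest()

def _mac(master: bytes, event: dict, prev: bytes) -> bytes:
    # Canonical JSON so signer and verifier hash identical bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    key = day_key(master, event["ts"][:10])  # YYYY-MM-DD prefix selects the day key
    return hmac.new(key, prev + body, hashlib.sha256).digest()

def sign_batch(master: bytes, events: list, chained: bool = True) -> list:
    """Sign events in order; when chained, each MAC also covers the previous MAC."""
    records, prev = [], GENESIS
    for ev in events:
        prev = _mac(master, ev, prev if chained else GENESIS)
        records.append({"event": ev, "sig": prev.hex()})
    return records

def verify_batch(master: bytes, records: list, chained: bool = True):
    """Return the index of the first record that fails to verify, or None."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = _mac(master, rec["event"], prev if chained else GENESIS)
        if not hmac.compare_digest(expected.hex(), rec["sig"]):
            return i
        prev = expected
    return None

# Constructed sample events spanning a key rotation (not real Hydrate output).
MASTER = b"constructed-demo-secret"
EVENTS = [
    {"ts": "2025-01-01T23:58:00Z", "actor": "alice", "type": "canon.add", "target": "c-1"},
    {"ts": "2025-01-01T23:59:30Z", "actor": "bob", "type": "canon.edit", "target": "c-1"},
    {"ts": "2025-01-02T00:01:10Z", "actor": "bob", "type": "canon.pin", "target": "c-1"},
    {"ts": "2025-01-02T00:05:00Z", "actor": "carol", "type": "canon.remove", "target": "c-1"},
]

if __name__ == "__main__":
    chain = sign_batch(MASTER, EVENTS)
    flat = sign_batch(MASTER, EVENTS, chained=False)
    print("intact chain:", verify_batch(MASTER, chain))
    print("chained, event 1 deleted:", verify_batch(MASTER, chain[:1] + chain[2:]))
    print("unchained, event 1 deleted:", verify_batch(MASTER, flat[:1] + flat[2:], False))
```

A chain on its own does not reveal truncation of the tail of a batch; the verifier also needs the expected final signature or event count from a separate channel.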
Compliance & data handling
Data handling matrix
| Data category | Free / Pro | Team | Enterprise |
|---|---|---|---|
| Source code | Local working tree + git remotes; never uploaded to Hydrate. | Team git repos; Hydrate does not host source. | Customer repos + workstations; Sync Hub never needs full source. |
| Session transcripts | Local disk only by default; Pro may send post-scrub narratives to your LLM provider for extraction. | Local disks; shared canon in git. Vendor receives none. | Customer perimeter only: workstations and self-hosted Sync Hub. 90-day default retention. |
| Extracted facts | Local SQLite, readable by you and the local Hydrate process. Vendor receives none. | Local SQLite + team-approved canon in git. | Self-hosted Sync Hub + workstations inside customer perimeter. |
| Licence identity | Pro: licence token validated by Hydrate; no session content attached. | Team seat entitlements validated by Hydrate; no session content. | Enterprise seat entitlement validated at install/renewal. Runtime memory does not leave perimeter. |
| Telemetry | None by default for runtime features. | None by default for runtime features. | None from Sync Hub to Hydrate by default. Customer may wire local Prometheus / SIEM. |
| Audit logs | Local CLI actions logged locally only. | Git history for canon changes; no hosted log. | Sync Hub audit DB inside the customer perimeter. 90-day default, SIEM export. |
Framework posture
| Framework / law | Current posture | Notes |
|---|---|---|
| SOC 2 Type II | In progress (target: TBD) | Self-assessment + policies published; no independent Type II attestation yet. Docs under MNDA. |
| ISO 27001 | In progress (target: TBD) | Controls mapped in compliance documentation. Not certified today. |
| GDPR | Documentation under MNDA | Local-first / self-hosted architecture minimizes processor scope. Customer is controller for self-hosted Enterprise. |
| CCPA | Documentation under MNDA | Hydrate does not sell personal information. Customer controls all data in self-hosted Enterprise. |
| EU AI Act (Aug 2026) | Documentation under MNDA | Hydrate is developer memory infrastructure, not an autonomous high-risk AI system by itself. |
| HIPAA | Not applicable by default | Hydrate is not offered as a HIPAA Business Associate today. |
| PCI-DSS | Not applicable to Hydrate runtime | Hydrate does not process cardholder data in the runtime product. |
Full compliance one-pager: vulnerability disclosure, sub-processors, MNDA-gated documentation.
Service-level commitments
Standard
- 24h response on P1 issues
- Business-hours support
- 99.5% Sync Hub uptime target
Priority
- 4h response on P1 issues
- 24×7 support coverage
- 99.9% uptime target
- Named Customer Success Manager
Custom
- Negotiated response time
- Dedicated support channel
- Custom uptime via topology
Procurement FAQ
The questions security review and procurement reliably ask, with the short version of each answer. Long-form documentation is available under MNDA.
Where is customer data stored?
Workstation Hydrate stores all runtime state in ~/.hydrate/data.db (SQLite). Self-hosted Sync Hub stores canon and audit log in Postgres inside the customer perimeter. The Hydrate vendor stores licence-entitlement records (email, seat count, plan, no session content) for billing and renewal.
Who is the data controller / processor under GDPR?
Customer is the controller and processor for all session content in self-hosted Enterprise; Hydrate does not see it. Hydrate is the controller only for licence-entitlement records.
What sub-processors do you use?
For the licensing service: Cloudflare (edge), the GitHub Releases CDN (binary distribution), and Stripe (billing). None of these touch runtime session content. Full list at /enterprise/compliance.
Is Hydrate certified against SOC 2 / ISO 27001?
Both are in progress. Self-assessment and policies are available under MNDA. No independent Type II attestation today. The self-hosted architecture is designed so that customers can rely on their own existing controls for the parts that matter.
Can we run Hydrate fully air-gapped?
Yes. The Sync Hub container image is mirrorable as an offline tarball. Licence validation can be moved to an offline-token model (1-year token issued in advance) for fully air-gapped deployments. Hooks fail-open, so the runtime keeps working even with no outbound network.
How do you handle a security incident?
CVE disclosure policy at SECURITY.md. P1 vulnerabilities trigger patched releases within 48h with a CVE reservation; customers get notified by email and dashboard banner. Coordinated disclosure window is 90 days. Past CVEs (none to date) would be published at /security.
What is the retention policy for the audit log?
90-day default in the Sync Hub. Configurable per project; some customers extend to 7 years for regulated workloads. The customer's SIEM copy is governed by the customer's own retention policy; Hydrate does not enforce or override it.
Can users redact or delete their own data?
Yes. Individual facts and canon entries are deletable from the dashboard or via hydrate facts remove; deletions are themselves audit events (tombstones), not silent drops. Session transcripts have a configurable per-project retention; the default is 90 days.
What does the licence cover and how is it enforced?
Per-seat annual licence. Enforcement is by Ed25519-signed token validated locally; no phone-home at runtime. Over-quota installs surface a banner but do not block functionality (we prefer renewals over enforcement frustration).
What happens at end-of-contract?
Workstation Hydrate keeps working in local-only mode (no Sync Hub) for read access to existing memory. Sync Hub can be archived (Postgres dump + audit log export to your S3). No vendor lock-in: the SQLite and Postgres schemas are documented and your data is in standard formats you can run a query against.
How do we evaluate before committing?
Free tier is fully functional locally; your developers can use Hydrate today, no procurement step. For evaluating Sync Hub specifically, we provide a 30-day evaluation licence and a one-page deployment runbook. No POC fee.
Trusted by
We'll populate this row with beta-customer marks once they sign off publicly. The grid is here so procurement reviewers can see where these references will live.