PDFOnly
Get started
self-hosting
privacy
architecture

Self-host PDF tools or use SaaS? Pick the right path

Confidential contracts, regulated PII, air-gapped environments — sometimes SaaS isn't the answer. Here's a clear-eyed framework for picking.

By PDFOnly Team · May 8, 2026 · 7 min read

If you process PDFs at any scale, you've faced the SaaS-vs-self-host question. The answer isn't always obvious. Here's the framework we'd use.

Use SaaS when:

- Files aren't sensitive. Marketing PDFs, public reports, reference docs — anything you'd email casually. - You don't want to run servers. Self-hosting means owning a VPS, monitoring uptime, applying security patches, restoring from backups when something breaks at 2am. - Volume is low to medium. SaaS pricing usually beats VPS costs at low volume. Cross over to self-hosted when your monthly SaaS bill exceeds ~$50/mo.

Self-host when:

- You handle regulated PII. HIPAA-protected health records, SSN-bearing tax docs, M&A documents under NDA. The audit trail is much cleaner when you control the data path end-to-end. - You operate air-gapped. Defense, classified work, certain legal practices. SaaS isn't an option, period. - You're at scale. Thousands of conversions per day → a $20/mo VPS beats per-conversion SaaS pricing by an order of magnitude. - Compliance requires it. Some ISO certifications, some FedRAMP profiles, some SOC 2 Type 2 customer requirements demand processing under your control.

What "self-host" actually means with PDFOnly

We ship the entire stack as a single deployable: Next.js web app, BullMQ worker, MySQL, Redis, MinIO (for file storage). Install scripts get you to a working install in 15 minutes on any modern Linux VPS.

The trade-off: you own the operational complexity. SaaS hides backups, monitoring, scaling, security patches behind their team. You're now that team.

A middle path: hybrid

Some teams use SaaS for low-sensitivity batch processing (compress, merge, convert) and self-host only for the workflows that touch sensitive data (redact, OCR confidential scans, run AI on contracts). Nothing prevents this — same source of truth, same UX, just routed by sensitivity.

How to decide

Ask three questions:

1. Could a leak of these files reach a regulator, lawyer, or journalist? If yes → self-host or use a SaaS with strong audit logs and a data processing agreement. 2. Will I exceed $50/mo in SaaS costs? If yes → self-host pays for itself. 3. Do I have the operational capacity to run a VPS? If no → SaaS, even if (1) and (2) say otherwise. A poorly-run self-hosted instance is worse than a well-run SaaS one.

The most common right answer for small businesses is "stay on SaaS, set a calendar reminder for 12 months out to revisit." If you're processing 10,000+ docs per month, the math changes fast.

Keep reading