Dedicated Instance

From subscription-tier dedicated to enterprise-grade customisation — one product line covering pro users to global enterprises

Hydite Vtslx AO Dedicated Instance ships in two clearly separated tiers:

🟦 Subscription Dedicated — single-tenant SaaS for power users and SMBs. Self-serve, monthly/annual subscription, zero ops.

🟪 Enterprise Dedicated — for large enterprises, government, finance, healthcare. Adds BYOK, self-hosted agent, private models, SSO, white-label, compliance and custom routing on top of the subscription tier. Available only on the Enterprise membership.

Both tiers expose the same OpenAI-compatible API, so migrating or upgrading is zero-code-change.

Tier comparison#

Sections marked ✦ Subscription are baseline features; ✦ Enterprise sections require the Enterprise membership.

Part 1 · Subscription Dedicated ✦ Subscription

1.1 What it is#

Subscription Dedicated sits between Shared Edge and Enterprise:

• A single-tenant AO instance on Hydite multi-region cloud — isolated rate quotas, key namespace, cache and DB.
• vs Shared: no noisy-neighbour limits; QPS / TPM are allocated per tier and scale linearly.
• vs Enterprise: no choice of deployment location, no BYOK, no custom routing — everything runs on Hydite presets.

Best fit:

• Heavy solo developers / indie SaaS already saturating Shared Edge's 60 RPM.
• SMBs at 10M – 1B tokens / month that want stable first-token latency.
• Teams that need a branded subdomain like acme.api.hydite.com without running infra.
• Workloads with no hard data-residency requirements but wanting isolated quotas, billing and keys.

1.2 Subscription tiers#

Only the Enterprise tier unlocks the customisation features in Part 2 below. Pro / Team / Business subscribers — even when on Dedicated — do not have customisation rights and must upgrade to Enterprise.

1.3 Three-step activation#

Dashboard → Workspaces → Upgrade Plan:

1. Pick a tier (Pro / Team / Business). The dashboard shows the resource sheet and monthly price.
2. Pay (card / monthly invoice) and click Provision.
3. ~5 min later your instance is live with a fresh subdomain (e.g. acme.api.hydite.com). Point your base_url at it.

Upgrades / downgrades are anytime — upgrade is immediate and pro-rated; downgrade takes effect at the next cycle (no quota refunds); any tier can be paused for up to 30 days.

1.4 Built-in features#

Every subscription tier ships with:

• ✅ Full API Reference
• ✅ Curated model pool (OpenAI · Anthropic · Google · DeepSeek · Qwen · Zhipu · Moonshot · xAI · Mistral …)
• ✅ Channels for env isolation (dev / staging / prod)
• ✅ Three-tier quotas (Key / Team / Org)
• ✅ Dashboard: Overview / API Keys / Channels / Billing / System Health
• ✅ Anomaly auto-pause for leaked keys
• ✅ Prometheus /metrics and basic webhooks
• ✅ 99.9% availability SLA

But not included: BYOK · self-hosting · custom routing · white-label · SAML/SCIM · advanced compliance. Those belong to Enterprise customisation.

Part 2 · Enterprise Dedicated ✦ Enterprise

🟪 Everything in this part is gated behind the Enterprise membership. Subscription tiers (Pro / Team / Business) — even on Dedicated — cannot enable any of the features below and need to upgrade to Enterprise first.

2.1 Why "customised"#

The Enterprise tier targets workloads where generic SaaS just doesn't fit:

• Compliance — finance, healthcare, gov, central / state-owned enterprises handling regulated or proprietary data.
• Compute sovereignty — must run private fine-tunes on your own GPU fleet.
• Commercial sovereignty — bill providers under your own contracts (BYOK), no Hydite usage cut.
• Brand sovereignty — white-label the AO console for resale to your own customers.
• Network isolation — only allow access via VPC peering / Direct Connect / private DNS.
• Operational boundary — upgrades, configs and security policies are owned by your security team.

2.2 Three deployment topologies#

Topology B is our flagship pattern — keeps data inside the customer boundary while keeping ops on Hydite. Details follow.

2.3 Connected Self-Host: control plane / data plane split#

1
┌───────────────────────────────┐         ┌──────────────────────────────────────┐
2
│  Hydite cloud control plane   │         │  Customer VPC / DC                   │
3
│  control.hydite.com           │         │                                       │
4
│                               │         │  ┌──────────────────────────────┐    │
5
│  • White-label dashboard      │◀───────┤  │   Hydite AO Agent (signed)    │    │
6
│  • IAM / SSO / RBAC           │  mTLS   │  │   • outbound-only (no inbound)│    │
7
│  • Site mgmt + token issuing  │  beat   │  │   • pulls routing / blacklist │    │
8
│  • Routing config (YAML/Git)  │  cfg    │  │   • reports token / health    │    │
9
│  • Usage rollup (metadata)    │  push   │  │   • local routing/cache/db    │    │
10
│  • Audit / alerts / billing   │         │  └────────────┬──────────────────┘    │
11
└───────────────────────────────┘         │               │                       │
12
                                           │  ┌────────────▼──────────────────┐    │
13
                                           │  │  Your App                      │    │
14
                                           │  │  base_url=hydite-ao.svc:443   │    │
15
                                           │  └────────────┬──────────────────┘    │
16
                                           │               │                       │
17
                                           │  ┌────────────▼──────────────────┐    │
18
                                           │  │ LLM providers (BYOK direct)   │    │
19
                                           │  │ + private self-hosted models  │    │
20
                                           │  └────────────────────────────────┘    │
21
                                           └──────────────────────────────────────┘

Data flow matrix#

Business data stays 100% inside the customer boundary — the control plane sees only an "audit fingerprint" sufficient for billing, alerting and compliance audit.

Source-code & algorithm protection#

• The Agent ships as a distroless container image + Helm chart — no source code is shipped.
• Images come from registry.hydite.com; pull secret is bound to the Site token and revoked on offboarding.
• Cosign / Sigstore signed; signatures verified at boot against Hydite's public key — no anti-tamper bypass.
• Routing strategies, cache-key algorithms and pricing logic are pushed as WASM modules from the control plane — never persisted on disk locally.

Install flow#

Step 1 — issue a Site in the dashboard:

Dashboard → Sites → Create Site, fill name / compliance level / network mode. The system returns:

1
SITE_ID=site_xxxxxxxxxxxxxxxxxxxx
2
SITE_TOKEN=hyt_site_eyJhbGciOi...           # short-lived JWT, swapped for mTLS cert on first boot
3
HYDITE_REGISTRY_PULL_SECRET=...

Step 2 — deploy the Agent in your K8s:

1
helm repo add hydite https://charts.hydite.com
2
helm install hydite-ao hydite/ao-agent \
3
  --set site.id=$SITE_ID \
4
  --set site.token=$SITE_TOKEN \
5
  --set registry.pullSecret=$HYDITE_REGISTRY_PULL_SECRET \
6
  --set network.egress=via-corp-proxy        # optional: route through corp egress

Step 3 — outbound registration:

The Agent dials wss://control.hydite.com/agent, completes mutual TLS, the Site goes green in the dashboard.

Step 4 — cut traffic over:

1
client = OpenAI(api_key=key, base_url="http://hydite-ao.acme.svc:443/v1")

The full call path stays 100% on-prem / in-VPC with zero inbound ports — fully zero-trust compatible.

2.4 Air-gapped offline licence#

For fully isolated networks:

• Hydite issues a signed offline licence with expiry, RPM cap, model whitelist.
• The Agent verifies the signature + clock-drift tolerance at boot — no control-plane reachability needed.
• Config changes ride physical media: dashboard exports config.yaml.signed → copy to internal network → Agent loads it.
• Usage ships back via offline reconciliation: Agent emits usage-{date}.signed.json → exported → uploaded to dashboard.
• Sovereign-stack support: Kunpeng / Kylin / OceanBase / HuaweiCloud Stack / Zhongbiao Kylin / UOS.

2.5 BYOK and private model onboarding#

1
# Typical routing config (Enterprise customisation only)
2
models:
3
  - alias: claude-sonnet-4-5
4
    provider:
5
      name: anthropic
6
      model: claude-sonnet-4-5
7
      api_key: ${ACME_ANTHROPIC_KEY}     # your own Anthropic account
8
      api_base: https://api.anthropic.com
9
    tags: [prod]
10
  - alias: claude-sonnet-4-5             # same alias → automatic fallback
11
    provider:
12
      name: bedrock
13
      model: anthropic.claude-sonnet-4-5
14
      region: us-east-1
15
    tags: [fallback]
16
  - alias: acme-finetune-v3              # private self-hosted model
17
    provider:
18
      name: openai-compatible            # any OpenAI-compatible endpoint works
19
      api_base: http://vllm.internal:8000/v1
20
    tags: [private, on-prem]

• Public-provider BYOK: bills under your contract — Hydite takes no usage cut, only the Enterprise platform fee.
• 100+ supported endpoints: Anthropic / OpenAI / Bedrock / Azure OpenAI / Vertex / DeepSeek / Qwen / Zhipu / Moonshot / xAI / Mistral / DashScope / Volcengine / Tencent / Baidu …
• Private model onboarding: vLLM / TGI / SGLang / LMDeploy / Triton / Ollama / sovereign stacks — anything OpenAI-compatible.
• Public and private models can share the same alias for canary / fallback (e.g. 70% private fine-tune / 30% Anthropic / fallback GPT-4o on timeout).

2.6 Custom routing strategies#

All declarative YAML, visual editor in the dashboard, Git-versioned. Subscription tiers can only use presets.

2.7 Identity & access#

Subscription tiers only get basic SSO (see 1.2). SAML / OIDC / SCIM is Enterprise-only.

2.8 Networking#

Mix and match any of:

• Public + custom apex — https://ai.acme.com/v1 with auto-issued or BYO certs.
• VPC Peering / PrivateLink — drop an ENI / endpoint inside your VPC, traffic never traverses the public internet.
• Direct Connect — Aliyun Express Connect / AWS Direct Connect / Azure ExpressRoute.
• IP allow-list + mTLS + zero-trust egress (Zscaler / Cloudflare Access).
• Multi-region dedicated — e.g. primary in us-east, DR in eu-west, branch in ap-southeast — cross-region fallback handled by AO routing.

Subscription tiers only support "public + platform subdomain".

2.9 Capacity, performance & SLA#

2.10 Observability#

Both Subscription and Enterprise include the five dashboard surfaces (Overview / Anomaly / API Keys / Channels / System Health) and /metrics. Enterprise adds:

• White-label dashboard — your logo, theme and domain (e.g. console.acme.com); resellable.
• Structured audit logs — every call + dashboard event streamed as NDJSON to your S3 / OSS / Splunk / Elasticsearch / Aliyun SLS.
• Replay & debug — once Logging is enabled, inspect any past call's prompt, completion, token counts and upstream timings.
• BYO KMS — at-rest encryption uses your CMK (AWS KMS / Azure Key Vault / GCP KMS / HashiCorp Vault).

2.11 Onboarding flow#

A typical 4-step rollout — first business traffic in 7–10 working days:

1. Discovery (D+0–3) — solution architect aligns on topology, compliance, capacity, network, IDP / SIEM / provider list.
2. Environment delivery (D+3–7) — Hydite cloud same-day; customer-cloud via IaC modules; on-prem via offline package. SSO, domain, certs, KMS, private models all wired.
3. Integration & load test (D+7–10) — compatibility suite + replay-based load test, validation of RPM / latency / cost targets.
4. Cutover — flip base_url, canary then full rollout. Zero client-code changes.

Ongoing operations are owned by Hydite Customer Success: quarterly capacity review + bi-annual DR drill + provider change advisory + dedicated Slack / Feishu channel + 24×7 P1 SLA.

2.12 Commercial model#

Dual-track: monthly platform fee + usage.

• Platform fee covers infra, dashboard, SLA and customer success — tiered by cluster size and SLA target.
• Usage is billed on actual token consumption. Hydite-procured providers ride our volume discount; under BYOK Hydite charges only a thin routing/audit fee.
• Professional services (optional): fine-tuning, agent workflow co-build, on-site compliance audits, sovereign-stack porting.

Pricing always starts with a 30-minute solution call. Trigger via Workspaces → Upgrade to Enterprise in the dashboard, or email enterprise@hydite.com.

Upgrade path

1
Shared Edge (free / pay-go)  →  Sub. Pro  →  Team  →  Business  →  Enterprise Dedicated
2
                                  ↑                       ↑                    ↑
3
                       single-tenant isolation     basic enterprise SSO    BYOK / self-host / white-label / SAML

Every step is zero-code-change:

• Shared → Subscription Dedicated — one click in the dashboard; keys, channels and usage history migrate.
• Subscription → Enterprise Dedicated — once the contract is signed we either migrate the cluster to Enterprise or stand up a Connected Self-Host alongside it; both run dual-active during cutover, old keys move via /key/migrate.

Next steps#

• Browse every endpoint → API Reference
• Try Subscription Dedicated → Workspaces → Upgrade Plan in the dashboard
• Talk to Enterprise sales → enterprise@hydite.com
• Compare with Shared → Shared Edge Instance