Sovereign-hybrid edition (BYOK)¶
The Sovereign-hybrid edition is built for organisations that want the infrastructure isolation of pure sovereign mode, without sacrificing the quality of frontier LLMs (Mistral Large, Claude Sonnet 4.6, GPT-5, Gemini 2.5).
It's the trade-off: your data stays on your infrastructure, but AI synthesis calls can go out to external APIs that you configure yourself (BYOK — Bring Your Own Key).
On-premise / Sovereign offering — on quote
The sovereign-hybrid deployment is part of the On-premise / Sovereign offering, a bespoke, quote-based installation — no self-service subscription. To get started, contact us.
Architecture¶
graph TB
U[Internal users] -->|HTTPS| Web[Myeline Web<br/>at the customer site]
Web --> DB[(MariaDB)]
Web --> Redis[(Redis)]
Web --> Chroma[(ChromaDB)]
Web --> Ollama[Local Ollama<br/>bge-m3 embedding]
Web -.->|"BYOK Mistral<br/>Claude / OpenAI / Gemini<br/>(per org, your choice)"| LLM[AI provider<br/>of your choice]
Web -.->|"GCP service account<br/>(your project)"| GDrive[Google Drive]
Web -.->|"BYOC OAuth<br/>(your own apps)"| OneDrive[OneDrive]
Differences vs pure sovereign¶
| Feature | Sovereign | Sovereign-hybrid |
|---|---|---|
| Local Ollama | ✅ | ✅ |
| External API (Mistral, etc.) | ❌ | ✅ (BYOK per org) |
| Google Drive connector | ❌ | ✅ (GCP service account) |
| OneDrive / Dropbox connectors | ❌ | ✅ (BYOC — your OAuth apps) |
| Notion / Zotero connector | ❌ | ✅ |
| Stripe | ❌ | ❌ |
| Local audit log | ✅ | ✅ |
| Off-host backup (S3 / rclone) | To internal infra | To internal MinIO or S3 cloud |
BYOK — Bring Your Own Key¶
In sovereign-hybrid mode, each organisation within
your deployment can independently choose its LLM provider via
/admin/orgs/<slug>:
- Local Ollama (default, free)
- Mistral AI (your key)
- Anthropic Claude (your key)
- OpenAI (your key)
- Google Gemini (your key)
Keys are stored encrypted in the DB (org.ai_api_key_enc via
Fernet, derived from CLOUD_TOKEN_KEY). No shared "platform" key —
each org pays the provider directly.
BYOK embedding (synapse 0025)¶
Since migration 0025, each organisation can also choose its embedding provider independently of the LLM. Useful when the deployment defaults to Ollama bge-m3 but an org wants a higher-quality embedding (Voyage, Cohere multilingual) or a separate billing trail (Mistral, OpenAI).
| Provider | Default model | Dim | Notes |
|---|---|---|---|
| Mistral | mistral-embed |
1024 | 🇫🇷 EU-hosted, GDPR |
| OpenAI | text-embedding-3-small |
1536 | -3-large 3072-dim also supported |
| Voyage | voyage-3 |
1024 | Top quality, English + multilingual |
| Cohere | embed-multilingual-v3.0 |
1024 | Strong multilingual coverage |
Configured via /org/<slug>/admin → "Fournisseur d'embedding (BYOK)"
card. Routing only applies to the org_{id}_shared collection — the
public shared collection and member personal libraries stay on the
deployment-wide default provider.
Dimension lock. Switching providers on an already-indexed collection is refused until existing vectors are wiped — even when the dimension matches (a 1024-dim Mistral vector and a 1024-dim Voyage vector live in incompatible cosine spaces). Procedure:
flask wipe-org-embed-collection --org <id> --confirm
# Then activate the new provider via /org/<slug>/admin
flask reindex-embeddings
Security. Embedding keys follow the same storage scheme as LLM keys
(org.embed_api_key_enc Fernet-encrypted, never echoed back by the UI
— a •••••••• mask only confirms that a key is on file).
BYOC — Bring Your Own Credentials¶
To enable cloud connectors (Google Drive, OneDrive, Dropbox, kDrive) in sovereign-hybrid, you must register your own OAuth apps with each provider. Myeline.io credentials only work for the central SaaS.
Why? Your internal users access Myeline via
https://myeline.acme.local/..., so the OAuth redirect URI is
https://myeline.acme.local/user/cloud/gdrive/callback. Google /
Microsoft / Dropbox check the redirect URI against the OAuth app's
whitelist — central Myeline does not have your URL in its whitelist
(and we cannot add it at scale for security and scalability reasons).
See the detailed walkthrough: Sovereign-hybrid installation § BYOC.
For whom?¶
- Companies that want a pragmatic trade-off between sovereignty and AI synthesis quality
- Organisations that already have Anthropic / OpenAI / Mistral Enterprise contracts and want to use them through Myeline
- Consulting firms or law firms that host Myeline themselves for their clients and bill a margin on AI
- Universities / labs that want to index their Workspace Drive but keep the database on their internal compute cluster
Pricing model¶
- Annual licence (quoted, 12 months max)
- You pay the AI providers directly for the ones you enable (Mistral La Plateforme, Anthropic Console, OpenAI, Google AI Studio)
- No hidden margin on our side — you see your AI costs directly
- Support included — detailed terms in the licence contract
Getting started¶
git clone -b synapse git@github.com:ClaraVnk/myeline.git
cd myeline
./scripts/install.sh
# → Choose option 3 (Sovereign-hybrid installation)
# → Paste the licence key
# → The wizard explicitly asks for BYOC OAuth credentials
Full walkthrough: Sovereign-hybrid installation.