Self-Hosted Comment SDK

We've talked to hundreds of companies implementing a comment SDK, and data privacy is often brought up by CISOs and security engineers. Velt is SOC II Type II and HIPAA compliant, making it the best option for most use cases. For teams that handle PHI or other sensitive data, Velt's commenting SDK that lets you self-host data without having to build the entire backend.

TLDR:

• Self-hosting means comment text, reactions, and PII live in your database, while Velt only holds IDs and metadata for routing real-time traffic.

• Security teams choose Velt because it meets HIPAA, GDPR & SOC 2 Type II standards + we do annual pentests.

• You drop in Velt’s React components, supply three provider functions (get, save, delete), and you're shipping in just a few days.

• Competitors like Liveblocks do not allow data to stay on your servers, which blocks many compliance-heavy deals.

• The hybrid model still gives you presence, live cursors, notifications because Velt handles the hard real-time work.

Why Product Teams Now Ask for Self-Hosted Comments

You Own the Paper Trail

When a user types feedback about a yet-to-ship feature or a doctor notes a dosage change, the words carry legal weight. If that content sits in your own Postgres DB:

• You can wipe it on demand to honor a right to be forgotten.

• Auditors see a single security boundary: yours.

• Legal teams can lock records during discovery without chasing a vendor.

Compliance Stops Being a Debate

• HIPAA: Self-hosting avoids moving ePHI through a third-party store. You still may need a Business Associate Agreement for transit, which Velt signs, but storage is under your shield.

• SOC 2: Your auditors map controls to one environment. Velt already holds a Type II report, so the hand-off is clean.

Future Migration Is a Non-Issue

If you ever rebuild the feature or move to another vendor (not that you'll want to), the raw comment rows never left your database. Export is a COPY command, not a weeks-long support ticket.

The Build-Versus-Buy Puzzle Gets a New Variable

The classic question: Should we build comments ourselves or use a provider? The answer used to lean toward build it if data privacy was important. Velt introduces a third door:

• Build every line → full control, six months of headcount.

• Buy SaaS only → quick win, data off-premises.

• Buy Velt hybrid → quick win, data in your house.

For a deeper breakdown, our build versus buy guide for 2025 walks through total cost, staffing, and roadmap trade-offs. The short version: Velt removes the main blocker that once pushed teams to roll their own.

Inside Velt’s Hybrid Architecture

Velt splits the job into two sides.

• The customer stores commentBody, authorId, reactions, and any files. Of course you also store user data (but you were already doing that).

• Velt stores metadata like commentId, threadId, cursor positions, and socket metadata required to dispatch live events.

That design keeps sensitive content private while still letting Velt handle the hard real time infra. The SDK never sends sensitive data from commentBody to Velt. It only ships an opaque reference like c_8937ae.

The Three Provider Functions

1. get(request) – Fetch rows for a page or document ID.

2. save(request) – Insert or update a row, then return the new ID.

3. delete(request) – Remove a row the user owns or has permission to erase.

That is it. No long scaffolding, no rate-limit headaches. Below is a minimal example. Check out the docs for complete guides.

import { VeltProvider } from "@velt/react";

const commentProvider = {
  async get(req) {
    const rows = await db("comments")
      .where({ thread: req.threadId })
      .orderBy("created_at");
    return { data: rows, success: true, statusCode: 200 };
  },
  async save(req) {
    const [id] = await db("comments").insert({
      body: req.comment.body,
      thread: req.threadId,
      author: req.user.id,
    });
    return { data: { id }, success: true, statusCode: 200 };
  },
  async delete(req) {
    await db("comments")
      .where({ id: req.commentId, author: req.user.id })
      .del();
    return { success: true, statusCode: 200 };
  },
};

function App() {
  return (
    <VeltProvider
      apiKey="VELT_PUBLIC_KEY"
      dataProviders={{ comment: commentProvider }}
    >
      {/* rest of your app */}
    </VeltProvider>
  );
}

The call chain:

1. Browser calls saveComment.

2. Your handler writes to Postgres.

3. Provider returns success: true.

4. Velt sends a socket event.

Latency is still sub-100 ms because the heavy text never travels outside your region.

What About Files and Mentions?

Files stay in your S3 bucket or a signed URL scheme. Mentions reuse your user table. The SDK renders avatars and badges from public thumbnails you expose, not from Velt storage.

Quick Note on Self Hosting

Self-hosting doesn't mean running the real-time servers yourself. Velt is a managed platform, so the socket lattice, presence heartbeat, and cursor math live under their watch. That choice slashes operational load but still respects data boundaries.

Security & Legal Checklist

Keeping content in your cloud means breach surface is identical to the rest of your stack rather than multiplied across third-party data stores. Self-hosting is not about features. It is about aligning with risk models, audit timelines, and customer deals that hinge on strict data clauses.

How Velt Compares With Other Paths

Here's the point: only Velt checks all the boxes. You get self-hosted data plus turnkey interface, which slashes time-to-value and passes security reviews.

For more details, see the best commenting SDK in 2025 list.

Real-World Scenarios

Healthcare Imaging Review

Radiologists view DICOM images and drop threaded notes on suspicious regions. Patient identifiers and doctor comments reside in the hospital’s private cloud. Velt carries only commentId and socket routing, meeting HIPAA without extra encryption hacks.

Fintech Reporting Dashboards

Analysts discuss monthly margin swings directly on a KPI tile. The text might include numbers that move markets. By storing content on an internal Aurora cluster, the firm satisfies audit rules. Velt’s presence layer shows who is reading the dashboard in real time.

E-learning Video Feedback

Course authors leave time-coded remarks on a lecture. The video file and comment text sit in the LMS vendor’s VPC, not on a SaaS vendor. Students see live pointers and notifications while the vendor avoids extra EU-US data transfer contracts.

Design Hand-Off Tools

UI designers pin call-outs on a Figma-like canvas. Pixel data is proprietary game art, so self-hosting is mandatory. Velt draws emoji reactions, mention chips, and resolution workflow without touching the art files.

Performance Tips for High-Traffic Apps

• Shard by tenant: If you run a multi-tenant SaaS, keep comment rows in separate schemas or clusters. Velt only needs the unique IDs, so sharding does not break socket sync.

• Cache first fetch: The SDK hydrates on page load. A CDN-fronted /comments?thread=XYZ endpoint serves 90 percent of reads. Subsequent writes go straight to your primary.

Roll-Out Checklist

1. Map data model: thread, comment, user.

2. Add three provider functions.

3. Embed <Comments /> widget from the SDK.

4. Run staging tests with fake PHI.

5. Push to production behind a feature flag.

6. Pass final security review with proof that text never crosses Velt Cloud.

Common Questions

Does self-hosting break Velt’s analytics features?

No. Velt’s viewer analytics records event IDs, not content. You can opt out entirely or keep using them with minimal exposure.

Can we encrypt comment text before saving?

Yes. The SDK does not care what the body field looks like. You can store a ciphertext blob and decrypt on the client.

What if we need to migrate away later?

Since you hold the raw rows, migration is a matter of transforming your own schema.

Closing Thoughts

Self-hosted comments once forced engineers to pick between speed to ship and data control. Velt closes that gap. You keep personal data on your infra, your users enjoy live conversation threads, and your roadmap moves faster because your team does not have to master CRDT math or socket scaling tricks.

Ready to give your product google docs/figma level collaboration without giving up ownership of the words your users share? Take Velt’s commenting SDK for a spin, wire up your provider in an afternoon, and watch both security and product teams nod in approval.