Self-Hosted Comment SDK
We've talked to hundreds of companies implementing a comment SDK, and data privacy is often brought up by CISOs and security engineers. Velt is SOC 2 Type II and HIPAA compliant, making it the best option for most use cases. For teams that handle PHI or other sensitive data, Velt's commenting SDK lets you self-host data without having to build the entire backend.
TLDR:
Self-hosting means comment text, reactions, and PII live in your database, while Velt only holds IDs and metadata for routing real-time traffic.
Security teams choose Velt because it meets HIPAA, GDPR & SOC 2 Type II standards + we do annual pentests.
You drop in Velt’s React components, supply three provider functions (get, save, delete), and you're shipping in just a few days.
Competitors like Liveblocks do not allow data to stay on your servers, which blocks many compliance-heavy deals.
The hybrid model still gives you presence, live cursors, notifications because Velt handles the hard real-time work.

Why Product Teams Now Ask for Self-Hosted Comments
You Own the Paper Trail
When a user types feedback about a yet-to-ship feature or a doctor notes a dosage change, the words carry legal weight. If that content sits in your own Postgres DB:
You can wipe it on demand to honor a right to be forgotten.
Auditors see a single security boundary: yours.
Legal teams can lock records during discovery without chasing a vendor.
Compliance Stops Being a Debate
HIPAA: Self-hosting avoids moving ePHI through a third-party store. You still may need a Business Associate Agreement for transit, which Velt signs, but storage is under your shield.
SOC 2: Your auditors map controls to one environment. Velt already holds a Type II report, so the hand-off is clean.
Future Migration Is a Non-Issue
If you ever rebuild the feature or move to another vendor (not that you'll want to), the raw comment rows never left your database. Export is a COPY command, not a weeks-long support ticket.
The Build-Versus-Buy Puzzle Gets a New Variable
The classic question: Should we build comments ourselves or use a provider? The answer used to lean toward build it if data privacy was important. Velt introduces a third door:
Build every line → full control, six months of headcount.
Buy SaaS only → quick win, data off-premises.
Buy Velt hybrid → quick win, data in your house.
For a deeper breakdown, our build versus buy guide for 2025 walks through total cost, staffing, and roadmap trade-offs. The short version: Velt removes the main blocker that once pushed teams to roll their own.
Inside Velt’s Hybrid Architecture
Velt splits the job into two sides.
The customer stores commentBody, authorId, reactions, and any files. Of course you also store user data (but you were already doing that).
Velt stores metadata like commentId, threadId, cursor positions, and socket metadata required to dispatch live events.
That design keeps sensitive content private while still letting Velt handle the hard real time infra. The SDK never sends sensitive data from commentBody to Velt. It only ships an opaque reference like c_8937ae.

The Three Provider Functions
get(request) – Fetch rows for a page or document ID.
save(request) – Insert or update a row, then return the new ID.
delete(request) – Remove a row the user owns or has permission to erase.
That is it. No long scaffolding, no rate-limit headaches. Below is a minimal example. Check out the docs for complete guides.
The call chain:
Browser calls saveComment.
Your handler writes to Postgres.
Provider returns success: true.
Velt sends a socket event.
Latency is still sub-100 ms because the heavy text never travels outside your region.
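The three provider functions and the call chain above, sketched as an added example (not Velt's code or its documented API). The request and response shapes, the vendorMetadata field, the canModerate flag, and the in-memory Map standing in for your Postgres table are all assumptions.

```javascript
// Added example. Request/response shapes and helper names are assumptions,
// not Velt's documented API. A Map stands in for your Postgres table.
const { randomBytes } = require('crypto');

const rows = new Map(); // commentId -> full row, kept on your side only

// Only these fields may be handed to the vendor for real-time routing.
const VENDOR_FIELDS = ['commentId', 'threadId'];
const toVendorMetadata = (row) =>
  Object.fromEntries(VENDOR_FIELDS.map((k) => [k, row[k]]));

function getComments({ threadId }) {
  return [...rows.values()].filter((r) => r.threadId === threadId);
}

function saveComment({ user, threadId, commentId, commentBody }) {
  if (typeof commentBody !== 'string' || !commentBody || commentBody.length > 10000) {
    return { success: false, error: 'invalid_body' };
  }
  const existing = commentId ? rows.get(commentId) : undefined;
  if (commentId && !existing) return { success: false, error: 'not_found' };
  // Updates are limited to the original author.
  if (existing && existing.authorId !== user.id) {
    return { success: false, error: 'forbidden' };
  }
  const row = {
    commentId: existing ? commentId : 'c_' + randomBytes(8).toString('hex'),
    threadId: existing ? existing.threadId : threadId,
    authorId: user.id, // taken from the authenticated session, never from the payload
    commentBody,
  };
  rows.set(row.commentId, row);
  return { success: true, commentId: row.commentId, vendorMetadata: toVendorMetadata(row) };
}

function deleteComment({ user, commentId }) {
  const row = rows.get(commentId);
  if (!row) return { success: false, error: 'not_found' };
  // "Remove a row the user owns or has permission to erase."
  if (row.authorId !== user.id && !user.canModerate) {
    return { success: false, error: 'forbidden' };
  }
  rows.delete(commentId);
  return { success: true };
}

// The three provider functions, under the names the page uses.
const provider = { get: getComments, save: saveComment, delete: deleteComment };
```

The allow-list in toVendorMetadata is the piece to cover with a test in your own code base: a field added to the row later stays local unless someone deliberately adds it to VENDOR_FIELDS.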
What About Files and Mentions?
Files stay in your S3 bucket or a signed URL scheme. Mentions reuse your user table. The SDK renders avatars and badges from public thumbnails you expose, not from Velt storage.
Quick Note on Self Hosting
Self-hosting doesn't mean running the real-time servers yourself. Velt is a managed platform, so the socket lattice, presence heartbeat, and cursor math live under their watch. That choice slashes operational load but still respects data boundaries.
Security & Legal Checklist
Topic | Velt with Self-Hosting | Fully hosted vendors |
---|---|---|
Comment text leaves your network | Never | Always |
HIPAA BAA signed | Yes | Sometimes |
SOC 2 Type II report | Yes | Varies |
Data residency control | You choose region | Vendor decides |
Pen-test frequency | Annual external | Often unknown |
Right-to-be-forgotten latency | Immediate. Your database. | Vendor SLA |
Keeping content in your cloud means the breach surface is identical to the rest of your stack rather than multiplied across third-party data stores. Self-hosting is not about features. It is about aligning with risk models, audit timelines, and customer deals that hinge on strict data clauses.
How Velt Compares With Other Paths
Solution | Data stays on your infra | Ready-made UI | Real-time engine | Staff months to ship |
---|---|---|---|---|
Velt | ✔ | ✔ | ✔ | 0.25 |
Liveblocks | ✖ | Partial | ✔ | 1-3 |
Ably / Firebase | ✖ | ✖ | ✔ | 3-6 |
Build in-house | ✔ | ✖ | ✖ | 6-9 |
Here's the point: only Velt checks all the boxes. You get self-hosted data plus turnkey interface, which slashes time-to-value and passes security reviews.
For more details, see the best commenting SDK in 2025 list.
Real-World Scenarios
Healthcare Imaging Review
Radiologists view DICOM images and drop threaded notes on suspicious regions. Patient identifiers and doctor comments reside in the hospital’s private cloud. Velt carries only commentId and socket routing, meeting HIPAA without extra encryption hacks.
Fintech Reporting Dashboards
Analysts discuss monthly margin swings directly on a KPI tile. The text might include numbers that move markets. By storing content on an internal Aurora cluster, the firm satisfies audit rules. Velt’s presence layer shows who is reading the dashboard in real time.
E-learning Video Feedback
Course authors leave time-coded remarks on a lecture. The video file and comment text sit in the LMS vendor’s VPC, not on a SaaS vendor. Students see live pointers and notifications while the vendor avoids extra EU-US data transfer contracts.
Design Hand-Off Tools
UI designers pin call-outs on a Figma-like canvas. Pixel data is proprietary game art, so self-hosting is mandatory. Velt draws emoji reactions, mention chips, and resolution workflow without touching the art files.
Performance Tips for High-Traffic Apps
Shard by tenant: If you run a multi-tenant SaaS, keep comment rows in separate schemas or clusters. Velt only needs the unique IDs, so sharding does not break socket sync.
Cache first fetch: The SDK hydrates on page load. A CDN-fronted /comments?thread=XYZ endpoint serves 90 percent of reads. Subsequent writes go straight to your primary.
Roll-Out Checklist
Map data model: thread, comment, user.
Add three provider functions.
Embed <Comments /> widget from the SDK.
Run staging tests with fake PHI.
Push to production behind a feature flag.
Pass final security review with proof that text never crosses Velt Cloud.
Common Questions
Does self-hosting break Velt’s analytics features?
No. Velt’s viewer analytics records event IDs, not content. You can opt out entirely or keep using them with minimal exposure.
Can we encrypt comment text before saving?
Yes. The SDK does not care what the body field looks like. You can store a ciphertext blob and decrypt on the client.
What if we need to migrate away later?
Since you hold the raw rows, migration is a matter of transforming your own schema.
Closing Thoughts
Self-hosted comments once forced engineers to pick between speed to ship and data control. Velt closes that gap. You keep personal data on your infra, your users enjoy live conversation threads, and your roadmap moves faster because your team does not have to master CRDT math or socket scaling tricks.
Ready to give your product Google Docs/Figma-level collaboration without giving up ownership of the words your users share? Take Velt’s commenting SDK for a spin, wire up your provider in an afternoon, and watch both security and product teams nod in approval.