For institutions whose dominant constraint is time-to-market, Vendor-Managed Deployment is the default: production-grade privacy infrastructure under the institution's brand within months, with the vendor retaining the engineering lift. Institution-Controlled is the suitable choice for long-term strategic commitments where the institution intends to own the stack and the regulator demands change-control sovereignty. Consortium is the choice for shared market infrastructure (interbank settlement, central-bank pilots, industry utilities) where multi-party governance is itself the requirement. Self-Custodial Deployment is the choice when end-user sovereignty is itself the institutional or donor commitment: humanitarian programs, jurisdictions where institution-as-sovereign is unacceptable, or any deployment where the trust surface against the institution itself must be the smallest practical.
The technical work is the same across the first three governance models, deploy the Modular Privacy Stack layers (Data, Execution, Settlement, Disclosure) and select vendor components per layer. The difference is who carries the engineering lift. Vendor-Managed minimizes institution-side engineering but creates vendor dependency at the operations level. Institution-Controlled requires building or acquiring an SRE team that can operate privacy-critical infrastructure under regulated change control. Consortium adds the inter-operator coordination overhead (testing across nodes, joint upgrade cadence, multi-sig admin). Self-Custodial Deployment swaps the execution layer for stateless plasma and pushes state custody to the user: wallet retention, backup, recovery UX, and the exit-game proof-construction path all sit with the user and the institution's wallet team. Forced-withdrawal primitives are mandatory across all four so that user-level recovery does not depend on any single operator.
This is a perspective for legal review by the deploying institution(s), not legal advice. Each governance model raises distinct review surfaces.
Vendor-Managed is typically treated as a critical-third-party outsourcing arrangement; counsel would review vendor due diligence, source escrow, exit rights, and the change-control delegation. Institution-Controlled aligns with the institution-as-licensee-and-operator model that regulated change control typically expects; whether a specific regulator accepts the implementation is a question for counsel. The institution-as-operator would need to bind itself out of master-key custody for end-user state (user-held viewing keys, per-request and scope-bound regulator disclosure, forced-exit reachability without operator cooperation); without that binding, the document does not classify the deployment as preserving end-user privacy.
Consortium raises joint-governance review surfaces (charter enforceability, member-fee structure, dispute resolution, the disclosure framework across home regulators); cross-border deployments would surface the jurisdictional diversity of member operators and the supervisory-coordination implications, all of which are for counsel rather than this document. Self-Custodial Deployment inverts the disclosure model: there are no master viewing keys at the institution, so each regulator disclosure requires user co-signing per request; counsel would scope whether per-disclosure user consent meets the regulator's evidentiary expectations, and whether the exit-game challenge windows and bond parameters satisfy the resolution timelines the regulator expects under stress.
Requirements
- Production-grade privacy infrastructure within a 6-12 month deployment window
- Brand identity preserved; customer relationship owned by the institution
- Regulator-aligned change management (institutional or consortium control)
- Exit and migration path defined per layer of the stack
- Composable layers (Data, Execution, Settlement, Disclosure) so each can be upgraded independently
Constraints
- Vendor licensing relationship for base technology and support
- 24/7 operations team for infrastructure management
- Ethereum mainnet connectivity for settlement and bridging
- Source-code escrow and exit rights negotiated up front
Architectural options
Recommended
For institutions launching a privacy product on a 6-12 month horizon with regulator-led change control, default to Institution-Controlled Deployment with Aztec or Miden as the Execution-layer vendor, off-chain encrypted Data, Ethereum L1 Settlement, and view-key Disclosure. Source escrow and audit rights are negotiated up front; quarterly upgrade cadence runs through the institution's change-control gate. The default is conditional on user-privacy guardrails being load-bearing, not optional: end users custody their own viewing keys, regulator disclosure is scoped per request via Regulatory Disclosure Keys & Proofs, and any user can self-exit via Forced Withdrawal. Without these primitives, Institution-Controlled collapses into a panopticon and the deployment should not be classified as private.
Side-by-side
| Axis | Vendor-Managed | Institution-Controlled | Consortium | Self-Custodial |
|---|---|---|---|---|
| Maturity | production | production | prototyped | prototyped |
| Context | i2i | both | both | i2u |
| Trust model | Vendor governance | Institution change-control | Consortium charter | Operator liveness + user state custody + L1 anchor |
| Privacy scope | Full (per stack) | Full (per stack) | Full (per stack); inter-member disclosure framework | Full, against operator inclusive |
| Performance | Vendor-managed ops | Institution-managed ops | Multi-operator coordination | Operator-amortized batching; heavier user-side proof retention |
| Operator req. | Vendor + institution | Institution | Multi-operator consortium | Institution (liveness only) + user-side state retention |
| Cost class | Subscription + ops | Engineering + ops | Member fees + joint ops | Engineering + user-side wallet ops; lowest amortized L1 footprint |
| Regulatory fit | Conditional (vendor cadence) | Strong (institution-led) | Strong (multi-jurisdiction) | Conditional (user-state custody and user-co-signed disclosure) |
| Failure modes | Vendor compromise; product discontinuation | Institution operations gap; vendor support latency | Consortium capture; governance dispute | User data loss; operator equivocation; exit-game latency |
Decision factors
- If time-to-market dominates and engineering capacity is unavailable, choose Vendor-Managed Deployment and accept the vendor cadence.
- If the goal is shared market infrastructure across multiple institutions, choose Consortium Deployment and invest in the governance charter.
- If regulator demands institutional ownership of the full upgrade lifecycle, Institution-Controlled is the option that satisfies this constraint.
- If the institution wants the smallest possible trust surface against itself and the user base can operate state-custody wallets, choose Self-Custodial Deployment.
Hybrid composition
Begin with Vendor-Managed to compress time-to-market, with a contractual transition path to Institution-Controlled at month 18-24 once the institution's engineering team is staffed and the operational runbook is mature. Consortium can layer over an Institution-Controlled deployment when peer institutions join and joint governance becomes the new operating model.
Open questions
- Vendor concentration. As the privacy-vendor market consolidates, single-vendor dependency becomes a sector-wide risk; multi-vendor strategies per layer mitigate but do not eliminate it.
- Regulator acceptance per governance model. Whether vendor-led upgrade cadences satisfy specific regulators (Fed, ECB, BaFin, MAS) is unsettled and must be validated per jurisdiction.
- Source-escrow practicality. Whether escrow agreements can be executed quickly enough during vendor-failure scenarios to maintain operational continuity.
- Cross-vendor migration. State migration between privacy stacks (e.g., Aztec → Miden Execution layer) lacks tooling; today this is a manual lift.
- Forced-withdrawal coverage. Whether L1 escape-hatch primitives cover all user-level recovery scenarios, including state stuck behind a discontinued vendor.
Last reviewed