MergeWatch supports three deployment models. Each one makes a different trade-off between setup effort, infrastructure control, and data residency. Pick the one that matches your compliance and operational requirements.

At a glance

| Feature | SaaS + BYOC | Fully Self-Hosted | SaaS + MergeWatch Bedrock |
|---|---|---|---|
| Orchestration (Lambda, DynamoDB, API Gateway) | MergeWatch hosts | You host | MergeWatch hosts |
| Bedrock model access | Your AWS account | Your AWS account | MergeWatch account |
| Code leaves your infra? | Yes, diff transits MergeWatch in-memory | No | Yes (to MergeWatch) |
| Who pays Bedrock? | You | You | MergeWatch (included in pricing) |
| AWS account required? | Yes (Bedrock only) | Yes (full stack) | No |
| Model choice | You choose | You choose | MergeWatch default |
| Setup time | ~10 min | ~30 min | ~5 min |
| Maintenance | MergeWatch manages infra | You manage everything | MergeWatch manages everything |

1. SaaS + Customer Bedrock (BYOC)

Best for teams that want AWS control without managing infrastructure

MergeWatch hosts the orchestration layer. You provide your own AWS account with Bedrock access. You control which models run and pay your own Bedrock bill.

How it works

MergeWatch runs the Lambda functions, DynamoDB tables, API Gateway, and SQS queue. When a review needs a model invocation, MergeWatch assumes a cross-account IAM role in your AWS account and calls Bedrock there.
PR opened → GitHub webhook → MergeWatch API Gateway → MergeWatch Lambda
  → Assumes cross-account role → Bedrock (your AWS account)
  → Review posted to GitHub

Cross-account role setup

You create an IAM role in your AWS account with a trust policy that allows MergeWatch to assume it. The trust policy controls who may assume the role; the sts:ExternalId condition closes the confused deputy hole, in which another MergeWatch customer who learned your role ARN could otherwise get MergeWatch to assume your role on their behalf. The trust policy says nothing about what the assumed session can do: attach a separate permissions policy to the role that grants only the Bedrock invocation actions a review needs, on the models you intend to use.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::MERGEWATCH_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
The external ID is generated during onboarding and displayed in the MergeWatch dashboard. Treat it as a secret: never commit it to a repository or share it publicly. Note that the :root principal above delegates to MergeWatch's own IAM policies the decision of which identities inside the MergeWatch account may call sts:AssumeRole on your role.
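As an added example (not MergeWatch's own tooling), the Python below audits a trust policy document for the two properties that matter in this setup, a principal restricted to the MergeWatch account and an sts:ExternalId condition carrying the value from the dashboard, and builds the scoped permissions policy to attach alongside the trust policy. The account ID, external ID and model ARN are constructed placeholders; substitute your own values.

```python
"""Audit the BYOC cross-account trust policy and build a least-privilege
permissions policy for the same role.

Added example for this page, not MergeWatch's own tooling. The account ID,
external ID and model ARN below are constructed placeholders.
"""
import json

# Constructed placeholders (assumptions): substitute the values from the
# MergeWatch dashboard and the model IDs you enabled in Bedrock.
MERGEWATCH_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "mw-ext-7f3a9c2d"
MODEL_ARN = "arn:aws:bedrock:eu-west-1::foundation-model/MODEL_ID"


def _account_of(principal_arn: str) -> str:
    """Account ID from an IAM principal ARN such as arn:aws:iam::ACCOUNT:root."""
    parts = principal_arn.split(":")
    return parts[4] if len(parts) >= 5 else ""


def audit_trust_policy(policy: dict, expected_account: str,
                       expected_external_id: str) -> list[str]:
    """Return findings for every Allow statement that grants sts:AssumeRole.
    An empty list means only the expected account can assume the role, and
    only when it presents the expected external ID."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue

        # Who may assume the role. With a wildcard principal the external ID
        # becomes the only barrier, which is not what it is designed for.
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else aws
        for p in aws:
            if p == "*":
                findings.append(f"statement {i}: wildcard principal, any AWS account may assume the role")
            elif _account_of(p) != expected_account:
                findings.append(f"statement {i}: principal {p} is not account {expected_account}")

        # The confused deputy control: the caller must present the external ID.
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused deputy protection missing)")
        elif ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId {ext!r} does not match the dashboard value")
    return findings


def bedrock_permissions_policy(model_arns: list[str]) -> dict:
    """Permissions policy for the role: invocation only, on the listed models
    only. The trust policy decides who may assume the role; this decides what
    the assumed session can do, so it stays limited to the invoke actions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
            "Resource": list(model_arns),
        }],
    }


# The trust policy from this page with the placeholders filled in.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{MERGEWATCH_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# The same policy with the Condition block dropped: the classic mistake.
WEAK_TRUST_POLICY = json.loads(json.dumps(TRUST_POLICY))
del WEAK_TRUST_POLICY["Statement"][0]["Condition"]

if __name__ == "__main__":
    for name, pol in (("trust policy", TRUST_POLICY), ("weak trust policy", WEAK_TRUST_POLICY)):
        print(name, audit_trust_policy(pol, MERGEWATCH_ACCOUNT_ID, EXTERNAL_ID) or "OK")
    print(json.dumps(bedrock_permissions_policy([MODEL_ARN]), indent=2))
```

Run it against the JSON you are about to attach (json.load the file and pass the dict) before creating the role; the weak variant shows what a missing Condition block looks like to the audit.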

Data residency

  • Diff data transits MergeWatch infrastructure in-memory during orchestration. It is not persisted to disk or stored in any database.
  • Bedrock calls go directly to your AWS account in your chosen region. Model inputs and outputs stay within your AWS boundary.
  • Review metadata (timestamps, repo names, review status) is stored in MergeWatch-managed DynamoDB.

2. Fully Self-Hosted

Best for strict compliance, air-gapped environments, or full control

You deploy the entire MergeWatch stack in your own AWS account via SAM. Nothing touches MergeWatch infrastructure.

How it works

You run npx mergewatch@latest init, which deploys all resources to your AWS account. The GitHub App webhook points to your API Gateway. Every component runs in your environment.
PR opened → GitHub webhook → Your API Gateway → Your Lambda
  → Your SQS FIFO → Your ReviewAgent Lambda → Bedrock (your account)
  → Review posted to GitHub

What you manage

| Resource | Your responsibility |
|---|---|
| Lambda functions | Deploying updates, monitoring, concurrency settings |
| DynamoDB tables | Backups, capacity planning, TTL policies |
| API Gateway | Custom domains, WAF rules, throttling |
| SQS FIFO queue | Dead-letter queue monitoring, redrive policies |
| SSM parameters | Credential rotation, KMS key management |
| Bedrock | Model access requests, quotas, cost monitoring |
Updates are applied by re-running the SAM deploy. MergeWatch publishes new SAM templates with each release. You control when to upgrade.

Data residency

  • All data stays in your AWS account, in the region you choose.
  • No data is sent to MergeWatch. There is no telemetry, no phone-home, and no dependency on any MergeWatch-operated service. The stack still depends on GitHub: it receives webhooks from, and posts reviews to, the GitHub instance that hosts your repositories.
  • Suitable for isolated environments when combined with VPC endpoints for Bedrock, DynamoDB, SQS, and SSM, so that none of the AWS traffic leaves the VPC. The inbound webhook path from GitHub to your API Gateway and the outbound path from your Lambda to the GitHub API remain; a deployment with no internet path at all is only possible if your GitHub instance sits inside the same boundary.
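Before describing a self-hosted deployment as egress-free, it is worth checking the template rather than the intent. The Python below is an added example, not part of the MergeWatch SAM template: it walks a SAM/CloudFormation template (here a constructed stand-in whose logical IDs such as ReviewAgentFunction are assumptions) and reports which of the four required VPC endpoints are missing or misconfigured, whether the review Lambda is attached to the VPC, and whether the template still defines an internet or NAT gateway.

```python
"""Audit a self-hosted SAM/CloudFormation template for the private paths the
stack needs before calling it egress-free.

Added example for this page, not part of the MergeWatch SAM template. The
template below is a constructed stand-in; its logical IDs (ReviewAgentFunction,
ReviewVpc, PrivateSubnet, ...) are assumptions, not names from the real template.
"""
import copy

# Service-name suffix -> endpoint type. InvokeModel is served by the
# bedrock-runtime endpoint, not the bedrock control-plane endpoint.
REQUIRED_ENDPOINTS = {
    "bedrock-runtime": "Interface",
    "sqs": "Interface",
    "ssm": "Interface",
    "dynamodb": "Gateway",
}
EGRESS_TYPES = ("AWS::EC2::InternetGateway", "AWS::EC2::NatGateway")


def egress_findings(template: dict, region: str, function_ids: list[str]) -> list[str]:
    """Return findings; an empty list means every required AWS service has a
    VPC endpoint, the listed Lambdas run inside the VPC, and the template
    defines no internet or NAT gateway."""
    resources = template.get("Resources", {})
    findings = []

    # 1. Every AWS dependency reachable through a VPC endpoint.
    endpoints = {
        r.get("Properties", {}).get("ServiceName"): r.get("Properties", {})
        for r in resources.values()
        if r.get("Type") == "AWS::EC2::VPCEndpoint"
    }
    for suffix, wanted in REQUIRED_ENDPOINTS.items():
        svc = f"com.amazonaws.{region}.{suffix}"
        props = endpoints.get(svc)
        if props is None:
            findings.append(f"missing VPC endpoint for {svc}")
            continue
        actual = props.get("VpcEndpointType", "Gateway")  # CloudFormation default
        if actual != wanted:
            findings.append(f"{svc}: expected {wanted} endpoint, found {actual}")
        elif wanted == "Interface" and not props.get("PrivateDnsEnabled", False):
            # Without private DNS the SDK resolves the public hostname and
            # the call tries to leave the VPC.
            findings.append(f"{svc}: PrivateDnsEnabled is false")

    # 2. The Lambdas themselves must be attached to the VPC.
    for fid in function_ids:
        props = resources.get(fid, {}).get("Properties", {})
        if not props.get("VpcConfig", {}).get("SubnetIds"):
            findings.append(f"{fid}: no VpcConfig, runs outside the VPC")

    # 3. No route to the internet. Webhook delivery and review posting still
    # need a path to your GitHub instance; if that is github.com this
    # finding is expected and the stack is not air-gapped.
    for name, r in resources.items():
        if r.get("Type") in EGRESS_TYPES:
            findings.append(f"egress path present: {name} ({r['Type']})")
    return findings


# Constructed template fragment (assumption): three endpoints present, SQS missing.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ReviewVpc": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
        "BedrockEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
            "ServiceName": "com.amazonaws.eu-west-1.bedrock-runtime",
            "VpcEndpointType": "Interface", "PrivateDnsEnabled": True,
            "VpcId": {"Ref": "ReviewVpc"}, "SubnetIds": [{"Ref": "PrivateSubnet"}]}},
        "SsmEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
            "ServiceName": "com.amazonaws.eu-west-1.ssm",
            "VpcEndpointType": "Interface", "PrivateDnsEnabled": True,
            "VpcId": {"Ref": "ReviewVpc"}, "SubnetIds": [{"Ref": "PrivateSubnet"}]}},
        "DynamoEndpoint": {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
            "ServiceName": "com.amazonaws.eu-west-1.dynamodb",
            "VpcId": {"Ref": "ReviewVpc"}, "RouteTableIds": [{"Ref": "PrivateRouteTable"}]}},
        "ReviewAgentFunction": {"Type": "AWS::Serverless::Function", "Properties": {
            "VpcConfig": {"SubnetIds": [{"Ref": "PrivateSubnet"}],
                          "SecurityGroupIds": [{"Ref": "LambdaSg"}]}}},
    }
}


def sample_findings() -> list[str]:
    return egress_findings(SAMPLE_TEMPLATE, "eu-west-1", ["ReviewAgentFunction"])


def sample_findings_with_nat() -> list[str]:
    t = copy.deepcopy(SAMPLE_TEMPLATE)
    t["Resources"]["Nat"] = {"Type": "AWS::EC2::NatGateway", "Properties": {}}
    return egress_findings(t, "eu-west-1", ["ReviewAgentFunction"])


if __name__ == "__main__":
    for finding in sample_findings():
        print("-", finding)
```

To run it on a real deployment, load the deployed template (yaml.safe_load on the SAM template, or the output of the CloudFormation GetTemplate call) and pass the logical IDs of every Lambda in the stack, not only the review agent.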

3. SaaS + MergeWatch Bedrock

Best for teams that want zero infrastructure overhead

Everything is hosted by MergeWatch. Install the GitHub App and start getting reviews. No AWS account needed.

How it works

MergeWatch runs the full stack, including Bedrock model access. You install the GitHub App and configure your repositories. That is it.
PR opened → GitHub webhook → MergeWatch API Gateway → MergeWatch Lambda
  → Bedrock (MergeWatch account)
  → Review posted to GitHub

What you get

  • No AWS account required
  • No infrastructure to manage
  • Bedrock costs are included in your MergeWatch subscription
  • Automatic updates to the latest review pipeline
This is the fastest way to start. You can migrate to BYOC or Self-Hosted later without losing your configuration history.

Data residency

  • Diff data is processed on MergeWatch infrastructure. It is held in-memory during review and not persisted after the review completes.
  • Bedrock calls run in MergeWatch’s AWS account. Model inputs and outputs are not logged or stored beyond the review lifecycle.
  • Review metadata is stored in MergeWatch-managed DynamoDB.

Decision guide

Strict compliance or air-gapped?

Choose Fully Self-Hosted. No data leaves your AWS account and nothing is sent to MergeWatch. You control every component and can run inside a VPC whose only external path is to the GitHub instance that hosts your repositories.

Want AWS control with easy setup?

Choose SaaS + Customer Bedrock (BYOC). MergeWatch manages the infrastructure. You keep control of model selection and Bedrock billing in your own account.

No AWS account?

Choose SaaS + MergeWatch Bedrock. Install the GitHub App and you are done. No cloud account, no infrastructure, no Bedrock configuration.

Data residency summary

| Data type | BYOC | Self-Hosted | SaaS |
|---|---|---|---|
| PR diff | In-memory transit through MergeWatch, not persisted | Never leaves your account | Processed on MergeWatch infra, not persisted |
| Bedrock inputs/outputs | Your AWS account | Your AWS account | MergeWatch AWS account |
| Review metadata | MergeWatch DynamoDB | Your DynamoDB | MergeWatch DynamoDB |
| GitHub credentials | MergeWatch SSM | Your SSM | MergeWatch SSM |
| Configuration (.mergewatch.yml) | Your GitHub repo | Your GitHub repo | Your GitHub repo |