Much better Pro docs

docs/book/getting-started/zenml-pro/README.md

@@ -25,7 +25,7 @@ The [Pro version of ZenML](https://zenml.io/pro) extends the Open Source product
 ![Walkthrough of ZenML Model Control Plane](../../.gitbook/assets/mcp-walkthrough.gif)
 
 {% hint style="info" %}
-To try ZenML Pro or to learn more [book a call](https://www.zenml.io/book-your-demo).
+To get access to ZenML Pro, [book a call](https://www.zenml.io/book-your-demo).
 {% endhint %}
 
 ## ZenML OSS vs Pro Feature Comparison
@@ -35,66 +35,20 @@ To try ZenML Pro or to learn more [book a call](https://www.zenml.io/book-your-d
 | **User Management** | Single-user mode | Multi-user support with [SSO](self-hosted.md#identity-provider), [organizations](organization.md), and [teams](teams.md) |
 | **Access Control** | No RBAC | Full [role-based access control](roles.md) with customizable permissions |
 | **Multi-tenancy** | No workspaces/projects | [Workspaces](workspaces.md) and [projects](projects.md) for team and resource isolation |
-| **Dashboard** | Basic pipeline and run visualization | Pro dashboard with [Model Control Plane](https://docs.zenml.io/user-guides/starter-guide/track-ml-models), [Artifact Control Plane](https://docs.zenml.io/user-guides/starter-guide/manage-artifacts), and comparison views |
-| **Pipeline Execution** | Run pipelines via SDK/CLI | Run pipelines from the dashboard, manage schedules via UI, [triggers](https://docs.zenml.io/concepts/triggers) |
+| **ZenML Web UI** | Basic pipeline and run visualization | Pro UI with [Model Control Plane](https://docs.zenml.io/concepts/models), [Artifact Control Plane](https://docs.zenml.io/concepts/artifacts), and comparison views |
+| **Pipeline Execution** | Run pipelines via SDK/CLI | Run pipelines from the UI, manage schedules through the UI, [triggers](https://docs.zenml.io/concepts/triggers) |
 | **Stack Configuration** | User-managed stacks | Advanced stack configurations with workspace/project-level restrictions for platform teams |
 | **Security** | Community updates | Prioritized security patches, SOC 2 and ISO 27001 certification |
-| **Deployment** | Self-hosted only | [SaaS](#saas-deployment), [Hybrid SaaS](#hybrid-saas-deployment), or [Air-gapped](#air-gapped-deployment) options |
+| **Deployment** | Self-hosted only | [SaaS](#saas-deployment), [Hybrid SaaS](#hybrid-saas-deployment), or [Self-hosted](#self-hosted-deployment) options |
 | **Support** | Community support | Professional support included (SaaS deployments) |
 | **Reporting** | Basic run tracking | Advanced usage reports and analytics |
 | **Core Features** | ✅ Run pipelines on stacks<br>✅ Full observability over runs<br>✅ Artifact tracking<br>✅ Model versioning | ✅ All OSS features<br>✅ [Run Snapshots](https://docs.zenml.io/concepts/snapshots)<br>✅ Enhanced filtering and search |
 
-## Deployment Scenarios Comparison
+## Deployment Scenarios
 
-| Deployment Aspect | SaaS | Hybrid SaaS | Air-gapped |
-|-------------------|------|-------------|------------|
-| **ZenML Server** | ZenML infrastructure | Customer infrastructure | Customer infrastructure |
-| **Control Plane** | ZenML infrastructure | ZenML infrastructure | Customer infrastructure |
-| **Metadata & RBAC** | ZenML infrastructure | RBAC: ZenML infrastructure<br>Run metadata: Customer infrastructure | Customer infrastructure |
-| **Compute & Data** | Customer infrastructure | Customer infrastructure | Customer infrastructure |
-| **Setup Time** | ⚡ Fastest (minutes) | Moderate | Longer (requires full deployment) |
-| **Maintenance** | ✅ Fully managed | Partially managed (workspace maintenance required) | Customer managed |
-| **Production Ready** | ✅ Day 1 | ✅ Day 1 | ✅ Day 1 |
-| **Best For** | Teams wanting minimal infrastructure overhead and fastest time-to-value | Organizations with security/compliance requirements but wanting simplified user management | Organizations requiring complete data isolation and air-gapped environments |
+ZenML Pro offers three flexible deployment options to match your organization's needs: **SaaS**, **Hybrid**, and **Self-hosted**.
 
-### SaaS Deployment
-
-The ZenML-managed SaaS deployment provides the fastest path to production with zero infrastructure overhead. All ZenML server components run on ZenML infrastructure, while your compute resources and data remain in your environment.
-
-**What runs where:**
-- ZenML Server: ZenML infrastructure
-- Metadata and RBAC: ZenML infrastructure
-- Compute and Data: Customer infrastructure
-
-**Ideal for:** Teams that want to get started immediately without managing infrastructure, while keeping sensitive ML data in their own environment.
-
-[Learn more about SaaS architecture →](../system-architectures.md#zenml-pro-saas-architecture)
-
-### Hybrid SaaS Deployment
-
-The Hybrid deployment balances control with convenience. The ZenML control plane (handling user management, authentication, and RBAC) runs on ZenML infrastructure, while the ZenML server and all metadata run in your environment.
-
-**What runs where:**
-- ZenML Management Plane: ZenML infrastructure
-- ZenML Server: Customer infrastructure
-- RBAC: ZenML infrastructure
-- Run metadata: Customer infrastructure
-- Compute and Data: Customer infrastructure
-
-**Ideal for:** Organizations with security or compliance requirements that mandate keeping metadata and credentials within their infrastructure, while benefiting from centralized user management.
-
-[Learn more about Hybrid architecture →](../system-architectures.md#zenml-pro-hybrid-saas)
-
-### Air-gapped Deployment
-
-The fully self-hosted, air-gapped deployment gives you complete control and data sovereignty. All ZenML components run entirely within your infrastructure with no external dependencies.
-
-**What runs where:**
-- All components: Customer infrastructure (completely isolated)
-
-**Ideal for:** Organizations with the strictest security requirements, regulated industries, or environments that must operate without external network access.
-
-[Learn more about self-hosted architecture →](../system-architectures.md#zenml-pro-self-hosted-architecture) | [Self-hosting setup guide →](self-hosted.md)
+[Explore all deployment scenarios →](deployments-overview.md)
 
 ## Security & Compliance
 
@@ -105,8 +59,8 @@ All ZenML Pro deployments include:
 - ✅ **Vulnerability Assessment Reports** available on request
 - ✅ **Software Bill of Materials (SBOM)** available on request
 
-For software deployed on customer infrastructure (Hybrid and Air-gapped scenarios), ZenML provides comprehensive security documentation to support your compliance requirements.
+For software deployed on your infrastructure (Hybrid and Self-hosted scenarios), ZenML provides comprehensive security documentation to support your compliance requirements.
 
 ## Pro Feature Details
 
-<table data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-cover data-type="files"></th><th data-hidden></th><th data-hidden data-type="content-ref"></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>Workspaces</strong></td><td>Isolated environments for teams and projects</td><td><a href=".gitbook/assets/pro-workspaces.png">pro-workspaces.png</a></td><td></td><td></td><td><a href="workspaces.md">workspaces.md</a></td></tr><tr><td><strong>Organizations</strong></td><td>Top-level entity for managing users and teams</td><td><a href=".gitbook/assets/pro-organizations.png">pro-organizations.png</a></td><td></td><td></td><td><a href="organization.md">organization.md</a></td></tr><tr><td><strong>Teams</strong></td><td>Group users for simplified access management</td><td><a href=".gitbook/assets/pro-teams.png">pro-teams.png</a></td><td></td><td></td><td><a href="teams.md">teams.md</a></td></tr><tr><td><strong>Roles</strong></td><td>Customizable role-based access control</td><td><a href=".gitbook/assets/pro-roles.png">pro-roles.png</a></td><td></td><td></td><td><a href="roles.md">roles.md</a></td></tr><tr><td><strong>Projects</strong></td><td>Organize work within workspaces</td><td></td><td></td><td></td><td><a href="projects.md">projects.md</a></td></tr><tr><td><strong>Deployment Options</strong></td><td>SaaS, Hybrid, or Air-gapped deployments</td><td><a href=".gitbook/assets/pro-self-host.png">pro-self-host.png</a></td><td></td><td></td><td><a href="self-hosted.md">self-hosted.md</a></td></tr></tbody></table>
+<table data-view="cards"><thead><tr><th></th><th></th><th data-hidden data-card-cover data-type="files"></th><th data-hidden></th><th data-hidden data-type="content-ref"></th><th data-hidden data-card-target data-type="content-ref"></th></tr></thead><tbody><tr><td><strong>Workspaces</strong></td><td>Isolated environments for teams and projects</td><td><a href=".gitbook/assets/pro-workspaces.png">pro-workspaces.png</a></td><td></td><td></td><td><a href="workspaces.md">workspaces.md</a></td></tr><tr><td><strong>Organizations</strong></td><td>Top-level entity for managing users and teams</td><td><a href=".gitbook/assets/pro-organizations.png">pro-organizations.png</a></td><td></td><td></td><td><a href="organization.md">organization.md</a></td></tr><tr><td><strong>Teams</strong></td><td>Group users for simplified access management</td><td><a href=".gitbook/assets/pro-teams.png">pro-teams.png</a></td><td></td><td></td><td><a href="teams.md">teams.md</a></td></tr><tr><td><strong>Roles</strong></td><td>Customizable role-based access control</td><td><a href=".gitbook/assets/pro-roles.png">pro-roles.png</a></td><td></td><td></td><td><a href="roles.md">roles.md</a></td></tr><tr><td><strong>Projects</strong></td><td>Organize work within workspaces</td><td><a href=".gitbook/assets/pro-projects.png">pro-projects.png</a></td><td></td><td></td><td><a href="projects.md">projects.md</a></td></tr><tr><td><strong>Workload Managers</strong></td><td>Enable running pipelines from the ZenML Pro UI</td><td><a href=".gitbook/assets/pro-workload-managers.png">pro-workload-managers.png</a></td><td></td><td></td><td><a href="workload-managers.md">workload-managers.md</a></td></tr><tr><td><strong>Deployment Options</strong></td><td>SaaS, Hybrid, or Full On-Prem deployments</td><td><a href=".gitbook/assets/pro-self-host.png">pro-self-host.png</a></td><td></td><td></td><td><a href="self-hosted.md">self-hosted.md</a></td></tr></tbody></table>

docs/book/getting-started/zenml-pro/deployments-overview.md

@@ -0,0 +1,187 @@
+---
+description: Compare ZenML Pro deployment scenarios to find the right fit for your organization.
+icon: code-merge
+layout:
+  title:
+    visible: true
+  description:
+    visible: true
+  tableOfContents:
+    visible: true
+  outline:
+    visible: true
+  pagination:
+    visible: true
+---
+
+# Deployment Scenarios
+
+ZenML Pro offers three flexible deployment options to match your organization's security, compliance, and operational needs. This page helps you understand the differences and choose the right scenario for your use case.
+
+## Quick Comparison
+
+| Deployment Aspect | Purpose | SaaS | Hybrid SaaS | Self-hosted |
+|-------------------|---------|------|-------------|-------------|
+| **ZenML Server** | Stores pipeline metadata and serves the API that your SDK and UI connect to | ZenML infrastructure | Your infrastructure | Your infrastructure |
+| **Pipeline/ Artifact Metadata** | Records of your pipeline runs, step executions, and artifact locations | ZenML infrastructure | Your infrastructure | Your infrastructure |
+| **ZenML Control Plane** | Manages authentication, RBAC, and organization-level settings across workspaces | ZenML infrastructure | ZenML infrastructure | Your infrastructure |
+| **ZenML Pro UI** | Web UI for visualizing pipelines, artifacts, and managing your ML workflows | ZenML infrastructure | ZenML infrastructure | Your infrastructure |
+| **Compute & Data** | Your ML training infrastructure, models, datasets, and artifacts | Your infrastructure | Your infrastructure | Your infrastructure |
+| **Setup Time** | Time to get your first pipeline running | ⚡ ~1 hour | ~4 hours | ~8 hours |
+| **Maintenance** | Ongoing operational responsibility | Fully managed | Partially managed (workspace maintenance required) | Customer managed |
+| **Best For** | Recommended use case | Teams wanting minimal infrastructure overhead and fastest time-to-value | Organizations with security/compliance requirements but wanting simplified user management | Organizations requiring complete data isolation and on-premises control |
+
+{% hint style="info" %}
+In all of these cases the client sdk that you pip install into your development environment is the same one found here: https://pypi.org/project/zenml/
+{% endhint %}
+
+## Which Scenario is Right for You?
+
+### SaaS Deployment
+
+Choose **SaaS** if you want to get started immediately with zero infrastructure overhead.
+
+**What runs where:**
+- ZenML Server: ZenML infrastructure
+- Metadata and RBAC: ZenML infrastructure
+- Compute and Data: Your infrastructure
+
+**Key Benefits:**
+- ⚡ Fastest setup (minutes)
+- ✅ Fully managed by ZenML
+- 🚀 Immediate production readiness
+- 💰 Minimal operational overhead
+
+**Ideal for:** Startups, teams prioritizing time-to-value and operational simplicity, organizations comfortable leveraging managed cloud services.
+
+[Learn more about SaaS deployment →](saas-deployment.md)
+
+### Hybrid SaaS Deployment
+
+Choose **Hybrid** if you need to keep sensitive metadata in your infrastructure while benefiting from centralized user management.
+
+**What runs where:**
+- ZenML Control Plane: ZenML infrastructure
+- ZenML Pro UI: ZenML infrastructure
+- ZenML Pro Server: Your infrastructure
+- Run metadata: Your infrastructure
+- Compute and Data: Your infrastructure
+
+**Key Benefits:**
+- 🔐 Metadata stays in your infrastructure
+- 👥 Centralized user management
+- ⚖️ Balance of control and convenience
+- 🏢 Control plane and UI fully maintained and patched by ZenML
+- ✅ Day 1 production ready
+
+**Ideal for:** Organizations with security policies requiring metadata sovereignty, teams wanting simplified identity management without full infrastructure control.
+
+[Learn more about Hybrid deployment →](hybrid-deployment.md)
+
+### Self-hosted Deployment
+
+Choose **Self-hosted** if you need complete control with no external dependencies.
+
+**What runs where:**
+- All components: Your infrastructure (completely isolated)
+
+**Key Benefits:**
+- 🔒 Complete data sovereignty
+- 🚫 No external network dependencies
+- 🛡️ Maximum security posture
+- 📋 Full audit trail control
+
+**Ideal for:** Regulated industries (healthcare, finance, defense), government organizations, enterprises with strict data residency requirements, environments requiring offline operation.
+
+[Learn more about Self-hosted deployment →](self-hosted-deployment.md)
+
+## Common Pipeline Execution Data Flow
+
+All three deployment scenarios follow a similar pipeline execution pattern, with differences in where authentication happens and where data resides:
+
+### Standard Data Flow Steps
+
+1. **Code Execution**: You write code and run pipelines with your client SDK using Python
+
+2. **Token Acquisition**: The ZenML client fetches short-lived tokens from your ZenML workspace for:
+   - Pushing Docker images to your container registry
+   - Communicating with your artifact store
+   - Submitting workloads to your orchestrator
+   - *Note: Your local Python environment needs the client libraries for your stack components*
+
+3. **Image & Workload Submission**: The client automatically builds and pushes Docker images (and optionally code if no code repository is configured) to your container registry, then submits the workload to your orchestrator
+
+4. **Orchestrator Execution**: In the orchestrator environment:
+   - The Docker image is pulled from your container registry
+   - The necessary code is pulled in
+   - A connection to your ZenML workspace is established
+   - The relevant pipeline/step code is executed
+
+5. **Runtime Data Flow**: During execution:
+   - Pipeline and step run metadata is logged to your ZenML workspace
+   - Logs are streamed to your log backend
+   - Artifacts are written to your artifact store
+   - Metadata pointing to these artifacts is persisted
+
+6. **Observability**: The ZenML UI connects to your workspace and uses all persisted metadata to provide you with a complete observability plane
+
+### Deployment-Specific Differences
+
+**SaaS**: Metadata is stored in ZenML infrastructure. Your ML data and compute remain in your infrastructure.
+
+**Hybrid**: Metadata and control plane are split — authentication/RBAC happens at ZenML control plane, but all run metadata, artifacts, and compute stay in your infrastructure.
+
+**Self-hosted**: All components (control plane, metadata, authentication, compute) run entirely within your infrastructure with zero external dependencies.
+
+## Making Your Choice
+
+Consider these factors when deciding:
+
+1. **Data Location Requirements**: Where must your ML metadata and run data reside?
+   - Cloud-hosted is acceptable → **SaaS**
+   - Must stay in your infrastructure → **Hybrid**
+   - Must be completely isolated on-premises → **Self-hosted**
+
+2. **Infrastructure Complexity**: How much infrastructure control do you want?
+   - Minimal → **SaaS**
+   - Moderate → **Hybrid**
+   - Full control → **Self-hosted**
+
+3. **Time to Value**: How quickly do you need to be productive?
+   - Within 1 hour → **SaaS**
+   - Within 4 hours → **Hybrid**
+   - Within 8 hours (or longer planning period) → **Self-hosted**
+
+4. **Compliance Requirements**: What regulations apply to your organization?
+   - General business → **SaaS**
+   - Data residency rules → **Hybrid**
+   - Strict isolation requirements → **Self-hosted**
+
+## Security & Compliance
+
+All ZenML Pro deployments include:
+
+- ✅ **SOC 2 Type II** certification
+- ✅ **ISO 27001** certification
+- ✅ **Vulnerability Assessment Reports** available on request
+- ✅ **Software Bill of Materials (SBOM)** available on request
+
+For software deployed on your infrastructure (Hybrid and Self-hosted scenarios), ZenML provides comprehensive security documentation to support your compliance requirements.
+
+## Running Pipelines from the web UI
+
+All deployment scenarios support running pipeline snapshots from the UI through [workload managers](workload-managers.md). Workload managers are built into the ZenML Pro workspace and can be configured to orchestrate pipeline execution on your Kubernetes cluster, AWS ECS, or GCP infrastructure.
+
+Learn more: [Understanding Workload Managers](workload-managers.md)
+
+## Next Steps
+
+- **Ready to start?** [Choose SaaS Deployment](saas-deployment.md)
+- **Need metadata control?** [Set up Hybrid Deployment](hybrid-deployment.md)
+- **Require complete isolation?** [Configure Self-hosted Deployment](self-hosted-deployment.md)
+- **Deploying on your own infrastructure?** [See Self-hosted Deployment Guide](self-hosted.md)
+- **Want to run pipelines from the UI?** [Configure Workload Managers](workload-managers.md)
+
+{% hint style="info" %}
+Not sure which option is right for you? [Book a call](https://www.zenml.io/book-your-demo) with our team to discuss your specific requirements.
+{% endhint %}