# Rachel Sternberg, Director of Information Security at Meridian Financial Partners — read of self-hosted-document-qa-tool, June 13 2026

> 11 years in infosec, most of it at financial firms under 150 people. I came up through sysadmin, which means I can actually read a Dockerfile but also means I have zero patience for vaporware.

## How I got here

Our compliance officer sent me a Slack message three weeks ago: two advisors had been pasting client account statements into ChatGPT to summarize them. Classic. I started searching for "self-hosted document QA tool private data" and "local RAG tool no cloud" and this page showed up on page two of Google. I clicked because the title matched exactly what I typed and I was tired of landing on Notion templates and Medium articles.

## What I clicked first

The pricing headline stopped me: "Self-hosted, so no usage limits. Pay once, own the code forever." That is the right thing to say to me. We are a registered investment advisor. Data does not leave our systems. Full stop. So the framing landed. I kept reading.

Then I hit the Starter tier at $79 and I immediately got suspicious. That is a price point for a side project, not a compliance-grade document search tool. My brain went: is this a real product or a template someone built over a weekend?

## Where I paused

The FAQ. Specifically: "How long to deploy? Starter: 15 minutes with Docker. Enterprise: 1-2 hours with Kubernetes." I sat on that for a minute. We have deployed enough Docker things to know that 15 minutes is the time it takes before something breaks and you spend 4 hours on Stack Overflow. But the fact that there is a video walkthrough mentioned and a Docker demo image with no signup gave me a small amount of hope. That is the right way to present this. Let me run it before I commit.

## What I distrusted

This. Right here on the page: "Honest disclosure: we don't have live customers on this idea yet. We shipped the strategy package; you ship the customer conversations."

That is not a product disclaimer. That is a product *idea* marketplace disclaimer. I scrolled back up and read the page again from the top and then I finally understood what I was looking at. This is not a company selling me a document QA tool. This is a studio selling me the *concept and maybe the code* to go build and sell a document QA tool. The $79 and $299 pricing might be what they think I should charge end customers, not what I pay.

I genuinely could not tell. The page mixes both framings without ever clearly separating them. If I am the end buyer, the "Adopt this idea for $99" section makes no sense. If I am a would-be founder, the Starter/Enterprise tier pricing reads like advice, not an invoice.

The "Yr1 $$-17K (est)" and the "1 in 8 meaningful success odds (Fermi)" and the "-$9,870 Year-1 take-home" are for someone evaluating a business to start, not for me evaluating a tool to deploy. That context is not just missing -- it is actively confusing.

## What would convince me

If this is a real, deployable product: a single sentence that says "You can download and run this today. Here is the GitHub repo. Here is a changelog." That sentence does not exist on this page.

If there are no live customers yet, I need to know that upfront, not buried in a scoring rubric. But more than a disclaimer, I need one specific case: a firm our size, same compliance pressure, ran this against their document library, here is what the search quality looked like. Not a testimonial slide. A realistic write-up where something went wrong and they fixed it.

On the SOC 2 audit guide specifically: tell me what that actually is. Is it a checklist? A set of config flags? A template policy doc? "SOC 2 audit guide" in a feature list is the kind of thing that sounds credible until you click on it and it is a PDF with bullet points.

## What I'd ask in an email reply

1. Is this a product I can deploy today, or are you selling me the concept and codebase to launch my own version of it? The page does not answer that clearly.
2. What model is handling the document QA, and is it running fully local or does inference phone home anywhere? Docker image, sure, but inference is where the data risk lives.
3. You mention "images (OCR-backed)" for document support. Whose OCR engine? Tesseract locally, or does that hit an API?

## Verdict: on-the-fence

If this is a real product I can actually install and test, the demo image gets me to try it this week. But I spent ten minutes on this page and I still do not know if I am a customer or a potential founder, and that is a problem the page needs to fix before anyone in a regulated industry hands over $299.

---
*Memo by skeptic persona, generated 2026-06-13. Studio breaks own self-grading loop.*
