# Vector Database Vendor Selection: Decision Memo

**Prepared for**: doany.ai Architecture Review — 2026-04-11
**Decision Owner**: Engineering Leadership
**Sources**: Internal benchmark testing (Alex Chen, 2026-04-03), pricing analysis (Alex Chen, 2026-04-05), InfoSec vendor security review (Jamie Park, 2026-04-07)

## Abstract

This memo evaluates four vector database candidates — **Pinecone, Weaviate Cloud, Qdrant Cloud, and pgvector** — for doany.ai's skill retrieval pipeline against four hard requirements: P99 latency <50ms, hybrid search, SOC 2 Type II compliance, and total cost <$2,500/month. After cross-referencing benchmark, pricing, and security data, **two vendors are eliminated on hard requirements** (Qdrant fails compliance; pgvector fails latency) and **Pinecone emerges as the primary recommendation**, with Weaviate Cloud Enterprise as a conditional secondary option pending resolution of open items. Seven material data gaps remain and are documented in full below.

## 1. Decision Context

doany.ai requires a vector database to power its production skill retrieval pipeline. The system currently indexes **~50,000 skill embeddings** (1536-dimensional, OpenAI text-embedding-ada-002) and serves hybrid keyword + semantic queries at **~200 QPS peak** [README.md]. Over the next 12 months, the system is projected to grow to **~200,000 vectors** at **~400 QPS peak** [pricing-summary.md].

### 1.1 Hard Requirements

| # | Requirement | Source |
|---|-------------|--------|
| R1 | P99 query latency < 50ms at 200 QPS (hybrid search) | README.md |
| R2 | Hybrid search: vector + keyword filtering | README.md |
| R3 | SOC 2 Type II certification or equivalent | README.md; Policy SEC-017 |
| R4 | Total cost < $2,500/month at projected 12-month scale | README.md |

## 2. Vendor-by-Vendor Assessment

### 2.1 Performance Assessment

All benchmarks were conducted in AWS us-east-1 on a 50K-vector test set using 500 queries sampled from production skill-search logs [benchmark-notes.md]. Self-hosted tests ran on r6i.xlarge (4 vCPU, 32 GB RAM).

#### Hybrid Search Latency (the binding constraint)

| Vendor | P50 (ms) | P95 (ms) | P99 (ms) | Meets R1 (<50ms)? |
|--------|----------|----------|----------|--------------------|
| **Pinecone** (s1 pod) | 12 | 24 | **31** | **Yes** |
| **Qdrant Cloud** (1 node) | 11 | 25 | **34** | **Yes** |
| **Weaviate Cloud** (sandbox) | 14 | 32 | **44** | **Yes** (marginal) |
| **pgvector** (HNSW) | 28 | 68 | **112** | **No — 2.2x over limit** |

[Source: benchmark-notes.md, "Latency — Hybrid Search" table]

**pgvector fails R1.** At P99 = 112ms, it exceeds the 50ms requirement by more than double. The benchmark notes attribute this to the PostgreSQL query planner sometimes choosing a sequential scan over the combined GIN + HNSW indexes [benchmark-notes.md, Observation #2]. This is a structural limitation rather than a tuning issue.

**Weaviate's 44ms is marginal.** It consumes 88% of the 50ms budget, leaving only 6ms of headroom and no margin for production variability. It was also measured on the **sandbox tier**, not the production tier the team would actually deploy [benchmark-notes.md, Observation #3].

#### Throughput

| Vendor | Avg QPS | Errors | Meets 200 QPS? |
|--------|---------|--------|-----------------|
| **Pinecone** | 340 | 0 | **Yes** (1.7x headroom) |
| **Qdrant Cloud** | 290 | 0 | **Yes** (1.45x headroom) |
| **Weaviate Cloud** (sandbox) | 195 | 3 timeouts | **Marginal** (0.975x) |
| **pgvector** | 145 | 0 | **No** |

[Source: benchmark-notes.md, "Throughput" table]

Weaviate's sandbox-tier throughput of 195 QPS falls **below** the 200 QPS requirement. Three timeout errors were recorded during the 5-minute sustained load test. Production-tier throughput was not benchmarked [benchmark-notes.md, Observation #3].

pgvector's 145 QPS is limited by the Postgres connection pool (max_connections=100) and is insufficient at current scale, let alone the projected 400 QPS [benchmark-notes.md].

#### Recall Quality

| Vendor | Recall@10 |
|--------|-----------|
| **Pinecone** | **0.97** |
| **Qdrant** | 0.96 |
| **Weaviate** | 0.95 |
| **pgvector** (HNSW) | 0.94 |

[Source: benchmark-notes.md, "Recall@10" table]

All vendors deliver acceptable recall. Pinecone leads at 0.97 under default settings. The delta between vendors is small (3 percentage points across the range).

### 2.2 Pricing Assessment

All pricing data sourced from [pricing-summary.md].

#### Current Scale (50K vectors, 200 QPS)

| Vendor | Configuration | Monthly Cost |
|--------|--------------|-------------|
| **Qdrant Cloud** | Starter, 1 node | **$65** |
| **Pinecone** | Standard, s1, 1 pod | **$70** |
| **Pinecone** | Standard, s1, 2 pods (HA) | $140 |
| **Weaviate Cloud** | Standard tier | $135 |
| **pgvector** | r6i.xlarge (compute only) | $185 + ops labor |
| **Weaviate Cloud** | Enterprise tier | $295 |

#### Projected 12-Month Scale (200K vectors, 400 QPS)

| Vendor | Configuration | Projected Monthly Cost | Meets R4 (<$2,500)? |
|--------|--------------|----------------------|----------------------|
| **Pinecone** | s1, 2 replicas | **$140** | **Yes** |
| **Weaviate Cloud** | Standard, scale-up | ~$270 (estimate) | **Yes** |
| **Qdrant Cloud** | Production, 16 GB, 3 nodes | ~$310 | **Yes** |
| **Pinecone** | p1, 2 replicas (higher perf) | $350 | **Yes** |
| **pgvector** | RDS multi-AZ | ~$420 + uncosted ops labor | **Yes** |
| **Weaviate Cloud** | Enterprise tier | ~$450 (estimate) | **Yes** |

All vendors fall well within the $2,500/month budget. **Pinecone s1 is the most cost-efficient option at projected scale** ($140/month), and notably its cost remains flat when scaling from 50K to 200K vectors because the s1 pod supports up to 1M vectors [pricing-summary.md].

**Hidden cost alert — pgvector**: The $420/month figure excludes **4-6 hours/month of SRE labor** for patching, monitoring, failover, and index rebuilds. With the SRE team at 3 headcount and no dedicated DBA, this is a material uncosted burden [pricing-summary.md, Note #3].

### 2.3 Security & Compliance Assessment

All security data sourced from [security-review.md], reviewed by Jamie Park (InfoSec Lead) against doany.ai Vendor Security Checklist v2.1.

| Criteria | Pinecone | Weaviate Cloud | Qdrant Cloud | pgvector |
|----------|----------|---------------|-------------|----------|
| **SOC 2 Type II** | **Yes** | **Yes** | **No** (in progress, expected Q3 2026) | N/A (our responsibility) |
| **InfoSec Risk Rating** | **LOW** | MEDIUM | **HIGH** | MEDIUM |
| Encryption at rest | AES-256 | AES-256 | AES-256 | Configurable |
| RBAC | API key scoping | OIDC roles (Enterprise) | API key only | PostgreSQL native |
| Audit logging | Yes (90-day) | Enterprise only | **Not available** | pgAudit (self-configured) |
| Backup RTO | < 1 hour | < 4 hours | Snapshot-dependent | Our responsibility |
| Pen test report | Available (NDA) | Available (NDA) | **Not available** | N/A |

[Source: security-review.md, "Summary Scorecard" and "Detailed Findings"]

**Qdrant fails R3.** SOC 2 Type II is not yet achieved, with completion expected Q3 2026. Per doany.ai's compliance Policy SEC-017, this is a **hard blocker** for any customer-facing workload [security-review.md, Qdrant section]. Additionally, Qdrant lacks audit logging, granular RBAC, and a penetration test report — compounding the compliance gap.

**Weaviate's compliance posture is tier-dependent.** On the Standard tier, there is no audit logging, which fails Checklist item 4.3 [security-review.md]. The Enterprise tier addresses this but introduces a ~$450/month projected cost and an annual commitment. Multi-tenancy isolation documentation is still pending from Weaviate's security team (expected 2026-04-12) [security-review.md, Open Item #1].

**pgvector's security is viable but operationally contingent.** PostgreSQL's mature security model (row-level security, pgAudit, SCRAM-SHA-256) is strong, but requires the SRE team to commit to a <7-day patch cadence — the current cadence is ~14 days. This commitment **has not been secured** from the engineering manager [security-review.md, pgvector section].

**Pinecone** carries the lowest third-party risk per InfoSec's assessment. The key concern is the absence of customer-managed encryption keys (CMEK) and vendor lock-in from a proprietary API [security-review.md, Pinecone section].

## 3. Elimination Analysis

| Vendor | R1: Latency <50ms | R2: Hybrid Search | R3: SOC 2 Type II | R4: Cost <$2,500/mo | Result |
|--------|-------------------|-------------------|-------------------|---------------------|--------|
| **Pinecone** | **31ms — Pass** | Native metadata filtering | **Certified** | **$140-350/mo — Pass** | **Eligible** |
| **Weaviate** | 44ms — Marginal* | BM25 + vector fusion | **Certified** | ~$270-450/mo — Pass | **Conditionally Eligible** |
| **Qdrant** | 34ms — Pass | Payload filtering | **Not certified — FAIL** | ~$310/mo — Pass | **Eliminated** |
| **pgvector** | **112ms — FAIL** | GIN + HNSW (unreliable) | N/A (self-managed) | ~$420/mo + ops — Pass | **Eliminated** |

*Weaviate's 44ms was measured on sandbox tier; production performance is unknown.

**Qdrant and pgvector are eliminated on hard requirements.** Qdrant fails R3 (compliance). pgvector fails R1 (latency). Neither can be recommended for production deployment today.

## 4. Comparative Assessment: Pinecone vs. Weaviate

With two vendors remaining, the comparison narrows:

| Dimension | Pinecone (s1, 2 replicas) | Weaviate Cloud (Enterprise) |
|-----------|--------------------------|----------------------------|
| Hybrid P99 latency | **31ms** (37% below limit) | 44ms (12% below limit)* |
| Throughput headroom | **340 QPS** (70% above 200 QPS) | 195 QPS (below 200 QPS)* |
| Recall@10 | **0.97** | 0.95 |
| 12-month projected cost | **$140/mo** | ~$450/mo (estimate) |
| SOC 2 Type II | **Yes** | Yes |
| InfoSec risk rating | **Low** | Medium |
| Audit logging | **Yes (included)** | Enterprise tier only |
| Backup RTO | **< 1 hour** | < 4 hours |
| Vendor lock-in risk | **High** (proprietary API) | Low (open-source core) |
| CMEK | Not available | Not available |
| DPA status | **Signed** | Draft received |
| Self-host fallback | No | **Yes** |

*Weaviate figures are from sandbox tier testing; production-tier performance is unknown.

**Pinecone leads in 9 of 12 dimensions.** Weaviate's advantages are strategic (open-source fallback, lower lock-in risk) rather than operational. However, Weaviate's benchmark data has a critical gap: all performance numbers come from sandbox-tier testing, not production infrastructure [benchmark-notes.md, Observation #3].

## 5. Recommendation

### Primary Recommendation: Pinecone (Standard, s1 pod, 2 replicas for HA)

**Rationale:**

1. **Performance**: Lowest hybrid search P99 at 31ms, with 37% headroom below the 50ms requirement [benchmark-notes.md]. Highest throughput at 340 QPS, providing 70% headroom above the 200 QPS target.
2. **Cost efficiency**: Projected at $140/month at 12-month scale — the lowest among all HA-capable configurations, and flat pricing up to 1M vectors [pricing-summary.md].
3. **Security posture**: Only vendor rated LOW risk by InfoSec. SOC 2 Type II certified, audit logging included, DPA already signed [security-review.md].
4. **Operational burden**: Fully managed. No SRE time required for patching, index rebuilds, or failover management.

**Known trade-offs to accept:**

- **Vendor lock-in**: Proprietary API with no standard export format. Migration would require re-indexing from source embeddings [security-review.md]. *Mitigation*: Maintain source embeddings in a separate store (e.g., S3) to preserve re-indexing capability.
- **No CMEK**: Data encrypted with Pinecone-managed keys only. CMEK roadmap inquiry has been submitted but not answered [security-review.md, Open Item #4].
- **SSO limitation**: Standard plan uses shared API keys with no per-user attribution. SSO requires Enterprise plan [security-review.md].
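The lock-in mitigation in the first trade-off above (keep the source embeddings in a separate store so the index can be rebuilt elsewhere) in working form, as an added example that is not part of this memo or of any vendor's SDK. It assumes a JSONL record layout and an object key `embeddings/skills-ada002-v1.jsonl`, both constructed for illustration; an in-memory dict stands in for the S3 bucket and another for the replacement index, and the target vendor's API is reached only through an `upsert` callable supplied by the caller.

```python
"""Vendor-neutral archive of source embeddings, with replay into any index.

Added example, not doany.ai code. Each record carries the skill id, the
embedding model name, the vector, its metadata and a SHA-256 digest of the
vector, so a re-index against a new vendor can verify what it is loading.
ARCHIVE_KEY and the sample skills are constructed assumptions.
"""
import hashlib
import json
import random
from typing import Callable, Dict, Iterable, Iterator, List

ARCHIVE_KEY = "embeddings/skills-ada002-v1.jsonl"   # hypothetical object key
EMBEDDING_MODEL = "text-embedding-ada-002"            # model named in the memo
DIMENSIONS = 1536                                     # ada-002 output width


def _digest(vector: List[float]) -> str:
    # Hash the canonical JSON form of the vector so a truncated or corrupted
    # archive record is caught before it reaches the new index.
    payload = json.dumps(vector, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def make_record(skill_id: str, vector: List[float], metadata: Dict[str, str]) -> dict:
    """Build one archive record; rejects vectors of the wrong width."""
    if len(vector) != DIMENSIONS:
        raise ValueError(f"{skill_id}: expected {DIMENSIONS} dims, got {len(vector)}")
    return {"id": skill_id, "model": EMBEDDING_MODEL, "metadata": metadata,
            "vector": vector, "sha256": _digest(vector)}


def write_archive(store: Dict[str, str], key: str, records: Iterable[dict]) -> int:
    """Serialise records as JSONL into the (stand-in) object store."""
    lines = [json.dumps(r, separators=(",", ":")) for r in records]
    store[key] = "\n".join(lines) + "\n"
    return len(lines)


def read_archive(store: Dict[str, str], key: str) -> Iterator[dict]:
    """Yield verified records; a model mismatch or digest failure aborts the replay."""
    for lineno, line in enumerate(store[key].splitlines(), start=1):
        rec = json.loads(line)
        if rec["model"] != EMBEDDING_MODEL or len(rec["vector"]) != DIMENSIONS:
            raise ValueError(f"line {lineno}: not a {EMBEDDING_MODEL}/{DIMENSIONS}d record")
        if _digest(rec["vector"]) != rec["sha256"]:
            raise ValueError(f"line {lineno}: vector digest mismatch for {rec['id']}")
        yield rec


def reindex(store: Dict[str, str], key: str,
            upsert: Callable[[List[dict]], None], batch_size: int = 100) -> int:
    """Replay the archive into a target index through its upsert callable."""
    batch: List[dict] = []
    sent = 0
    for rec in read_archive(store, key):
        batch.append(rec)
        if len(batch) == batch_size:
            upsert(batch)
            sent += len(batch)
            batch = []
    if batch:
        upsert(batch)
        sent += len(batch)
    return sent


def sample_records(n: int = 3) -> List[dict]:
    """Constructed sample: deterministic pseudo-embeddings for n skills."""
    rng = random.Random(2026)
    return [make_record(f"skill-{i}",
                        [round(rng.uniform(-1.0, 1.0), 6) for _ in range(DIMENSIONS)],
                        {"name": f"Sample skill {i}", "category": "constructed"})
            for i in range(n)]


def demo() -> int:
    """Archive three skills, then rebuild a dict-backed index from the archive."""
    bucket: Dict[str, str] = {}                # stands in for the S3 bucket
    write_archive(bucket, ARCHIVE_KEY, sample_records())
    target_index: Dict[str, dict] = {}         # stands in for the replacement vector DB

    def upsert(batch: List[dict]) -> None:     # adapter for the target vendor's API
        for rec in batch:
            target_index[rec["id"]] = {"values": rec["vector"], "metadata": rec["metadata"]}

    sent = reindex(bucket, ARCHIVE_KEY, upsert, batch_size=2)
    assert len(target_index) == sent
    return sent


def detects_tampering() -> bool:
    """Self-check: a vector altered after archiving must fail verification."""
    recs = sample_records(2)
    recs[1]["vector"][0] = 9.0                 # corrupt one value after the digest was taken
    bucket: Dict[str, str] = {}
    write_archive(bucket, ARCHIVE_KEY, recs)
    try:
        list(read_archive(bucket, ARCHIVE_KEY))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo(), detects_tampering())
```

The point of the layout is that nothing in the archive is vendor-specific: the only code that changes when the target index changes is the `upsert` adapter, and the model name plus per-record digest let the replay refuse an archive produced by a different embedding model or damaged in storage.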

### Secondary Option: Weaviate Cloud (Enterprise tier)

Weaviate is a viable alternative **if and only if** the following conditions are met:

1. Production-tier benchmarks confirm P99 <50ms and throughput >200 QPS at projected scale
2. Multi-tenancy architecture whitepaper is reviewed and approved by InfoSec (expected 2026-04-12)
3. Formal Enterprise pricing is received and falls within budget (quote expected from Dana M. by 2026-04-15)
4. Egress pricing is confirmed in writing as included in plan pricing

Weaviate's strategic advantage is the open-source core, which provides a self-hosting fallback and reduces long-term vendor dependency. If lock-in risk is the team's primary concern, Weaviate Enterprise is worth the additional investment — but only once the data gaps above are closed.

## 6. Material Data Gaps

The following gaps could materially affect this recommendation. Each is flagged with its source, expected resolution date, and impact.

| # | Gap | Source | Expected Resolution | Impact on Decision |
|---|-----|--------|--------------------|--------------------|
| **G1** | Weaviate production-tier benchmarks not conducted (sandbox only) | benchmark-notes.md, Observation #3 | Not scheduled | **High** — Cannot validate Weaviate meets R1/R2 at production tier |
| **G2** | No concurrent write + read testing for any vendor | benchmark-notes.md, Observation #5 | Not scheduled | **Medium** — Write-heavy scenarios during index updates could degrade query latency |
| **G3** | Weaviate Enterprise formal pricing quote pending | pricing-summary.md, Note #2 | 2026-04-15 (Dana M.) | **Medium** — Informal estimate only; actual cost could differ |
| **G4** | pgvector SRE ops labor not costed | pricing-summary.md, Note #3 | Not scheduled | **Low** (pgvector eliminated on R1) |
| **G5** | Weaviate multi-tenancy architecture documentation pending | security-review.md, Open Item #1 | 2026-04-12 | **High** — Could change Weaviate's risk rating |
| **G6** | Weaviate and Qdrant egress pricing: verbal "included" but no written confirmation | pricing-summary.md, Note #5 | Not scheduled | **Low** for Pinecone decision; **Medium** if pursuing Weaviate |
| **G7** | Pinecone CMEK roadmap: inquiry submitted, no response | security-review.md, Open Item #4 | Unknown | **Low** — Not a blocker today, but relevant for future compliance requirements |

## 7. Recommended Next Steps

| Priority | Action | Owner | By When |
|----------|--------|-------|---------|
| **P0** | Approve Pinecone (s1, 2 replicas) as primary vendor selection | Architecture Review Board | 2026-04-11 |
| **P0** | Complete Pinecone DPA execution (already signed) and begin integration planning | Engineering | 2026-04-18 |
| **P1** | Maintain source embeddings in S3 or equivalent to mitigate vendor lock-in | Engineering | Ongoing |
| **P1** | Follow up on Pinecone CMEK roadmap response | InfoSec (Jamie Park) | 2026-04-18 |
| **P2** | Receive and review Weaviate multi-tenancy whitepaper (expected 2026-04-12) as diligence for future re-evaluation | InfoSec | 2026-04-14 |
| **P2** | Receive Weaviate Enterprise formal quote (expected 2026-04-15) and file for reference | Alex Chen | 2026-04-16 |
| **P3** | Re-evaluate Qdrant after SOC 2 Type II completion (expected Q3 2026) if vendor diversification becomes a goal | InfoSec | Q4 2026 |

## 8. References

[1] Alex Chen. Vector DB Benchmark Notes[R]. doany.ai Internal, 2026-04-03. (benchmark-notes.md)

[2] Alex Chen. Vector DB Pricing Summary[R]. doany.ai Internal, 2026-04-05. (pricing-summary.md)

[3] Jamie Park, InfoSec Team. Vector DB Security Review — Excerpts[R]. doany.ai Internal, 2026-04-07. (security-review.md)

[4] doany.ai. Vendor Security Checklist v2.1[S]. Internal Policy.

[5] doany.ai. Security Policy SEC-017: SOC 2 Compliance Requirements for Customer-Facing Workloads[S]. Internal Policy.
