Usually in the observability space it is primarily based on the volume of data and sometimes seat count. Especially if it’s freemium like elastic where users can get an idea of volume by running a POC of the free version. Companies do this because of small teams who deploy large infra that would make contracts unprofitable
I have been using cheogram but I’m not sure where their servers are hosted https://cheogram.com/
It’s possible it could be a local firewall that is reaching out to their cloud for lists of bad IP addresses or domains or a local firewall that is configured from a cloud interface. The other case is it could be web application firewall or WAF which where a company intercepts traffic, drops malicious requests and forwards it to your actual web server