Update Due to Comment The application needs to reside on the customers's server because there is a lot of communication between this application and other applications on the customer's server (in parent frames). If hosted on our server, it would be blocked due to browser security. There are options to get around this, but by having it on the customer's server, it removed a point of failure that is a common issue for similar applications.
Is there a better way to retain the ability to provide updates to the application without going through the customer?
Per this question : Is there a better way to retain the ability to provide updates to the application without going through the customer?
Could you not create a webservice on your server that provides JSON to the client's (Client being the other company, not an end user ) side that constructs whatever objects you need? That way you can update your webservice "whenever" and as long as you build the constructing js extensible enough, you can just pass object specifications to it remotely