SECURITY & DEPLOYMENT TRUST CENTER

Private by architecture, not by policy.

VDF AI runs enterprise agents where your data already lives — on-premises, in your private cloud, or fully air-gapped. Nothing depends on an external inference API. This is where your security, compliance, and procurement teams find how it works.

On-premises · Air-gapped · Private cloud / VPC · Bring-your-own models
  • 100% on-premises: deployment runs inside your data center, VPC, or air-gapped network
  • Zero data leaves your perimeter: prompts, documents, and embeddings stay under your control
  • Bring-your-own models and identity: your models, your SSO, your keys, your audit trail

Your Perimeter (customer-controlled boundary)

  • Identity / SSO: SAML · OIDC
  • RBAC: role-scoped access
  • Orchestration: multi-agent
  • Model Router: policy-enforced
  • Private RAG: your documents
  • Your Models: on your hardware
  • Egress to external model APIs: not required
  • Audit: every call logged to your SIEM
  • Keys: customer-managed (BYOK)
  • Region: pinned for residency

DEPLOYMENT MODELS

Deploy it where your data has to stay

Every model runs inside a boundary you control. Choose the isolation level your regulators, security team, and infrastructure require — the platform is the same.

Maximum isolation

Air-gapped

The full platform — orchestration, routing, retrieval, and models — runs on networks with no outbound internet access. Updates arrive through a controlled, offline artifact process.

  • No outbound connectivity required
  • Offline model and update delivery
  • Suited to defense, government, and OT/critical infrastructure

Most common

On-premises

Deployed on your own hardware in your data center. Data, models, and logs remain inside your infrastructure and identity boundary, governed by your existing controls.

  • Your hardware, your network zones
  • Integrates with existing IAM, SIEM, and secrets management
  • Full residency and sovereignty control

Cloud-native

Private cloud / VPC

Deployed into your own cloud tenancy (AWS, Azure, GCP, or sovereign cloud). You keep the account, the network policy, the encryption keys, and the data plane.

  • Single-tenant in your own account
  • Customer-managed keys (BYOK / KMS)
  • Region-pinned for data residency

THE CONTROL PLANE

The controls your security team expects

VDF AI plugs into the identity, logging, secrets, and network controls you already run — it does not ask you to trust a new external service.

01. Identity & SSO

Integrates with your existing identity provider over SAML or OIDC (Entra ID, Okta, Keycloak, LDAP). No separate user store to manage, no shadow accounts.

02. Role-based access control

Granular RBAC governs who can use which agents, models, tools, and data sources. Access to sensitive workflows and connectors is scoped by role, team, and environment.

03. Audit logging

Every prompt, tool call, retrieval, model route, and response is recorded with actor, timestamp, and context. Logs stream to your SIEM for retention and investigation.

04. Model governance

You control which models are approved, where they run, and which workloads may use them. The router enforces model policy per domain, sensitivity level, and residency requirement.

05. Private retrieval (RAG)

Retrieval runs against your own document stores and vector indexes inside your perimeter. Embeddings are generated locally; no content is sent to third-party APIs.

06. Network isolation

Deploys into segmented network zones with no dependency on external inference endpoints. Egress can be fully disabled for air-gapped and OT environments.

COMPLIANCE MAPPING

Mapped to the regulations you answer to

On-prem deployment is the most direct way to satisfy data-residency, sovereignty, and third-party-risk obligations. Here is how the architecture supports each framework.

Framework | How VDF AI supports it
EU AI Act | AI inventory, risk classification, human-oversight controls, and technical documentation generated from the governed workflow. See the AI Governance Framework resource.
GDPR | Data stays in-region and inside your perimeter; no processing by external model providers. Supports data-minimization, purpose limitation, and right-to-erasure workflows.
DORA | On-prem deployment removes third-party inference as an ICT concentration risk. Full audit trail and model governance support operational-resilience testing and reporting.
HIPAA | PHI never leaves the covered entity’s environment. Access controls, audit logs, and encryption support the Security Rule for AI-assisted clinical and administrative workflows.
NIS2 | Air-gapped and network-isolated deployment options for essential and important entities, with logging and access controls that map to incident-handling obligations.

This mapping describes how the platform’s architecture and controls support your compliance program. It is not legal advice; obligations depend on your deployment, jurisdiction, and use case.

SECURITY FAQ

Questions security teams ask first

Does any data ever leave our environment?

No. VDF AI is designed to run entirely inside your infrastructure — on-premises, in your private cloud tenancy, or fully air-gapped. Prompts, documents, embeddings, model weights, and logs remain inside your perimeter. There is no requirement to call an external inference API.

Can we use our own models?

Yes. VDF AI is model-agnostic and supports bring-your-own-models. You choose which open-weight or licensed models to run, where they run, and which workloads may use them. The router enforces your model policy per domain, sensitivity, and residency requirement.

How does VDF AI integrate with our identity and security stack?

Authentication uses your existing SSO over SAML or OIDC. Authorization is governed by role-based access control. Audit events stream to your SIEM. Secrets integrate with your existing vault, and encryption keys can be customer-managed.

What can you provide for our security and procurement review?

We provide a reference architecture, an RFP/evaluation checklist, deployment and network diagrams, a compliance mapping, and a security questionnaire response. We can also join a security architecture review with your team.

Do you support fully offline, air-gapped deployment?

Yes. The complete platform — orchestration, routing, retrieval, and models — can run with no outbound internet access. Updates and models are delivered through a controlled offline artifact process suited to defense, government, and OT networks.

Bring your security team to the table.

We will walk your architects, security, and compliance leads through the deployment model, data flow, controls, and compliance mapping for your environment — and answer your security questionnaire against a concrete reference architecture.