StavrynSTAVRYN
Security & data handling

Your data never leaves the building.

Stavryn runs entirely on hardware you own, inside your own network. No prompts, no documents, and no model outputs are sent to a third party. The system is built to be airtight, and to prove it.

Get early accessHow it works
The core guarantee

No egress. Nothing phones home.

The model weights, the inference, the retrieval over your documents, and the logs all sit on your premises. There is no external API call in the path of a query, because there is no external provider in the architecture. That single fact is what makes the rest of the compliance story simple.

How it is isolated

Controls, top to bottom.

The short version
  • The model and your data run on hardware you own — nothing is sent to a third party.
  • No telemetry: the system does not phone home, and there is no external API in the path of a query.
  • Optional full air-gap, encryption at rest, SSO access control, and audit logging on every request.
  • Compliance posture mapped to HIPAA and CMMC, handled as part of the build.
On-premise weights
The model runs from local GPUs. Weights live on your storage. Nothing is streamed from a vendor at inference time.
Network isolation
The stack runs on an isolated subnet. For sensitive deployments it can be fully air-gapped, with no route to the public internet at all.
No telemetry
We strip the phone-home behavior out of every component. The system does not report usage, prompts, or errors to anyone, including us, unless you ask it to.
Access control
Least-privilege accounts, SSO against your identity provider, and per-team keys through the gateway. People see only what they should.
Encryption at rest
Disks holding your documents, vectors, and logs are encrypted. Backups, if you want them, stay inside your control.
Audit logging
Every request is traceable on a local Langfuse dashboard, prompts, outputs, latency, and cost, for review and for your auditors.
What we do not do

The short list that matters most.

NO

No third-party API calls

Your prompts and documents are never sent to OpenAI, Anthropic, Google, or anyone else. There is no such call to make.

NO

No training on your data, off-site

Fine-tuning happens on your hardware. Your data is never pooled, shared, or used to train anyone else's model.

NO

No silent updates that change exposure

The system does not auto-pull from the cloud. Updates are deliberate, tested, and applied under your maintenance contract.

Compliance posture

Mapped to the frameworks you answer to.

Because the data never leaves your control, most of the hardest questions in a compliance review answer themselves. We handle the posture as part of the build.

HIPAA
PHI stays inside the practice. No disclosure to a third party means no business-associate gymnastics in the AI path. HIPAA & private AI
CMMC
CUI stays inside your enclave, air-gapped where required, with access control and audit aligned to Level 2 practices. CMMC & private AI
Finance & legal
Client, position, and privileged data stay on your side of the wall, under your retention and access rules. Finance · Legal
Get early accessFind your fit