Security isn’t a setting.
It’s the architecture.
On-premise, sovereign EU cloud or air-gapped — your data never leaves your network, and is never used to train a model.
Three guarantees, enforced by design.
Not a policy you have to trust — properties of where and how Diana runs.
Nothing leaves your walls
Diana and its agents run on infrastructure you control and make no external call in normal use. Zero data egress — no path off your network.
Never trained on
Your documents and conversations are never used to train a model — ours or anyone’s. The one promise we will never break.
You hold everything
Your hardware, your keys, your audit log. Diana has zero standing access — management never touches your content.
Your data never crosses the boundary.
Diana, your documents and your keys all live inside a perimeter you define. Nothing is sent to a third party, because there is no third party in the data path — and no sub-processor to assess.
You choose the boundary.
Three sovereign deployments — each keeps your data on infrastructure you control. The only question is how strict.
Sovereign EU Cloud
A dedicated private server in a European data centre (OVHcloud, Hetzner or Scaleway). EU data residency, no shared tenancy, GDPR-compliant by architecture.
Sovereign On-Premise
A pre-configured appliance on your own network. Your data never leaves the building; we manage it over an isolated channel with zero access to your data.
Air-Gapped
No external network connection of any kind. Diana ships pre-loaded; data physically cannot leave under any circumstances.
Where the architecture makes the difference.
The same task, two very different risk surfaces — this is what changes when the AI runs inside your perimeter instead of someone else’s cloud.
| Dimension | Public-cloud AI | Diana |
|---|---|---|
| Where data is processed | The provider’s cloud | Your perimeter — on-premise, sovereign EU cloud, or air-gapped |
| Data egress | Leaves your network | None in normal use |
| Trained on your data | Possible unless contractually excluded | Never |
| Sub-processors | The provider and its chain | None |
| Jurisdiction | The provider’s — including foreign law | EU — yours |
| Auditability | Limited to what the provider exposes | Full — tamper-evident Audit Stream |
Built for the rulebook you answer to.
Diana doesn’t just claim compliance — it removes the risk surface that creates the work in the first place.
| Regulation | What it covers | How Diana addresses it | Focus areas |
|---|---|---|---|
| GDPR | Data protection & cross-border transfer. | Data stays inside your network boundary — so there is no transfer to assess and no sub-processor chain to vet. Erasure is in your hands. |
|
| DORA | ICT risk for financial entities. | Run Diana on your own infrastructure and your AI stops being a critical ICT third party. Your exit plan is built in — the appliance is yours. |
|
| NIS2 | Cyber-resilience for essential entities. | The Audit Stream gives a tamper-evident record for reporting timelines, and there is no external dependency in the data path to widen your attack surface. |
|
| EU AI Act | Governance of AI systems. | A system you can govern, document and keep inside the EU. You control where it runs and what it can touch — nothing is processed on infrastructure you cannot audit. |
|
Least privilege, end to end.
Granular access control
Granted and revoked at the project, folder and file level, with inheritance — people see only what they should, and you can prove it.
You supply the key
The encryption key is customer-supplied and never leaves your environment. Automated rotation is on the roadmap.
Zero standing access
Diana staff cannot see your data. Remote management runs over an isolated channel that never touches your content.
Encrypted in transit & at rest
Document content is encrypted at rest with a key you supply, behind TLS 1.3 termination — inside a boundary only you control.
Every action, logged where the work lives.
The Audit Stream is a tamper-evident, time-stamped record of every read, edit, export and share — by people and by agents alike. It’s how you evidence DORA and NIS2 reporting, satisfy a GDPR access request, and answer “who touched this, and when?” without a ticket.
No sub-processors. No egress. No surprises.
No sub-processors
Because your data never leaves your environment, no third party ever processes it. There is no sub-processor list to assess — there is no sub-processor.
Nothing retained you don’t control
Diana keeps only what your workspace keeps. Stop using it and the data was always yours — keep it, wipe it, or return the appliance.
No training, ever
Your documents and conversations are never used to train a model — ours or anyone else’s. The one promise we will never break.
The questions you’ll be asked.
Put it to
the test.
Review the architecture, run a pilot on your own infrastructure, and let your security team audit every control. Trust you can verify — not take on faith.