Skip to main content
Operayde
Talk to usGet a quote
Security

Designed by people who’ve sat across from regulators.

The architecture is the answer. Your prompts don’t leave your building, our control plane doesn’t see your data, and every request is Merkle-signed. What follows is how we get there.

Hardware trust

Every appliance ships with TPM-bound LUKS2 disk encryption, a sealed BIOS password, and a signed kernel. The bootloader refuses to load an unsigned initramfs; the root filesystem is verified on every boot.

OS hardening

Debian stable with minimal package footprint. Services run under dedicated users, confined by systemd (NoNewPrivileges, ProtectSystem=strict, MemoryDenyWriteExecute). Outbound egress is IP-filtered; inbound is through apache2 with mTLS from the gateway.

Identity & access

Tenant users sign in via their own IdP (OIDC). Operayde staff access is separated — we have no shared admin account, and every action is attributed to an individual engineer.

Policy & keys

Virtual API keys scope access by tenant, room, model family, and budget. Policy is authored centrally, signed, pushed to the fleet, and enforced on-appliance. There is no ‘god’ key.

Merkle-signed audit

Each appliance hashes every request and response into a daily Merkle tree, signs the head with its enrolment key, and ships heads-only to the central plane. Bodies stay local. You can verify any request offline.

Fleet updates

Updates are signed manifests with hash-pinned images. The appliance verifies before applying. Roll-forward and roll-back are both 15-minute operations from the operator portal.

Compliance

We meet the regulations before we claim the certifications.

GDPR
EU appliances and central-plane region are EU-only. No sub-processor outside the EU.
UAE PDPL
UAE region residency with an in-country central plane. Local support hours.
ISO 27001
Control mapping underway — target certification Q2'27.
SOC 2 Type II
Audit engagement begins Q1'27; evidence pipeline already in place.

Ready to put AI behind your own firewall?

Spend 20 minutes with one of our deployment engineers. We’ll walk through your workload, pick the right tier, and ship an appliance to your office within two weeks.

Security · Operayde