AiSOC runs where you do.
Sovereign by default.
Deploy the same MIT-licensed agent loop into an air-gapped network, an on-prem Kubernetes cluster, your VPC on any major cloud, or a sovereign-cloud region. Pick the LLM trust boundary that fits your policy — including a fully local one — and pin data residency to a specific region.
Four control points, in your hands
Set AISOC_AIRGAPPED=true and the platform refuses to make outbound calls — no LLM provider, no threat-intel feed, no telemetry. The Ollama overlay ships a pinned local model so the demo seed runs end-to-end with zero external calls.
docker-compose.airgap.yml
Per-tenant LLM credentials live in the encrypted vault (Fernet AES-128-CBC + HMAC-SHA256). Point a tenant at OpenAI, Anthropic, an Azure deployment, a Bedrock model, or a private LiteLLM gateway — the agent loop is identical.
BYOK + tenant LLM credential vault
A single Helm release deploys every service into your cluster; Terraform modules cover AWS EKS, GCP Cloud Run, and a generic BYOC blueprint. Bring your own VPC, KMS, and IAM — the modules consume them rather than reinventing them.
infra/helm/aisoc · infra/terraform/{aws,gcp,byoc}
Because the entire stack runs in your account, residency is decided by which region you provision into. Pin to eu-west-1, ap-south-1, us-east-2, or any other region your provider exposes — including sovereign-cloud regions.
Operator-controlled provisioning
Deployment matrix
One platform, five deployment modes. Every row maps to a shipping artefact in the repo — no special edition, no enterprise binary, no closed components.
| Mode | LLM trust boundary | Data residency | Compliance posture | Shipping artefact |
|---|---|---|---|---|
| Air-gapped | Local Ollama sidecar | Operator-defined | SOC 2 · ISO 27001 · GDPR · DPDP | docker-compose.airgap.yml |
| On-prem | Local Ollama or BYO endpoint | Operator-defined | SOC 2 · ISO 27001 · GDPR · DPDP | Helm chart (infra/helm/aisoc) |
| Hybrid | Cloud APIs · Ollama · BYO | EU · US · India · Custom | SOC 2 · ISO 27001 · GDPR · DPDP | Terraform (infra/terraform/byoc) |
| Public cloud | Cloud APIs · BYO endpoint | EU · US · India · Custom | SOC 2 · ISO 27001 · GDPR · DPDP | Terraform (infra/terraform/{aws,gcp}) |
| Managed SaaS (waitlist) | Cloud APIs (default) · BYO | EU · US · India | SOC 2 · GDPR (target) | tryaisoc.com |
Any cloud × any region
Because deployment is operator-controlled (Helm or Terraform into your account), the supported cloud / region pairs are the ones your provider supports — including sovereign-cloud regions.
| Cloud | US | EU | India | Singapore | Custom |
|---|---|---|---|---|---|
| AWS | | | | | |
| Azure | | | | | |
| GCP | | | | | |
| OCI | | | | | |
| DigitalOcean | | | | | |
| Hetzner | | | | | |
“Custom” covers sovereign-cloud regions (e.g. AWS GovCloud, Azure Germany, OVH, Scaleway, IBM Cloud) and on-prem Kubernetes clusters reachable from your operator network.
What ships in the repo
docker-compose.airgap.yml: Compose overlay that adds an Ollama sidecar with a pinned model and flips AISOC_AIRGAPPED=true on every service that calls an LLM.
infra/helm/aisoc/: Single Helm release for every backend service, the web console, and the realtime gateway. Production-shaped values for resource limits, secrets, and ingress.
infra/terraform/: AWS EKS, GCP Cloud Run, and a BYOC blueprint that consumes your VPC, KMS, and IAM rather than reinventing them.
services/api/app/services/credentials.py: Fernet AES-128-CBC + HMAC-SHA256. Per-tenant LLM credentials, connector secrets, and webhook tokens never leave the vault in plaintext.
services/agents/app/ledger/: Every prompt, tool call, evidence row, and decision the agent makes — durable and replayable. The auditor reads the events directly, not a vendor summary.
services/agents/tests/eval_data/: 200-incident substrate suite + 1,000-alert noisy stream. Reproducible locally, gated in CI on every PR. The benchmark page documents what each metric measures.
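Added example (not AiSOC's credentials.py, which this page does not show): a standard-library check of the public Fernet token layout behind "Fernet AES-128-CBC + HMAC-SHA256", authenticating a token with HMAC-SHA256 before any decryption is attempted. The function names, sample key and sample token are constructed for illustration; the ciphertext is placeholder bytes because the Python standard library has no AES.

```python
import base64
import hashlib
import hmac
import struct
import time

VERSION = 0x80  # the only version byte defined by the Fernet spec

def split_key(key_b64: bytes):
    """A Fernet key is 32 bytes: 16-byte signing key, then 16-byte AES-128 key."""
    raw = base64.urlsafe_b64decode(key_b64)
    if len(raw) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return raw[:16], raw[16:]

def check_token(key_b64: bytes, token: bytes, ttl=None, now=None):
    """Authenticate a token and return its header fields without decrypting.
    Raises ValueError on any structural, integrity or freshness failure."""
    signing_key, _ = split_key(key_b64)
    data = base64.urlsafe_b64decode(token)
    # version(1) + timestamp(8) + IV(16) + at least one AES block(16) + HMAC(32)
    if len(data) < 73 or data[0] != VERSION:
        raise ValueError("bad version or length")
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    # Encrypt-then-MAC: the tag covers version, timestamp, IV and ciphertext.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC mismatch: token tampered or wrong key")
    issued_at = struct.unpack(">Q", body[1:9])[0]
    iv, ciphertext = body[9:25], body[25:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not whole AES blocks")
    current = time.time() if now is None else now
    if ttl is not None and current > issued_at + ttl:
        raise ValueError("token expired")
    return {"issued_at": issued_at, "iv": iv, "ciphertext_len": len(ciphertext)}

def make_sample_token(key_b64: bytes, issued_at: int) -> bytes:
    """Constructed sample: real framing and HMAC, placeholder ciphertext bytes."""
    signing_key, _ = split_key(key_b64)
    body = bytes([VERSION]) + struct.pack(">Q", issued_at) + bytes(16) + b"\xaa" * 32
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))  # constructed, not a real key

if __name__ == "__main__":
    print(check_token(SAMPLE_KEY, make_sample_token(SAMPLE_KEY, 1_700_000_000)))
```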
Talk to us about sovereign deployment
Tell us the cloud, region, LLM trust boundary, and compliance regime you need to land. We'll point you at the right Helm values, Terraform module, or air-gap overlay — and stay on the line for the first deployment.