Built for the room that says no.
Zero egress by default
Source copybooks, generated schemas, and policy data never leave your network. The engine runs inside your VPC on your hardware. There is no outbound call to make — no SaaS backend, no third-party LLM, no analytics endpoint.
Local model, on-prem
Drafting runs on a local model (e.g. Gemma-class) on your own GPUs. No prompt, no field, no copybook fragment is ever sent to an external API. The model is shown only the deterministic AST — never your raw data in transit.
No telemetry, no logs that leave
No usage telemetry, no cookies on the engine, no prompt logs shipped off-box. What runs in your perimeter stays in your perimeter. Audit logs are written to your storage, under your retention policy.
Deterministic & reproducible
Same input, same output, every run — no temperature, no sampling drift. Every transformation is hashed (SHA-256 input and output). Your security team can re-run any receipt and confirm the hashes independently.
Two-model consensus, not blind trust
When a parity or structural gate fails, recovery requires two independent models to agree (≥0.95) before any output emits. No single model gets the last word, and nothing ships that hasn't passed every gate.
Solo-built is a control, not a risk
No sprawling vendor with a hundred sub-processors. A focused, air-gappable engine with a small, auditable surface is easier for your security team to reason about than a cloud platform you have to take on faith.
Want the air-gapped build for an internal security review? Request it here — we'll scope a deployment inside your perimeter. Your team can read the verification engine source and reproduce every receipt first.