Trust & compliance

Trust is engineered,
then documented.

Lucrion designs for regulated environments from the architecture phase: data sovereignty, isolation, identity, and audit applied at every layer, documented so it can withstand external review rather than just internal policy.

We are honest about what is not yet in place. Lucrion is pre-launch and holds no security certification today; the certification clock starts at company formation. Until then, this page documents the engineering posture we apply, not a certificate we do not hold.

Engineering pillars

Data Sovereignty

Inference and storage run on hardware you own, inside your perimeter. No prompts, documents, or embeddings leave your network unless you explicitly route them out.

Network Isolation

Segmented networks, a hardened ingress, and air-gap-capable designs for the most sensitive environments. Every boundary is authenticated; nothing is implicitly trusted.

Identity & Access

Keycloak and FreeIPA integrated with your existing directory, so access follows the roles your organisation already manages, and every grant is recorded.

Audit by Design

Queries, retrieved sources, and answers are logged so activity can be reconstructed under regulated review. Audit is a design input, not an afterthought.

Backup & Restore

Encrypted backup with a restore that is witnessed together before handover, because a backup you have never restored is a hope, not a control.

Supply-Chain Hygiene

Open-source and open-weights components, pinned and verified, with signed builds and a software bill of materials (SBOM) so you can see what is running and where it came from.

What we design around

We design systems to support your compliance work under the frameworks below. We do not certify you, and we do not claim a system is "compliant" on your behalf. That is a determination you and your advisers make. What we provide is engineering that makes the case defensible.

Framework Scope What Lucrion does to support it
EU AI Act AI systems in the EU Logging, transparency, and human-oversight hooks designed in, with documented data governance for the system's lifecycle.
GDPR Personal data, EU-wide On-premise processing keeps data within your perimeter; we map residency, lawful-basis boundaries, and third-party transfer avoidance.
DORA Financial entities ICT-resilience-oriented design: high availability, tested restore, and the audit trail an operational-resilience review expects.
NIS2 Critical infrastructure Segmentation, access control, monitoring, and incident-response hooks aligned to a cyber-risk-management posture.
MDR / IVDR Medical devices (conditional) Where AI sits near a regulated device, we document data flows and controls to support your conformity work. We are not a notified body.
MiFID II Investment firms (conditional) Record-keeping and traceability of model inputs and outputs to support the retention obligations relevant to your use case.
DSG Austrian data protection Designed in line with the Austrian Datenschutzgesetz as it sits alongside GDPR for Austrian-domiciled processing.
Schrems II EU to US data transfer On-premise, EU-resident processing removes the transfer question entirely. There is no US cloud leg to assess.

What we do not claim

  • No certifications today. We hold no ISO 27001, SOC 2, or equivalent certificate yet. The certification clock starts at company formation.
  • No customer logos. We are pre-launch and will not display references we do not have.
  • No proven-at-scale claims. Our reference deployment runs an associated venture's workload, not a fleet of customers.

We will publish the Information Security overview at company formation. Until then, this page documents the engineering posture we apply.

Get Started

Your data. Your infrastructure. Your control.

Start with a Readiness Assessment, a fixed-scope engagement to decide whether on-premise AI makes sense for your organisation, before any hardware is procured.

We answer within two business days, in English or German.