Trust & compliance
Trust is engineered,
then documented.
Lucrion designs for regulated environments from the architecture phase: data sovereignty, isolation, identity, and audit applied at every layer, documented so it can withstand external review rather than just internal policy.
We are honest about what is not yet in place. Lucrion is pre-launch and holds no security certification today; the certification clock starts at company formation. Until then, this page documents the engineering posture we apply, not a certificate we do not hold.
Engineering pillars
Data Sovereignty
Inference and storage run on hardware you own, inside your perimeter. No prompts, documents, or embeddings leave your network unless you explicitly route them out.
Network Isolation
Segmented networks, a hardened ingress, and air-gap-capable designs for the most sensitive environments. Every boundary is authenticated; nothing is implicitly trusted.
Identity & Access
Keycloak and FreeIPA integrated with your existing directory, so access follows the roles your organisation already manages, and every grant is recorded.
Audit by Design
Queries, retrieved sources, and answers are logged so activity can be reconstructed under regulated review. Audit is a design input, not an afterthought.
Backup & Restore
Encrypted backup with a restore that is witnessed together before handover, because a backup you have never restored is a hope, not a control.
Supply-Chain Hygiene
Open-source and open-weights components, pinned and verified, with signed builds and a software bill of materials (SBOM) so you can see what is running and where it came from.
What we design around
We design systems to support your compliance work under the frameworks below. We do not certify you, and we do not claim a system is "compliant" on your behalf. That is a determination you and your advisers make. What we provide is engineering that makes the case defensible.
What we do not claim
- No certifications today. We hold no ISO 27001, SOC 2, or equivalent certificate yet. The certification clock starts at company formation.
- No customer logos. We are pre-launch and will not display references we do not have.
- No proven-at-scale claims. Our reference deployment runs an associated venture's workload, not a fleet of customers.
We will publish the Information Security overview at company formation. Until then, this page documents the engineering posture we apply.
Your data. Your infrastructure. Your control.
Start with a Readiness Assessment, a fixed-scope engagement to decide whether on-premise AI makes sense for your organisation, before any hardware is procured.