02. Security
Security & Data Sovereignty
Data does not leave your jurisdiction unless you explicitly configure it to. This is an architectural property of Clarvus AIOS — not a configuration default that can be changed by a vendor update.
The security posture described here reflects how Clarvus AIOS operates in production deployments at regulated financial institutions. Each property is verifiable and independently assessable.
1. Deployment Architecture
Four deployment models, one governance standard
Clarvus AIOS governance enforcement is identical across all deployment models. The REAPS enforcement architecture, policy layer, and audit trail operate the same way whether the system is on-premises, private cloud, air-gapped, or hybrid. Deployment model selection is a data residency and infrastructure decision — not a governance capability decision.
Clarvus AIOS deployed entirely within your own infrastructure. No data leaves your network. Model inference, governance enforcement, and audit storage all operate within your perimeter. Suitable for institutions with strict data localisation obligations.
Dedicated deployment in a private cloud environment. Resources are not shared across tenants. Data residency is configurable to specific cloud regions to meet jurisdictional requirements (India, EU, US).
Complete network isolation. Suitable for government, defence-adjacent, or highly sensitive BFSI deployments where any external network connectivity is prohibited. Governance and audit capabilities operate without external calls.
Workload split between on-premises and cloud. Sensitive inference and data processing on-premises; governance reporting and dashboards in cloud. Data classification policy determines which workloads transit which boundary.
2. Model Independence
Bring Your Own Model — no provider dependency
Clarvus AIOS separates governance from model selection. The REAPS enforcement layer sits between your institution's AI applications and the underlying language models, applying governance constraints regardless of which model is in use.
Bring Your Own Model (BYOM)
Deploy Clarvus AIOS governance enforcement over any LLM — Claude, GPT-4o, Gemini, Cohere, Mistral, or locally-hosted open-source models. REAPS constraints are applied to the model's output regardless of the underlying model provider.
Bring Your Own Language Model (BYOL)
Use locally-hosted language models without any data leaving your infrastructure. Clarvus AIOS governance stack applies uniformly to locally-hosted models. No external LLM API call is required if the institution's policy prohibits it.
No provider lock-in
Model selection is a configuration decision, not an architectural commitment. Institutions can migrate between model providers without changing governance policy, audit architecture, or application code.
3. Data & Encryption
Encryption and data handling posture
All data in transit between Clarvus AIOS components uses TLS 1.3. Data at rest in the audit trail and governance store uses AES-256 encryption. Encryption keys are managed by the deploying institution in on-premises and air-gapped configurations — not by ArthaVedh.
PII detection runs at inference time. When a model output contains detected PII, the system applies the institution's configured PII policy before output surfaces to the end user — masking, blocking, or escalating to human review, depending on the L1 policy configuration.
Data in transit
TLS 1.3
All inter-service communication
Data at rest
AES-256
Audit trail and governance store
Key management
Institution-controlled
On-premises and air-gapped deployments
PII detection
Inference-time
Applied before output reaches end user
Audit record integrity
Hash-chained
Tamper-evident chain-of-custody
SOC 2
Roadmap 2026
Type II audit in preparation
Security questionnaire or architecture review?
We can provide detailed security documentation and participate in your institution's vendor security review process.