Security & Compliance

Built for the work your CISO has to defend.

Bolt and Aeira are built for regulated industries from day one — not retrofitted with enterprise add-ons. This page covers our architectural posture, the compliance regimes the platform is deployable for today, and our roadmap. Detailed security briefs, threat models, and pen-test results are shared under NDA.

At a glance

The posture, summarized.

Your data. Your perimeter.

Self-host on AWS, Azure, GCP, on-prem, or fully air-gapped. Bolt Absolute and Aeira Federated never make outbound calls during operation. Bolt Bundled and Complete tiers route AI inference through a Sparcle-managed gateway under MSA + DPA with zero-retention guarantees from upstream providers.

Identity-bound by design

Every query inherits the calling user's identity from your IdP (SAML, OIDC, JWT). Aeira filters in-band on every result; Bolt's pipeline applies policy guardrails before any prompt reaches the LLM. No bypass mode for callers.

Encrypted & auditable

KMS-enveloped storage with per-tenant key isolation. Provable cryptographic erasure for GDPR & HIPAA obligations. Audit trail on every query — including which results were filtered and why. Specific KMS posture and crypto choices reviewed under NDA.
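To make the two terms above concrete, here is an added illustration (not Sparcle's code, and not a description of how Bolt or Aeira implement it) of envelope encryption with per-tenant key isolation and cryptographic erasure. It assumes a dictionary stands in for the KMS and, so that it runs on the standard library alone, replaces AES-GCM with an HMAC-SHA256 counter keystream, which is not an authenticated cipher and is used only to show the key hierarchy.

```python
"""Envelope encryption, per-tenant key isolation, cryptographic erasure.

Added example, not the platform's code. Hypothetical stand-ins:
- KeyStore replaces a real KMS (a cloud KMS would wrap/unwrap the DEK).
- keystream_xor replaces AES-GCM so the example needs only the stdlib.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class KeyStore:
    """Stand-in for a KMS: one key-encryption key (KEK) per tenant."""

    def __init__(self) -> None:
        self._keks: Dict[str, bytes] = {}

    def create_tenant(self, tenant_id: str) -> None:
        self._keks[tenant_id] = secrets.token_bytes(32)

    def kek(self, tenant_id: str) -> Optional[bytes]:
        return self._keks.get(tenant_id)

    def destroy(self, tenant_id: str) -> None:
        # Cryptographic erasure: with the KEK gone, every DEK wrapped under
        # it, and so every ciphertext, is unrecoverable. Nothing else needs
        # to be found and overwritten, which is what makes erasure provable.
        self._keks.pop(tenant_id, None)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-GCM)."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], ks))
    return bytes(out)


def encrypt_record(store: KeyStore, tenant_id: str, plaintext: bytes) -> dict:
    """Envelope: a fresh per-record DEK protects the data, the tenant KEK wraps the DEK."""
    kek = store.kek(tenant_id)
    if kek is None:
        raise KeyError(f"unknown tenant {tenant_id!r}")
    dek = secrets.token_bytes(32)
    dek_nonce, data_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    return {
        "tenant": tenant_id,
        "wrapped_dek": keystream_xor(kek, dek_nonce, dek),
        "dek_nonce": dek_nonce,
        "data_nonce": data_nonce,
        "ciphertext": keystream_xor(dek, data_nonce, plaintext),
    }


def decrypt_record(store: KeyStore, record: dict) -> Optional[bytes]:
    """Returns None when the tenant's KEK no longer exists."""
    kek = store.kek(record["tenant"])
    if kek is None:
        return None
    dek = keystream_xor(kek, record["dek_nonce"], record["wrapped_dek"])
    return keystream_xor(dek, record["data_nonce"], record["ciphertext"])


def demo() -> dict:
    """Walks through isolation and erasure on constructed sample data."""
    store = KeyStore()
    store.create_tenant("tenant-a")
    store.create_tenant("tenant-b")
    plaintext = b"constructed sample: lab result for patient 42"
    rec = encrypt_record(store, "tenant-a", plaintext)
    before = decrypt_record(store, rec)
    # Tenant B's KEK cannot unwrap tenant A's DEK, so the result is garbage.
    isolated = decrypt_record(store, {**rec, "tenant": "tenant-b"}) != plaintext
    store.destroy("tenant-a")  # the erasure event
    after = decrypt_record(store, rec)
    return {"before": before, "isolated": isolated, "after": after}


if __name__ == "__main__":
    print(demo())
```

The point to check in a real deployment is the same as in the toy: the only path from ciphertext to plaintext runs through the tenant's KEK, so destroying that key (and its backups) is the erasure, and the KMS audit log of the destroy call is the evidence.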

Patent-pending architecture

Three USPTO provisional applications cover the runtime architecture, the priority engine, and the overlay UI. Numbers and filing dates on our IP page; detailed claim language under NDA.

Compliance Posture

What's deployable today, what's on the roadmap.

We use precise language about compliance: an architecture is "deployable" for a regime when it can be configured to satisfy that regime's technical requirements, but a formal certification is a separate process with a third-party auditor. Here's where we are honestly.

Regime                 | Status                  | Notes
HIPAA                  | Architecture deployable | Self-hosted variants meet HIPAA technical safeguards. BAAs available on enterprise contracts during pilot evaluation.
SOX                    | Architecture deployable | Audit-trail responses, immutable logging, and role-based controls support SOX IT general controls. Customer-specific scope reviewed during pilot.
ITAR / Export Control  | Architecture deployable | Air-gapped Federated tier available. US-person-only access controls and data residency enforced via deployment configuration.
GDPR                   | Architecture deployable | Provable cryptographic erasure for Right to be Forgotten. EU data residency via region-pinned deployments.
SOC 2 Type II          | Roadmap                 | Audit engagement planned. Honest framing: no formal certification yet. Aligned controls implemented; happy to share gap analysis under NDA.
FedRAMP Moderate       | Roadmap                 | Federated tier targeted. Multi-quarter effort; we work with sponsoring agency partners during pilot.
ISO 27001              | Roadmap                 | Audit engagement on the path; controls aligned. NDA brief covers timeline.

Deployment Models

You choose what we run, what you run.

Self-Hosted (Bolt Absolute, Aeira Dynamic / Enhanced)

You run the data plane and the AI inference. Sparcle ships software, updates, and support. Air-gap option available. Most regulated buyers start here. From $30/seat/month for Bolt; from $999/month for Aeira Dynamic.

Hybrid (Bolt Bundled)

You run the data plane in your perimeter. Sparcle runs the AI inference gateway under an MSA + DPA with zero-retention guarantees from upstream providers. Best for teams wanting managed AI without giving up data residency. From $60/seat/month.

Fully Managed (Bolt Complete)

Sparcle runs the entire stack in our infrastructure under contractual SLA & DPA. For teams without a strong on-prem or VPC operations capability who still want enterprise SSO, audit, and compliance. From $90/seat/month.

Air-Gapped (Aeira Federated)

No outbound, no inbound, no telemetry. Multi-region VPC or physically air-gapped. License validation via offline-signed token, refreshed on a customer-controlled schedule. Defense, federal, and the most-regulated industries. Custom annual contracts from $500K/year.
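As an added illustration of what an offline-signed license token involves (this is example code, not Sparcle's implementation, and the token format is assumed), the validator below checks a signature and validity window using only a local clock, with no network call. It assumes a token of the form "<base64 payload>.<base64 tag>", a JSON payload carrying "tenant", "issued_at" and "not_after" as Unix seconds, and an HMAC-SHA256 tag under a key provisioned at install time; a production design would use an asymmetric signature so the customer holds only a public key, but the checks are the same.

```python
"""Offline license-token issue and validation (added example, not the platform's code).

Hypothetical format: "<urlsafe-b64 payload>.<urlsafe-b64 tag>", where the
payload is JSON with "tenant", "issued_at", "not_after" (Unix seconds).
HMAC-SHA256 stands in for the asymmetric signature a vendor would use.
"""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Tuple


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, tenant: str, issued_at: int, not_after: int) -> str:
    """Vendor side: sign the claims. Runs wherever the signing key lives, never on the customer host."""
    claims = {"tenant": tenant, "issued_at": issued_at, "not_after": not_after}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def validate_token(key: bytes, token: str, expected_tenant: str, now: int) -> Tuple[bool, str]:
    """Customer side: no outbound call, only the local key and a clock value.

    Returns (ok, reason). Signature is checked before any claim is trusted,
    and compared in constant time.
    """
    try:
        p64, t64 = token.split(".")
        payload, tag = _b64d(p64), _b64d(t64)
    except (ValueError, binascii.Error):
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    try:
        claims = json.loads(payload)
        issued_at, not_after = int(claims["issued_at"]), int(claims["not_after"])
    except (ValueError, KeyError, TypeError):
        return False, "bad claims"
    if claims.get("tenant") != expected_tenant:
        return False, "tenant mismatch"
    if now < issued_at:
        return False, "not yet valid"
    if now > not_after:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a 30-day token checked one day in.
    install_key = b"constructed-install-key"
    tok = issue_token(install_key, "acme", 1_700_000_000, 1_700_000_000 + 30 * 86400)
    print(validate_token(install_key, tok, "acme", 1_700_000_000 + 86400))
```

The refresh schedule the page mentions maps onto "not_after": the customer imports a new token before that instant, and an expired token fails closed rather than phoning home.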

Available under NDA

Where the technical depth lives.

We deliberately don't publish implementation specifics on the public site. Below is what we share under a mutual NDA during pilot evaluation:

  • Architecture brief — component-level diagrams of Bolt's runtime and Aeira's data plane, including the cache hierarchy, the priority engine's scoring model, and the security pipeline's specific layers
  • Security posture documentation — threat model, encryption details, key management semantics, audit log format and retention
  • Patent claim summaries — what the three USPTO filings cover and how they map to the runtime
  • Pen-test results — latest external assessment findings and remediation status
  • Compliance gap analysis — honest current-vs-target view for SOC 2, ISO 27001, FedRAMP
  • Reference customer conversations — design partners willing to take a call about their experience
  • Deployment runbook — Helm charts, Docker Compose, Kubernetes manifests, and the operational guides used during go-live

Take the next step.

Schedule a 30-minute call to walk through the architecture, request the security brief under NDA, or arrange a reference conversation with a design partner.