Security & Compliance

Built for the work your CISO has to defend.

Bolt and Aeira are built to the security bar regulated industries demand — which means they work for any enterprise that takes governance seriously, not just the ones a regulator forces to. This page covers our architectural posture, the compliance regimes the platform is deployable for today, and our roadmap. Detailed security briefs, threat models, and pen-test results are shared under NDA.

At a glance

The posture, summarized.

Your data. Your perimeter.

Self-host on AWS, Azure, GCP, on-prem, or fully air-gapped. Every Bolt and Aeira tier keeps your data plane inside your perimeter; Sparcle never hosts your data. If you opt into Managed AI, only the LLM inference call leaves: PII-masked prompts route through a Sparcle-managed gateway under an MSA + DPA, with zero-retention commitments from upstream providers. The data plane itself stays put.

Identity-bound by design

Every query inherits the calling user's identity from your IdP (SAML, OIDC, or a JWT). Aeira filters in-band, on every result, against that identity; Bolt's pipeline applies policy guardrails before any prompt reaches the LLM. There is no bypass mode: a caller cannot query without an identity.

Encrypted & auditable

KMS-enveloped storage with per-tenant key isolation. Provable cryptographic erasure (destroying a tenant's key renders every record encrypted under it unrecoverable) for GDPR and HIPAA obligations. Audit trail on every query, including which results were filtered and why. The specific KMS posture and cryptographic choices are reviewed under NDA.
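Envelope encryption with per-tenant key isolation and cryptographic erasure, as an added illustration in Go. This is not Sparcle's code; the in-memory Kms, the Envelope layout and every name in it are assumptions made for the example. Each record is sealed under its own data-encryption key (DEK), the DEK is wrapped under the tenant's key-encryption key (KEK) that only the KMS holds, and deleting the tenant's KEK makes every record unrecoverable even though the ciphertext, and every backup of it, still exists. The tenant id is bound into the AEAD's associated data, so a ciphertext relabelled as another tenant's will not open either.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Kms stands in for a real KMS: one KEK per tenant that callers never see; they only wrap and unwrap under it.
type Kms struct{ keks map[string][]byte }

func NewKms() *Kms { return &Kms{keks: make(map[string][]byte)} }

// CreateTenantKey provisions a fresh 256-bit KEK. DestroyTenantKey is the cryptographic-erasure
// step: with the KEK gone, every DEK wrapped under it, and so every record, is unrecoverable.
func (k *Kms) CreateTenantKey(tenant string) { k.keks[tenant] = randomBytes(32) }
func (k *Kms) DestroyTenantKey(tenant string) { delete(k.keks, tenant) }

// randomBytes draws from the system CSPRNG; failure is fatal, never silently weak.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic("CSPRNG unavailable: " + err.Error())
	}
	return b
}

// aead returns AES-256-GCM for key. Every key here comes from randomBytes(32), so a bad length is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// aeadSeal prepends a random 96-bit nonce to the GCM output. aad is authenticated, not
// encrypted: binding the tenant id into it means a relabelled ciphertext will not open.
func aeadSeal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext shorter than the nonce")
}

// Envelope is what lands in storage: ciphertext plus the wrapped DEK. No plaintext key sits next to the data.
type Envelope struct {
	Tenant     string
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt makes a per-record DEK, seals the record with it, wraps the DEK under the tenant's KEK.
func Encrypt(k *Kms, tenant string, plaintext []byte) (Envelope, error) {
	kek, ok := k.keks[tenant]
	if !ok {
		return Envelope{}, fmt.Errorf("no active key for tenant %q", tenant)
	}
	dek, aad := randomBytes(32), []byte(tenant)
	return Envelope{Tenant: tenant, WrappedDEK: aeadSeal(kek, dek, aad), Ciphertext: aeadSeal(dek, plaintext, aad)}, nil
}

// Decrypt unwraps the DEK under the tenant's current KEK, then opens the record.
func Decrypt(k *Kms, env Envelope) ([]byte, error) {
	kek, ok := k.keks[env.Tenant]
	if !ok {
		return nil, fmt.Errorf("no active key for tenant %q: erased or never provisioned", env.Tenant)
	}
	dek, err := aeadOpen(kek, env.WrappedDEK, []byte(env.Tenant))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK for %q: %w", env.Tenant, err)
	}
	return aeadOpen(dek, env.Ciphertext, []byte(env.Tenant))
}

func main() {
	kms := NewKms()
	kms.CreateTenantKey("tenant-a")
	env, _ := Encrypt(kms, "tenant-a", []byte("MRN 00923 (constructed sample record)"))
	kms.DestroyTenantKey("tenant-a") // erase the tenant: the ciphertext stays, the record is gone
	fmt.Println(Decrypt(kms, env))
}
```

In a real deployment the KEK lives in the cloud provider's KMS or an HSM and "destroy" is that service's key-deletion operation; the evidence an auditor asks for is the logged deletion of that key, which is what makes the erasure provable rather than merely asserted.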

Patent-pending architecture

Bolt's patent-pending claims cover the runtime architecture, the priority engine, and the overlay UI. Detailed claim language is shared under NDA.

Tamper-evident audit you can verify yourself

Every privileged action is sealed into an Ed25519-signed Merkle chain. Export a self-contained proof bundle and an auditor verifies it completely offline, with no database and nothing from Sparcle in the verification loop; all the auditor needs besides the bundle is a pinned copy of the signing public key.
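What an offline-verifiable proof bundle looks like in practice, as an added illustration in Go. This is not Sparcle's code; the event encoding, the bundle layout, the hash-domain prefixes and the seal string are assumptions made for the example. The log hashes a batch of events into a Merkle tree, signs the root together with the previous batch's root with Ed25519 (that link is what makes it a chain), and exports one bundle per event. The verifier recomputes the root from the event and its sibling path and checks the signature against a key it pinned in advance, never one carried inside the bundle.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AuditEvent is a constructed stand-in for one privileged-action record; the real
// log format is not public and these field names are assumptions.
type AuditEvent struct {
	Seq           uint64
	Actor, Action string
}

// Bytes is the canonical encoding that gets hashed into the tree.
func (e AuditEvent) Bytes() []byte { return []byte(fmt.Sprintf("%d|%s|%s", e.Seq, e.Actor, e.Action)) }

// Leaves and inner nodes hash under different prefixes (as in RFC 6962) so one can never be passed off as the other.
func hashLeaf(d []byte) [32]byte { return sha256.Sum256(append([]byte{0x00}, d...)) }
func hashNode(l, r [32]byte) [32]byte { return sha256.Sum256(append(append([]byte{0x01}, l[:]...), r[:]...)) }

// ProofBundle is everything an auditor needs to check one event offline.
type ProofBundle struct {
	Event     AuditEvent
	Index     int        // leaf position; its bits give the left/right order of Path
	Path      [][32]byte // sibling hashes from the leaf up to the root
	PrevRoot  [32]byte   // root of the previous sealed batch: the chain link
	Root      [32]byte
	Signature []byte
}

// sealMessage is what gets signed: previous root plus new root, so the signature also
// commits to where this batch sits in the chain.
func sealMessage(prev, root [32]byte) []byte {
	return append(append([]byte("audit-seal-v1:"), prev[:]...), root[:]...)
}

// merkleProof builds the tree (duplicating the last node of an odd level) and returns the root and the sibling path for leaf idx.
func merkleProof(leaves [][32]byte, idx int) ([32]byte, [][32]byte) {
	level := append([][32]byte(nil), leaves...) // copy: padding must not touch the caller's slice
	var path [][32]byte
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		path = append(path, level[idx^1])
		next := make([][32]byte, 0, len(level)/2)
		for i := 0; i < len(level); i += 2 {
			next = append(next, hashNode(level[i], level[i+1]))
		}
		level, idx = next, idx/2
	}
	return level[0], path
}

// SealBatch hashes a batch, signs its root chained to prevRoot, and exports one self-contained bundle per event.
func SealBatch(priv ed25519.PrivateKey, prevRoot [32]byte, events []AuditEvent) []ProofBundle {
	leaves := make([][32]byte, len(events))
	for i, e := range events {
		leaves[i] = hashLeaf(e.Bytes())
	}
	bundles := make([]ProofBundle, len(events))
	for i, e := range events {
		root, path := merkleProof(leaves, i)
		sig := ed25519.Sign(priv, sealMessage(prevRoot, root))
		bundles[i] = ProofBundle{Event: e, Index: i, Path: path, PrevRoot: prevRoot, Root: root, Signature: sig}
	}
	return bundles
}

// VerifyBundle is the auditor's side: no database, no network, only the bundle and a signing key
// obtained through a trusted channel. Never take the key from the bundle: whoever forged it chose the key.
func VerifyBundle(pinned ed25519.PublicKey, b ProofBundle) error {
	h, idx := hashLeaf(b.Event.Bytes()), b.Index
	for _, sib := range b.Path {
		if idx&1 == 0 {
			h = hashNode(h, sib)
		} else {
			h = hashNode(sib, h)
		}
		idx >>= 1
	}
	if h != b.Root {
		return errors.New("inclusion path does not reach the sealed root: event altered or proof forged")
	}
	if !ed25519.Verify(pinned, sealMessage(b.PrevRoot, b.Root), b.Signature) {
		return errors.New("root signature invalid: wrong key, altered root, or broken chain link")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	events := []AuditEvent{{1, "alice@example.com", "grant:role=admin"}, {2, "svc-etl", "export:dataset=claims"}, {3, "alice@example.com", "rotate:kms-key=tenant-7"}} // constructed sample
	bundles := SealBatch(priv, [32]byte{}, events)
	fmt.Println("genuine:", VerifyBundle(pub, bundles[1]))
	bundles[1].Event.Action = "export:dataset=nothing" // tamper with the exported record
	fmt.Println("tampered:", VerifyBundle(pub, bundles[1]))
}
```

Because the signed message includes the previous root, an attacker who rewrites an old batch must also re-sign every later batch, which is why the verifier needs the pinned public key and nothing else: the chain of signatures carries the integrity, not the database that stored it.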

Streams to your SIEM out of the box

Audit events forward to your SIEM — Splunk, Microsoft Sentinel, or syslog — with no extra tooling. Your security team watches Bolt activity in the same place it watches everything else.

Compliance Posture

What's deployable today, what's on the roadmap.

We use precise language about compliance: an architecture is "deployable" for a regime when it can be configured to satisfy that regime's technical requirements, but a formal certification is a separate process with a third-party auditor. Here is where we stand today.

HIPAA (architecture deployable): Self-hosted variants meet HIPAA technical safeguards. BAAs are available on enterprise contracts during pilot evaluation.

SOX (architecture deployable): Audit-trailed responses, tamper-evident logging, and role-based controls support SOX IT general controls. Customer-specific scope is reviewed during pilot.

ITAR / Export Control (architecture deployable): Air-gapped Federated tier available. US-person-only access controls and data residency are enforced via deployment configuration.

GDPR / UK GDPR (architecture deployable): Provable cryptographic erasure for Right to be Forgotten requests. EU and UK data residency via region-pinned deployments.

FCA / PRA, UK financial services (architecture deployable): Self-hosted posture supports SYSC 8 outsourcing, SS1/21 + PS21/3 operational resilience, SS1/23 third-party risk, and DP5/22 AI model risk. The customer remains the regulated entity; Sparcle ships software, the firm runs it. Architecture brief, DPA, and third-party-register template available under NDA.

DORA, EU financial services (architecture deployable): Self-hosted plus BYO LLM reduces ICT third-party concentration risk. Exit-portable via Helm or Docker Compose. ICT incident logging and reporting hooks available.

SOC 2 Type II (roadmap): Audit engagement planned. Honest framing: no formal certification yet. Aligned controls are implemented; we are happy to share the gap analysis under NDA.

FedRAMP Moderate (roadmap): Federated tier targeted. Multi-quarter effort; we work with sponsoring agency partners during pilot.

ISO 27001 (roadmap): Audit engagement on the path; controls aligned. The NDA brief covers the timeline.

Deployment Models

Your data plane stays in your perimeter, always.

Self-Hosted (every Bolt tier, Aeira Dynamic / Enhanced)

You run the data plane and the AI inference. Sparcle ships software, updates, and support. Docker Compose for staging, Kubernetes for production HA, air-gap option available. Most regulated buyers start here. From $30/seat/month for Bolt; from $999/month for Aeira Dynamic.

Managed AI option (any tier)

You keep the data plane in your perimeter. If you would rather not run inference yourself, Sparcle routes only the LLM calls through a managed gateway under an MSA + DPA with zero-retention guarantees from upstream providers. Prompts are PII-masked before they leave, so only masked prompts reach the gateway; the data plane itself never leaves your perimeter.

Air-Gapped (Aeira Federated)

No outbound, no inbound, no telemetry. Multi-region VPC or physically air-gapped. License validation uses an offline-signed token, refreshed on a customer-controlled schedule. Built for defense, federal, and the most regulated industries. Custom annual contracts from $500K/year.

Available under NDA

Where the technical depth lives.

We deliberately don't publish implementation specifics on the public site. Below is what we share under a mutual NDA during pilot evaluation:

  • Architecture brief — component-level diagrams of Bolt's runtime and Aeira's data plane, including the cache hierarchy, the priority engine's scoring model, and the security pipeline's specific layers
  • Security posture documentation — threat model, encryption details, key management semantics, audit log format and retention
  • Patent claim summaries — what the patent-pending architecture covers and how it maps to the runtime
  • Pen-test results — latest external assessment findings and remediation status
  • Compliance gap analysis — honest current-vs-target view for SOC 2, ISO 27001, FedRAMP
  • Reference customer conversations — design partners willing to take a call about their experience
  • Deployment runbook — Helm charts, Docker Compose, Kubernetes manifests, and the operational guides used during go-live

Take the next step.

Schedule a 30-minute call to walk through the architecture, request the security brief under NDA, or arrange a reference conversation with a design partner.