The data cannot leave the perimeter — not even to prove that it is being protected.

Local & federated evidence

The diagnostic travels.
The patient record does not.

Every AL360° Oceans diagnostic executes inside your own infrastructure. Only the signed Evidence Record crosses the boundary — the finding, never the record, the corpus, the prompt, or the weights.

Self-hosted or air-gappedRecord-only egressSigning key stays with youVerifiable offline

The evidence boundary

Inside your perimeter

Clinical records
Prompts & corpora
Model weights
Minors' data
Signing key
The diagnostic runs here
only this leaves →

Evidence Record ER-2026-ART9-042

checkart9_exposure
score0.97 (pass)
model versionsha256:9c1e…
raw datanot included
signatureed25519:a3f8…

The data cannot leave. The evidence still must.

Health AI, financial AI, and minor-facing AI share one constraint: the data that would prove the system is safe is precisely the data that must not move. So it does not. The diagnostic goes to the data, and a signed Evidence Record comes back — which is the only thing a reviewer needed in the first place.

Data boundary

What stays. What leaves.

The boundary is enforced by the container, not by a setting. There is no configuration that turns raw egress on, and no support ticket that will enable it.

Stays inside your perimeter

  • Clinical records, financial records, and minors' data
  • Prompts, completions, and retrieval corpora
  • Training and fine-tuning data
  • Model weights and embeddings
  • The Ed25519 signing key — it never leaves your infrastructure

Leaves as an Evidence Record

  • A signed Evidence Record — the check, the score, the result
  • The runner name and version, and the parameters used
  • The model version the result is bound to (so a swap invalidates it)
  • An Ed25519 signature any reviewer can verify offline

Available checks

Six checks. Each one seals a section of the passport.

These are the diagnostics that close the gaps a scan finds — Art. 9 and Art. 8 exposure, Art. 10 bias examination, Art. 15 accuracy under shift, and the corpus-integrity check that catches an injected instruction before the agent acts on it.

Special-category exposure

Detects GDPR Art. 9 health and biometric data, and Art. 8 minors' data, reaching the model or its prompts. The finding is exported; the matched text never is.

Sensitive Data Detection

Bias examination — AI Act Art. 10

Group disparity analysis across the protected characteristics that matter in this deployment — including whether a removed attribute is being reconstructed from postcode, device, or referral pathway.

Group Disparity Analysis

Retrieval grounding and corpus integrity

Faithfulness and context precision on your own corpus, plus injected-instruction detection: a retrieved document that instructs rather than informs inherits the system's data access.

Grounding and Response Quality

Prompt injection surface

Jailbreak and injection pattern detection across active templates and retrieval paths. Anomalies are raised without the prompt content ever being logged.

Prompt Safety Current

Accuracy under distribution shift

AI Act Art. 15 robustness re-tested against the population currently in front of the model — not the cohort it was validated on two model versions ago.

Schema and Data Quality

Security posture

Dependency vulnerability audit and AI-specific surface assessment, executed entirely inside your perimeter.

OWASP · Bandit

Where this is the only option

Health AI. Financial AI. Minor-facing AI. Sovereign deployments.

Health AI

Patient data cannot leave the clinical network — not to a vendor, and not to a compliance tool.

The diagnostic executes on-premise. Bias examination under Art. 10 and Art. 9 exposure checks run against the real cohort, and only the signed Evidence Record attaches to the passport. No clinical record exits, and MDR obligations are unaffected.

Financial AI

Under DORA and residency rules, model inputs and outputs stay inside the institution's ICT perimeter.

The capsule runs inside your VPC. Art. 15 accuracy under shift and Art. 22 contestability evidence are produced locally, signed with your key, and attached to the passport as sealed records.

Public sector and sovereign

All diagnostic activity must remain inside sovereign or classified infrastructure. No external network calls.

Fully air-gappable. Evidence Records are exported by secure channel or by hand, and remain verifiable offline by a competent authority without any connection to us.

Minor-facing AI

Under GDPR Art. 8 and DSA Art. 28, a child's data must not be moved to a third party to demonstrate that it is being protected.

The diagnostic goes to the data. Exposure and oversight evidence is produced without a single record of a minor leaving the service that holds it.

Architecture

Deploy in your own perimeter.

Runs inside your perimeter

A container you deploy on-premise, in your VPC, or air-gapped. No external network call is required to execute a diagnostic — and none is made.

No second-class evidence

Every runner executes identically to the hosted version: same checks, same scores, same record format. A reviewer cannot tell where the diagnostic ran, and does not need to.

Record-only egress

Only signed Evidence Records cross the boundary. The Ed25519 signing key never leaves your infrastructure, and any reviewer can verify a record offline without contacting us.

01

Deploy

Pull the container into your own infrastructure — on-premise, VPC, or air-gapped. No external access is required.

02

Hold the key

Generate the Ed25519 signing key inside your perimeter. It is never transmitted, and we never hold it.

03

Run the check

Trigger from your pipeline or from Oceans. Execution is local; the data never crosses the boundary.

04

Seal the passport

The signed Evidence Record attaches to the Ripple, closing the gap the scan named — and binding it to the model version tested.

Common questions

In-perimeter evidence — addressed.

We already use an observability stack.

Observability tells you what happened, to you. An Evidence Record proves a diagnostic result to someone else — a supervisory authority, a hospital's DPO, a notified reviewer — without granting them access to your systems and without asking them to trust you.

We could run the hosted version on anonymised data.

Anonymisation is not a guarantee, and for health, biometric, or minors' data the re-identification risk is exactly the risk the regulation is written about. Federated execution removes the question rather than arguing it: the data does not move.

How does a signed record prove the diagnostic ran correctly?

The record binds the runner and its version, the parameter hash, the model version under test, the score, and the result — signed with the key pair registered to your organisation. A reviewer verifies it offline. What it does not prove is that the diagnostic was the right one to run; a human decides that, on the record.

Is in-perimeter execution a reduced version?

No. Every runner — sensitive-data detection, group disparity, retrieval grounding, prompt safety, schema and data quality — executes identically, produces identical scores, and emits an identical record format. There is no feature gap and no second-class evidence.

Sovereign and in-perimeter deployment

Send the diagnostic to the data.
Never the reverse.

For health, financial, minor-facing, and sovereign deployments where the data cannot move. We will scope the container, the signing key, and the egress boundary against your own constraints — before anything is installed.

AffectLog provides technical and operational evidence to support AI access decisions. Not legal advice, certification, notified-body conformity assessment, or regulatory approval.