The data cannot leave the perimeter — not even to prove that it is being protected.
Local & federated evidence
The diagnostic travels.
The patient record does not.
Every AL360° Oceans diagnostic executes inside your own infrastructure. Only the signed Evidence Record crosses the boundary — the finding, never the record, the corpus, the prompt, or the weights.
The evidence boundary
Inside your perimeter
Evidence Record ER-2026-ART9-042
The data cannot leave. The evidence still must.
Health AI, financial AI, and minor-facing AI share one constraint: the data that would prove the system is safe is precisely the data that must not move. So it does not. The diagnostic goes to the data, and a signed Evidence Record comes back — which is the only thing a reviewer needed in the first place.
Data boundary
What stays. What leaves.
The boundary is enforced by the container, not by a setting. There is no configuration that turns raw egress on, and no support ticket that will enable it.
Stays inside your perimeter
- Clinical records, financial records, and minors' data
- Prompts, completions, and retrieval corpora
- Training and fine-tuning data
- Model weights and embeddings
- The Ed25519 signing key — it never leaves your infrastructure
Leaves as an Evidence Record
- A signed Evidence Record — the check, the score, the result
- The runner name and version, and the parameters used
- The model version the result is bound to (so a swap invalidates it)
- An Ed25519 signature any reviewer can verify offline
Available checks
Six checks. Each one seals a section of the passport.
These are the diagnostics that close the gaps a scan finds — Art. 9 and Art. 8 exposure, Art. 10 bias examination, Art. 15 accuracy under shift, and the corpus-integrity check that catches an injected instruction before the agent acts on it.
Special-category exposure
Detects GDPR Art. 9 health and biometric data, and Art. 8 minors' data, reaching the model or its prompts. The finding is exported; the matched text never is.
Sensitive Data Detection
Bias examination — AI Act Art. 10
Group disparity analysis across the protected characteristics that matter in this deployment — including whether a removed attribute is being reconstructed from postcode, device, or referral pathway.
Group Disparity Analysis
Retrieval grounding and corpus integrity
Faithfulness and context precision on your own corpus, plus injected-instruction detection: a retrieved document that instructs rather than informs inherits the system's data access.
Grounding and Response Quality
Prompt injection surface
Jailbreak and injection pattern detection across active templates and retrieval paths. Anomalies are raised without the prompt content ever being logged.
Prompt Safety Current
Accuracy under distribution shift
AI Act Art. 15 robustness re-tested against the population currently in front of the model — not the cohort it was validated on two model versions ago.
Schema and Data Quality
Security posture
Dependency vulnerability audit and AI-specific surface assessment, executed entirely inside your perimeter.
OWASP · Bandit
Where this is the only option
Health AI. Financial AI. Minor-facing AI. Sovereign deployments.
Health AI
Patient data cannot leave the clinical network — not to a vendor, and not to a compliance tool.
The diagnostic executes on-premise. Bias examination under Art. 10 and Art. 9 exposure checks run against the real cohort, and only the signed Evidence Record attaches to the passport. No clinical record exits, and MDR obligations are unaffected.
Financial AI
Under DORA and residency rules, model inputs and outputs stay inside the institution's ICT perimeter.
The capsule runs inside your VPC. Art. 15 accuracy under shift and Art. 22 contestability evidence are produced locally, signed with your key, and attached to the passport as sealed records.
Public sector and sovereign
All diagnostic activity must remain inside sovereign or classified infrastructure. No external network calls.
Fully air-gappable. Evidence Records are exported by secure channel or by hand, and remain verifiable offline by a competent authority without any connection to us.
Minor-facing AI
Under GDPR Art. 8 and DSA Art. 28, a child's data must not be moved to a third party to demonstrate that it is being protected.
The diagnostic goes to the data. Exposure and oversight evidence is produced without a single record of a minor leaving the service that holds it.
Architecture
Deploy in your own perimeter.
Runs inside your perimeter
A container you deploy on-premise, in your VPC, or air-gapped. No external network call is required to execute a diagnostic — and none is made.
No second-class evidence
Every runner executes identically to the hosted version: same checks, same scores, same record format. A reviewer cannot tell where the diagnostic ran, and does not need to.
Record-only egress
Only signed Evidence Records cross the boundary. The Ed25519 signing key never leaves your infrastructure, and any reviewer can verify a record offline without contacting us.
Deploy
Pull the container into your own infrastructure — on-premise, VPC, or air-gapped. No external access is required.
Hold the key
Generate the Ed25519 signing key inside your perimeter. It is never transmitted, and we never hold it.
Run the check
Trigger from your pipeline or from Oceans. Execution is local; the data never crosses the boundary.
Seal the passport
The signed Evidence Record attaches to the Ripple, closing the gap the scan named — and binding it to the model version tested.
Common questions
In-perimeter evidence — addressed.
“We already use an observability stack.”
Observability tells you what happened, to you. An Evidence Record proves a diagnostic result to someone else — a supervisory authority, a hospital's DPO, a notified reviewer — without granting them access to your systems and without asking them to trust you.
“We could run the hosted version on anonymised data.”
Anonymisation is not a guarantee, and for health, biometric, or minors' data the re-identification risk is exactly the risk the regulation is written about. Federated execution removes the question rather than arguing it: the data does not move.
“How does a signed record prove the diagnostic ran correctly?”
The record binds the runner and its version, the parameter hash, the model version under test, the score, and the result — signed with the key pair registered to your organisation. A reviewer verifies it offline. What it does not prove is that the diagnostic was the right one to run; a human decides that, on the record.
“Is in-perimeter execution a reduced version?”
No. Every runner — sensitive-data detection, group disparity, retrieval grounding, prompt safety, schema and data quality — executes identically, produces identical scores, and emits an identical record format. There is no feature gap and no second-class evidence.
Sovereign and in-perimeter deployment
Send the diagnostic to the data.
Never the reverse.
For health, financial, minor-facing, and sovereign deployments where the data cannot move. We will scope the container, the signing key, and the egress boundary against your own constraints — before anything is installed.
AffectLog provides technical and operational evidence to support AI access decisions. Not legal advice, certification, notified-body conformity assessment, or regulatory approval.