Built to be trusted.

Sovereignty is a property of the architecture, not a marketing line. Below is what that means in practice: where your data lives, how the system updates, what we can and cannot see, and the commitments that ship with every appliance.


Sovereignty by construction

The Arsenale appliance runs inference, agent execution, and learning on its own hardware. There is no cloud component in the loop for the system to function. The default posture is on-premises; everything else is opt-in.

Data on premises

Documents, conversations, agent state, and learning data sit on the appliance you own. The product does not require outbound connectivity to operate.

Owned outright

Hardware is purchased, not rented. There is no per-token billing, no per-seat licence on the inference itself, and no remote kill-switch tied to a subscription.

Designed and built in Britain

The runtime is UK-engineered. The corporate entity, registered office, and operations are UK-domiciled. The appliance is shipped from the UK.

Air-gap capable

The appliance functions on isolated networks for deployments where outbound connectivity is forbidden. Updates can be applied via signed offline packages.


Remote access: what we can and cannot see

Most customers want a remote dashboard. We offer three options across a spectrum from convenience to maximal privacy. We describe each accurately rather than claim end-to-end on the convenient default.

Option What it is What can see content Status
Managed tunnel
default
Reverse tunnel terminating TLS at a global edge network. Zero customer setup. Reachable from anywhere a browser is. The edge provider and Arsenale, technically. Random observers see encrypted traffic only. SHIPPED
VPN tunnel
end-to-end
Customer connects via a WireGuard or Tailscale client straight to the appliance. TLS terminates only on the appliance itself. No third party, including us. Connection metadata is observable at the network layer; content is not. SHIPPING
LAN only Remote access disabled. Dashboard reachable only from devices on the same local network as the appliance. No external party. Anything inside the network the customer controls. SHIPPED
BYO domain Customer points their own domain at the appliance and supplies their DNS credentials. Edge layer becomes theirs to choose or skip. Whoever the customer puts in front of the appliance, or no one. SHIPPED

Customers can change between options at any time. The hardware and the data do not move; only the path by which the dashboard is reached.


Security posture

Five years of security included

Every appliance ships with five years of Syntex OS security patches at no additional charge. Security is not behind the optional annual licence; only feature updates are.

Signed update channel

Updates are delivered through a cryptographically signed package channel. Unsigned or tampered packages are rejected by the appliance before being applied.

Tamper-evident audit log

Every licence event, activation, and policy-relevant action is logged to an append-only ledger with a per-unit HMAC chain. Modifying or deleting any row breaks the chain and is detectable.

Offline licence activation

Licence keys validate against an offline checksum. The appliance does not phone home to verify the key, and continues to operate during network outages.

Per-unit secrets

Each appliance is provisioned with its own cryptographic secrets. There is no shared default key across the fleet, and no master credential that, if extracted, compromises other deployments.

Minimal attack surface

The appliance exposes the dashboard and the agent endpoints, nothing else. No remote management daemon, no admin SSH on by default, no inbound service the customer did not enable.


What we don't do

An honest description of constraints is as important as a list of features. The items below are deliberate.

No cloud back-channel

The appliance does not send inference data, agent traces, or customer documents to us for analysis, telemetry, or model improvement. The product would still work if we vanished.

No third-party model APIs

Inference runs against weights stored on the appliance, including a model we develop ourselves. The system does not call out to commercial LLM APIs in the background to fill gaps or improve quality.

No third-party trackers

The appliance dashboard ships without third-party analytics, advertising tags, or session-replay tools embedded.

No remote kill-switch

We do not retain a capability to remotely disable the appliance once it has been delivered. Operation does not depend on our continued willingness to authorise it.


Privacy and Civil Liberties by Architecture

The conventional approach to protecting privacy and civil liberties in vendor-supplied AI systems is to centralise customer data in the vendor's infrastructure and then employ engineers, lawyers, and policy specialists to defend how that data is used. We took the other route. Arsenale's design removes the centralisation step entirely; there is no vendor-held customer data to defend, because there is no vendor-held customer data.

Each commitment below is a property of the platform, not a policy promise. Policies can be revised; properties of the architecture cannot.

Your data does not leave your premises

Documents, conversations, agent state, and learning data sit on the appliance you own. There is no telemetry, no model-improvement tap, no analytics call-home. The product would still operate if Arsenale ceased to exist tomorrow.

No vendor-held copy to subpoena

Because Arsenale does not hold customer operational data, there is nothing for a third party (civil litigant, law-enforcement agency, or regulator) to compel from us about your conversations, documents, or agent activity. Only the entity that holds the data can be compelled, and that entity is you.

No remote deplatforming

Once an appliance is delivered, operation does not depend on Arsenale's continued willingness to authorise it. The licence validates against an offline checksum; the appliance does not phone home. You cannot be deplatformed by us for content, customer base, or political reasons.

Air-gap capable, by design

The appliance functions on isolated networks. Updates can be applied via signed offline packages. For journalism, legal counsel, intelligence work, human-rights documentation, or any context where outbound connectivity is itself a risk, the appliance can run with no internet at all.

Tamper-evident audit log, owned by the customer

Every licence event, activation, and policy-relevant action is recorded to an append-only ledger with a per-unit HMAC chain. The log lives on your appliance, exportable by you at any time, and any modification breaks the chain detectably. We cannot rewrite your audit history because we do not hold your audit history.

Single-tenant by hardware

Each customer operates on their own physical unit. There is no shared infrastructure where one customer's data could leak to another through a logical-separation failure. The separation is enforced by physics, not by configuration.

A privacy and civil liberties function staffed by engineers, lawyers, and policy specialists is a credible response to the centralised-vendor-data model. It is not the only response. The architectural response (design the platform so the concerns do not arise) is older, more durable, and harder to roll back. Arsenale is built on the architectural response.


Frameworks & compliance

The Arsenale Appliance is designed against published NCSC guidance for sovereign and on-premise systems, and our internal posture is structured against the ISO 27001 control objectives. We do not yet hold third-party-audited certifications and we will not claim ones we have not earned. The plan to obtain them is honest about the company's current stage.

Milestone Target Trigger
NCSC-aligned design IN PLACE Architecture, encryption, key management, and update channel structured against current NCSC guidance for sovereign systems.
ISO 27001-aligned internal posture IN PLACE Information Security Posture document, Data Classification Policy, vulnerability disclosure process, incident response procedure; all written, all in use.
Cyber Essentials Q4 2026 UK government baseline certification. Routine investment, no contract dependency.
Cyber Essentials Plus Within 6 months of first UK government framework contract Audited certification, standard procurement requirement for government framework awards.
ISO 27001 readiness Within 12 months of Series A or first enterprise contract Formal ISMS, control implementation evidence, internal audit.
ISO 27001 full certification Within 18 months of Series A or first enterprise contract External certification body audit.

A redacted version of the Information Security Posture document is available to counterparties under NDA on request.


NCSC Cloud Security Principles

The NCSC's 14 Cloud Security Principles are the standard reference UK government and regulated-sector procurement use to assess sovereign and on-premise systems. Below is how the Arsenale Appliance addresses each principle. The mapping is self-attested; we will replace it with externally-audited statements when a third-party assessment is available.

# Principle How the Arsenale Appliance addresses it Status
01 Data in transit protection TLS on all external traffic to and from the appliance dashboard. On-premise dashboard-to-LAN traffic is protected by the customer's network controls. The appliance does not initiate outbound traffic to Arsenale unless explicitly configured for the signed update channel. IN PLACE
02 Asset protection & resilience Customer-owned hardware on customer premises. No Arsenale-controlled storage of customer operational data. Resilience is the customer's deployment choice (single appliance, paired appliances, or offline backup). The product does not require continued Arsenale availability to operate. IN PLACE
03 Separation between users The appliance is single-tenant by hardware. Each customer operates their own physical unit. There is no shared infrastructure between customers, and therefore no logical-separation challenge typical of multi-tenant cloud platforms. STRUCTURAL
04 Governance framework Documented Information Security Posture (ISO 27001-aligned), Data Classification Policy, vulnerability disclosure process, and incident response procedure. Director-level accountability. Available to procurement under NDA. IN PLACE
05 Operational security Cryptographically signed update channel; tamper-evident audit log with per-unit HMAC chain; minimal exposed network surface; published vulnerability-disclosure SLA (acknowledge within 5 business days, assess within 10, default 90-day coordinated window). IN PLACE
06 Personnel security Engineer Day-One Briefing covers information security, ethical conduct, and modern-slavery awareness, with signed acknowledgement. UK right-to-work checks for all engaged personnel. Currently a sole-Director operation; controls scale with headcount. IN PLACE
07 Secure development Source code in local git repositories on company-controlled hardware. No GitHub or GitLab. Update packages cryptographically signed before release. No external CI/CD service has access to source code. IN PLACE
08 Supply chain security Subprocessors disclosed below on this page and reviewed annually. Hardware sourced from established suppliers in Tier-1 manufacturing jurisdictions; modern-slavery exposure assessed at /modern-slavery. Open-source dependencies tracked in the supplier file. IN PLACE
09 Secure user management Customer-controlled identity model on the appliance. Per-unit cryptographic secrets; no shared default credentials across the fleet. Account creation, role assignment, and offboarding remain entirely with the customer. IN PLACE
10 Identity and authentication Local authentication on the appliance dashboard at first boot. Customer identity-provider integration (SAML/OIDC) is on the roadmap; current deployments use shared-secret or LAN-restricted access patterns. No Arsenale-side identity service to compromise. PARTIAL
11 External interface protection The appliance exposes only the dashboard and the agent endpoints. No remote management daemon, no inbound SSH on by default, no service the customer did not enable. Default posture is air-gap-capable; remote access is opt-in across four documented options (managed tunnel, VPN tunnel, LAN-only, BYO domain). IN PLACE
12 Secure service administration No remote administration by Arsenale once the appliance is delivered. Customers administer the appliance themselves through the local dashboard or via the customer-chosen remote access option. No vendor backdoor; no remote kill-switch. IN PLACE
13 Audit information for users Tamper-evident audit log records every licence event, activation, and policy-relevant action. Per-unit HMAC chain; modifying or deleting any row breaks the chain and is detectable on inspection. The log is exportable by the customer at any time. IN PLACE
14 Secure use of the service Customer documentation includes secure-configuration guidance, the four remote-access options with their explicit trade-offs (see Remote access section above), and update procedures. Five years of security patches included in the base price; security is not behind the optional annual licence. IN PLACE

STRUCTURAL indicates the principle is satisfied by the architecture itself (e.g., separation by single-tenant hardware) rather than by an active control. PARTIAL indicates the control is in place for current deployments but a planned feature will extend or formalise it. The full evidence pack mapping each row to specific implementation artefacts is available to procurement under NDA.


Vulnerability disclosure

Security researchers acting in good faith are welcome to report suspected vulnerabilities. Reports may be submitted to security@arsenale.ai or via the machine-readable contact in our security.txt file.

Service levels

Acknowledgement within 5 business days. Initial severity assessment and preliminary remediation plan within 10 business days. Default coordinated disclosure window of 90 days, agreed with the reporter.

Safe harbour

We will not pursue legal action against researchers who make a good-faith effort to avoid privacy violations and service disruption, report promptly, allow reasonable remediation time before public disclosure, and do not exploit a vulnerability beyond what is necessary to demonstrate it.

What to include

A clear description of the issue, reproduction steps, the affected component or URL, an assessment of impact, and your preferred name for any subsequent acknowledgement. Encrypted submission is welcome on request.

Out of scope

Reports based on automated-scanner output without manual verification, social-engineering attempts on staff, physical security of premises, and findings on third-party services we don't operate (Cloudflare, etc.); for those, report to the third party directly.


Subprocessors

Third parties with access to data we hold are listed below. The list is current as of the page's last update; material changes are reflected here within a reasonable period. We deliberately keep this list short.

Subprocessor What we use it for What it can see Jurisdiction
Cloudflare DNS, static page hosting, edge tunnel (managed-tunnel option only), inbound email routing, Turnstile bot challenge Public site requests; if the managed tunnel is selected, request content and dashboard traffic in transit; inbound email destined for arsenale.ai addresses Global edge / UK
Google Workspace Outbound transactional email and operator inbox forwarding Outbound email content and recipient addresses; inbound forwarded mail content Ireland / global
Stripe Payment processing for the optional £1 NDA-access fee (investor-purpose flow only) Cardholder information, transaction metadata for that flow only Ireland / UK

Customer appliance operational data (agent state, conversations, documents, learning) does not pass through any subprocessor. It is held on the customer's appliance only. Subprocessors above touch only the public website, marketing email, and pre-purchase enquiry flows.


Corporate & disclosures

Entity

Arsenale Limited
Registered in England and Wales
Company No. 17126962
71-75 Shelton Street, Covent Garden,
London, WC2H 9JQ

Data protection

UK GDPR / Data Protection Act 2018. Customer operational data remains on the customer's appliance and is not transferred to Arsenale. See the Privacy Policy for the full notice on data we hold for enquiries and reservations, or write to contact@arsenale.ai.

Security disclosure

Researchers reporting suspected vulnerabilities are welcome. Please write to security@arsenale.ai with reproduction steps and your preferred coordinated-disclosure window.

Procurement & due diligence

For institutional procurement queries (information security questionnaires, contractual terms, supplier onboarding documentation), write to contact@arsenale.ai.


Trajectory

The cloud sells AI as a service. We sell it as infrastructure you own outright, and we are closing that stack layer by layer, from the application down to the model itself. That work has now reached the weights: the model on the appliance is ours to shape, not a stock third-party download.

Today

Sovereign AI runtime in production, running a frontier-class model we develop in-house on our own UK hardware, built around how the system is actually used rather than shipped stock. Real-time responses, under £0.01 per decision.

Next

A specialist model of our own, purpose-built for the workloads our customers run. Smaller and faster, so more capability fits on the same box.

Long horizon

A fully sovereign stack, owned outright. The layers your business depends on are yours: not rented, not metered, not deprecable by anyone else.


Accuracy note

This page describes the posture of the production appliance and any item marked SHIPPED. Items marked SHIPPING are imminent and time-bounded; their planned availability is documented to procurement teams under NDA on request. If anything on this page conflicts with how the product actually behaves on the unit you have, the unit's behaviour is authoritative and we want to hear about it.