Skip to main content
rogueai
Home / Blog / Announcement
Announcement

Introducing Vaultic: Private AI for Regulated Teams

RRogue AI··10 min read
A self-hosted AI assistant running inside a sealed server rack with a glowing audit-log chain and a default-deny firewall boundary around it, no data leaving the building

Every data-sensitive team we work with hits the same wall. They want an AI assistant over their own contracts, policies, incident reports and case files, and every credible product on the market wants to ship those documents to someone else’s servers to answer a question. “Don’t worry, it’s the EU region” gets you through procurement and dies in the security review, because an EU region on a US cloud is still a US company’s control plane. So we put a name on the thing we kept rebuilding by hand for those teams: Vaultic, a private AI platform that runs entirely on your own infrastructure.

One thing up front: this is a pilot-stage launch. Vaultic is built, it runs end-to-end, and we’re opening a small number of design-partner deployments on real organisations’ own hardware. It is not a finished enterprise SaaS and we have no paying customers yet. We would rather say that than pad the announcement with metrics we haven’t earned.

What Vaultic Is

Vaultic is a self-hosted AI assistant over your own documents. You point it at a folder (PDF, TXT, MD, CSV) and you get a private chat assistant that answers onlyfrom those documents and cites every source it used. No general-knowledge guessing, no quietly reaching out to an API you didn’t authorise. If the answer isn’t in your corpus, it says so instead of inventing one.

Installation is one command, and there is no hardware appliance to buy. That omission is deliberate. The usual on-prem AI model is a six-figure GPU box you sign for before you have proven a single use case, which locks you in on day one. Vaultic is software only:

  1. Drop it on your own server or VPC.
  2. Run docker compose up.
  3. Point it at a folder of documents and start asking questions.

Under the hood it runs open-weight models locally via Ollama (Qwen2.5 as the default), a local embedding model (nomic-embed-text), a Qdrant vector store, and Postgres. No external API calls, zero data egress by default. If you read our case for self-hosted AI versus cloud APIs, Vaultic is what that argument looks like once it’s packaged. The promise in one line: a complete AI assistant over your own documents and systems, running entirely on your infrastructure; your data never leaves the building; every answer is sourced and logged; secured by a network-security engineer, not bolted on afterwards.

Your Data Never Leaves the Building

“Runs locally” is a claim. Most products that make it can’t prove it, and in the security review the burden of proof falls on you. Vaultic was built by a network-security engineer, so the network boundary is part of the product rather than a line in the deployment guide.

Vaultic reads the endpoints you have actually configured and derives an egress manifest from them: every destination the system could in principle talk to. From that it computes an air-gap verdict, a plain answer to “can anything in here reach the internet?” And it doesn’t stop at reporting. It exports ready-to-apply default-deny-egress firewall rules for iptables, nftables and Windows Firewall. The Windows path drops onto a DOCKER-USER chain that logs and drops outbound traffic, which is exactly where naive Docker-on-Windows setups leak. There is also a one-command check you can run from inside the container to prove nothing escapes.

Egress manifest

Derived from your configured endpoints, not from a hopeful default. It’s the list you hand an auditor who asks “where can this data go?”

Air-gap verdict

A computed yes/no on whether the deployment can reach anything outside your boundary, not a marketing assertion that it can’t.

Exportable firewall rules

Default-deny-egress rules for iptables, nftables and Windows Firewall, plus an in-container check to prove nothing leaves.

This is the discipline we wrote about in securing self-hosted AI infrastructure and the data-control argument from EU data sovereignty for AI, turned into something you can run and verify rather than promise.

Every Answer Is Sourced and Logged

Two things separate a private AI assistant you can defend in an audit from one you can’t: it has to show its work, and it has to keep a record you can’t quietly rewrite.

Every answer Vaultic gives is grounded in retrieved chunks and carries citations back to the exact source document, which is the baseline for any honest production RAG pipeline. The part most products skip is the record. Every question and every answer is written to an immutable, tamper-evident audit log: a SHA-256 hash-chained record where each entry seals the previous one. Change an earlier entry and the chain breaks, visibly. A live integrity badge verifies the whole chain, so you can see at a glance whether the history has been touched.

This isn’t logging for its own sake. When someone asks “what did the system tell that user in March, and on what basis?”, you have a sourced, sealed answer instead of a guess.

Built Like a Security Engineer Would

Retrieval-augmented generation has two failure modes most teams discover in production: personal data leaking into places it shouldn’t, and poisoned documents steering the model. Vaultic addresses both at ingest, before anything reaches the index.

  • PII detection and redaction in and out. Personal data is caught at ingest, before it is indexed, and again on the way out, before it is shown. A name or ID that slips into a document shouldn’t become permanently searchable.
  • Injection and RAG-poisoning quarantine. A prompt-injection screen runs at ingest. Documents carrying injected instructions, the “ignore your previous instructions” payloads buried in a PDF, are quarantined and never indexed. It’s the defence we described in securing RAG pipelines against prompt injection, shipped in the box.

A detector is only as good as the cases it is tested against, so Vaultic ships a red-team self-test: 13 adversarial cases fired at the injection and PII detectors. It reports its honest score (around 11 of 13 today) and names the cases it does not yet catch, such as base64-obfuscated injection, instead of claiming a vanity 100%.

Why we ship the 11/13, not a 100%

A security product that claims it catches everything is wrong, and that error surfaces at the worst possible moment. Naming the gaps is the point: you deploy knowing exactly which class of attack still needs a compensating control.

Evidence, Not Certificates

Vaultic can export an evidence pack that maps its controls to the frameworks your auditors actually ask about: ISO 27001, EU AI Act Article 12 (record-keeping and logging), DORA, NIS2, the OWASP LLM Top 10 (LLM01 prompt injection and LLM08), and GDPR.

The wording there matters. This supports your audit file: it gives you a documented, traceable line from a control the system implements to the article it speaks to. It does notcertify compliance. No software does. Anyone selling you a “compliance certificate” out of a Docker container is overstating what software can do. What you get here is the evidence that makes a real audit shorter, which is the honest version of the same value, and the framing we took in EU AI Act compliance for builders.

Who It’s For, and What It Is Not

Vaultic is for European, data-sensitive small and mid-market teams in regulated work, the band the big sovereign-cloud vendors ignore while they chase governments and tier-one banks. If your documents can’t leave your infrastructure and you don’t have a platform team to build private RAG from parts, you’re who we built this for.

Equally important is what Vaultic is not:

  • Not a hardware box. There’s nothing to buy and rack.
  • Not a US-cloud wrapper with an EU sticker on it.
  • Not a compliance certificate. It produces evidence, not attestations.
  • Not a finished enterprise SaaS. It’s an early, honest v0.

Where It Is Today

Vaultic is an early build. It runs end-to-end on a single workstation GPU. There are no paying customers yet, and we’re not going to manufacture social proof to suggest otherwise. Two things on the near roadmap are honestly not in the v0 build:

  • Streaming answers. Today you wait for the full response; token-by-token streaming is on the roadmap.
  • A local cross-encoder re-ranker. Retrieval works, but the re-ranking pass that sharpens precision is planned, not shipped.

Regulated sales cycles are long, and we would rather start narrow and real than wide and vague. So we’re opening a small number of pilot / design-partner deployments on real organisations’ own hardware. The deployment story is the same one we documented in Docker AI deployment for production: one compose file, your infrastructure, your rules.

If you run a data-sensitive team that has been told “no” on every cloud AI option, and you would work with an early build to get private RAG that actually stays private, we’d like to hear what you’re trying to do. No price to quote, no form to fill out: a conversation about whether the fit is real.

The Short Version

Vaultic is the private AI assistant we kept building by hand, now in one command: open-weight models on your own box, answers that cite their sources, a tamper-evident audit log, PII redaction and injection quarantine at the door, and a network boundary you can actually prove. It’s early, it’s honest about its gaps, and it never lets your data leave the building.

Related reading

Keep going: EU data sovereignty for AI, securing self-hosted AI infrastructure, and securing RAG pipelines against prompt injection.

Quick Reference

What ships in v0, and what is on the roadmap

CapabilityStatus
Private chat over your documents, every answer citedIn v0
Fully local — Ollama, Qdrant, Postgres, zero egressIn v0
Tamper-evident SHA-256 hash-chained audit logIn v0
PII redaction + prompt-injection quarantine at ingestIn v0
Egress manifest, air-gap verdict, exportable firewall rulesIn v0
Evidence pack (ISO 27001, EU AI Act, DORA, NIS2, OWASP, GDPR)In v0
Token-by-token streaming answersRoadmap
Local cross-encoder re-rankerRoadmap

Frequently Asked Questions

What is Vaultic?

Vaultic is a self-hostable private AI assistant over your own documents. You install it on your own server or VPC with one command, point it at a folder, and get a chat assistant that answers only from those documents and cites every source. It runs fully locally with open-weight models — no external API calls, zero data egress by default.

Does my data leave my infrastructure?

No. Vaultic runs open-weight models locally and makes no external API calls by default. It derives an egress manifest from your configured endpoints, computes an air-gap verdict, and can export default-deny-egress firewall rules plus an in-container check so you can prove nothing escapes.

Does Vaultic certify compliance?

No, and no software can. Vaultic exports an evidence pack that maps its controls to ISO 27001, EU AI Act Article 12, DORA, NIS2, the OWASP LLM Top 10, and GDPR. That supports your audit file with a traceable line from control to article — it does not certify compliance.

Is Vaultic available now?

It is an early, pilot-stage build that runs end-to-end, with no paying customers yet. We are opening a small number of pilot and design-partner deployments on real organisations' own hardware. Streaming answers and a local re-ranker are on the roadmap, not in the v0 build.

Related Articles

Technical Guide

Self-Hosted AI vs Cloud APIs: Cost, Privacy, Control

10 min read

Technical Guide

Building LLM Features That Survive Production

11 min read

← All articles