Introducing Vaultic: Private AI for Regulated Teams

Every data-sensitive team hits the same wall. They want an AI assistant over their own contracts, policies, incident reports, and case files, but the obvious products move that context onto someone else’s servers. For regulated teams, an EU region alone often does not answer the control-plane, audit, and confidentiality questions. So we named the thing we kept rebuilding by hand for those teams: Vaultic, a private AI platform that runs entirely on infrastructure you own.
One caveat before anything else: this is a pilot-stage launch. Vaultic is built and runs end-to-end, and we’re opening a handful of design-partner deployments on real organisations’ own hardware. It is not a finished enterprise SaaS, and there are no paying customers yet. We would rather tell you that than dress the announcement up in metrics we haven’t earned.
What Vaultic Is
Vaultic is a self-hosted AI assistant over your own documents. Point it at a folder, PDF, TXT, MD, CSV, and you get a private chat assistant that answers only from those files and cites every source behind each claim. No quiet call to an API you never authorised. When the answer is not in your corpus, it says so instead of dressing a guess up as a citation.
Installation is one command, and there is no hardware appliance to buy, an omission we made on purpose. The usual on-prem AI pitch is a six-figure GPU box you sign for before a single use case is proven, locking you in on day one. Vaultic is software only:
- Drop it on your own server or VPC.
- Run docker compose up.
- Point it at a folder of documents and start asking questions.
Under the hood, open-weight models run locally through Ollama (Qwen2.5 by default), alongside a local embedding model (nomic-embed-text), a Qdrant vector store, and Postgres. No external API calls; zero data egress out of the box. If you read our case for self-hosted AI versus cloud APIs, Vaultic is what that argument looks like once it’s packaged into one command. The promise in a single line: a private AI assistant over your own documents and systems, running on infrastructure you control; every answer is sourced and logged; secured with the discipline of network-security engineering.
Your Data Never Leaves the Building
“Runs locally” is a claim. Most products that make it can’t prove it, and in the security review, the burden of proof lands on you, not the vendor. Vaultic was built by a network-security engineer, so the network boundary ships as part of the product instead of a reassuring sentence in the deployment guide.
Vaultic reads the endpoints you have actually configured and derives an egress manifest from them: every destination the system could in principle talk to. From that it computes an air-gap verdict, a plain answer to “can anything in here reach the internet?” And it doesn’t stop at reporting. It exports ready-to-apply default-deny-egress firewall rules for iptables, nftables and Windows Firewall. The Windows path drops onto a DOCKER-USER chain that logs and drops outbound traffic, which is exactly where naive Docker-on-Windows setups leak. There is also a one-command check you can run from inside the container to prove nothing escapes.
Egress manifest
Derived from your configured endpoints, not from a hopeful default. It’s the list you hand an auditor who asks “where can this data go?”
Air-gap verdict
A computed yes/no on whether the deployment can reach anything outside your boundary, not a marketing assertion that it can’t.
Exportable firewall rules
Default-deny-egress rules for iptables, nftables and Windows Firewall, plus an in-container check to prove nothing leaves.
This is the discipline we wrote about in securing self-hosted AI infrastructure and the data-control argument from EU data sovereignty for AI, turned into something you can run and verify rather than promise.
Every Answer Is Sourced and Logged
Two things separate a private AI assistant you can defend in an audit from one you can’t: it has to show its work, and it has to keep a record nobody can quietly rewrite after the fact.
Every answer Vaultic gives is grounded in retrieved chunks and carries citations back to the exact source document, which is the baseline for any honest production RAG pipeline. The part most products skip is the record. Every question and every answer is written to an immutable, tamper-evident audit log: a SHA-256 hash-chained record where each entry seals the previous one. Change an earlier entry and the chain breaks, visibly. A live integrity badge verifies the whole chain, so you can see at a glance whether the history has been touched.
This isn’t logging for its own sake. When someone asks “what did the system tell that user in March, and on what basis?”, you have a sourced, sealed answer instead of a guess.
Built Like a Security Engineer Would
Retrieval-augmented generation has two failure modes most teams only discover in production: personal data leaking into places it shouldn’t, and poisoned documents quietly steering the model. Vaultic handles both at ingest, before anything reaches the index.
- PII detection and redaction in and out. Personal data is caught at ingest, before it is indexed, and again on the way out, before it is shown. A name or ID that slips into a document shouldn’t become permanently searchable.
- Injection and RAG-poisoning quarantine. A prompt-injection screen runs at ingest. Documents carrying injected instructions, the “ignore your previous instructions” payloads buried in a PDF, are quarantined and never indexed. It’s the defence we described in securing RAG pipelines against prompt injection, shipped in the box.
A detector is only as good as the cases it is tested against, so Vaultic ships a red-team self-test: 13 adversarial cases fired at the injection and PII detectors. It reports its honest score (around 11 of 13 today) and names the cases it does not yet catch, such as base64-obfuscated injection, instead of claiming a vanity 100%.
Why we ship the 11/13, not a 100%
A security product that claims it catches everything is wrong, and that error surfaces at the worst possible moment. Naming the gaps is the point: you deploy knowing exactly which class of attack still needs a compensating control.
Evidence, Not Certificates
Vaultic can export an evidence pack that maps its controls to the frameworks your auditors actually ask about: ISO 27001, EU AI Act Article 12 (record-keeping and logging), DORA, NIS2, the OWASP LLM Top 10 (LLM01 prompt injection and LLM08), and GDPR.
The wording there matters. This supports your audit file: it gives you a documented, traceable line from a control the system implements to the article it speaks to. It does notcertify compliance. No software does. Anyone selling you a “compliance certificate” out of a Docker container is overstating what software can do. What you get here is the evidence that makes a real audit shorter, which is the honest version of the same value, and the framing we took in EU AI Act compliance for builders.
Who It’s For, and What It Is Not
Vaultic is for European, data-sensitive small and mid-market teams doing regulated work, the band the big sovereign-cloud vendors skip while they chase governments and tier-one banks. If your documents can’t leave your infrastructure and you don’t have a platform team to assemble private RAG from parts, this was built for you.
Equally important is what Vaultic is not:
- Not a hardware box. There’s nothing to buy and rack.
- Not a US-cloud wrapper with an EU sticker on it.
- Not a compliance certificate. It produces evidence, not attestations.
- Not a finished enterprise SaaS. It’s an early, honest v0.
Where It Is Today
Vaultic is an early build. It runs end-to-end on a single workstation GPU. There are no paying customers yet, and we’re not going to manufacture social proof to suggest otherwise. Two things on the near roadmap are honestly not in the v0 build:
- Streaming answers. Today you wait for the full response; token-by-token streaming is on the roadmap.
- A local cross-encoder re-ranker. Retrieval works, but the re-ranking pass that sharpens precision is planned, not shipped.
Regulated sales cycles are long, and we would rather start narrow and real than wide and vague. So we’re opening a small number of pilot / design-partner deployments on real organisations’ own hardware. The deployment story is the same one we documented in Docker AI deployment for production: one compose file, your infrastructure, your rules.
If you run a data-sensitive team that has been told “no” on every cloud AI option, and you would work with an early build to get private RAG that actually stays private, we’d like to hear what you’re trying to do. No price to quote, no form to fill out: a conversation about whether the fit is real.
The Short Version
Vaultic is the private AI assistant we kept rebuilding by hand, now in a single command: open-weight models on your own box, answers that cite their sources, a tamper-evident audit log, PII redaction and injection quarantine at the door, and a network boundary you can actually prove. It’s early, it’s honest about its gaps, and it never lets your data leave the building.
Related reading
Keep going: EU data sovereignty for AI, securing self-hosted AI infrastructure, and securing RAG pipelines against prompt injection.
Quick Reference
What ships in v0, and what is on the roadmap
| Capability | Status |
|---|---|
| Private chat over your documents, every answer cited | In v0 |
| Fully local, Ollama, Qdrant, Postgres, zero egress | In v0 |
| Tamper-evident SHA-256 hash-chained audit log | In v0 |
| PII redaction + prompt-injection quarantine at ingest | In v0 |
| Egress manifest, air-gap verdict, exportable firewall rules | In v0 |
| Evidence pack (ISO 27001, EU AI Act, DORA, NIS2, OWASP, GDPR) | In v0 |
| Token-by-token streaming answers | Roadmap |
| Local cross-encoder re-ranker | Roadmap |
Frequently Asked Questions
What is Vaultic?
Vaultic is a self-hostable private AI assistant over your own documents. You install it on your own server or VPC with one command, point it at a folder, and get a chat assistant that answers only from those documents and cites every source. It runs fully locally with open-weight models, no external API calls, zero data egress by default.
Does my data leave my infrastructure?
No. Vaultic runs open-weight models locally and makes no external API calls by default. It derives an egress manifest from your configured endpoints, computes an air-gap verdict, and can export default-deny-egress firewall rules plus an in-container check so you can prove nothing escapes.
Does Vaultic certify compliance?
No, and no software can. Vaultic exports an evidence pack that maps its controls to ISO 27001, EU AI Act Article 12, DORA, NIS2, the OWASP LLM Top 10, and GDPR. That supports your audit file with a traceable line from control to article, it does not certify compliance.
Is Vaultic available now?
It is an early, pilot-stage build that runs end-to-end, with no paying customers yet. We are opening a small number of pilot and design-partner deployments on real organisations' own hardware. Streaming answers and a local re-ranker are on the roadmap, not in the v0 build.