Enterprise Data Governance
Control plane / data plane architecture. Your data stays in your environment by default. Cloud model API calls are made only when you configure external providers. Zero-trust networking (mTLS with per-tenant certificates), 4-level classification, and controls designed to support compliance with HIPAA, GDPR, ISO 27001, and EU AI Act frameworks.
Architecture Overview
Diagram layers: Interactive Authoring Layer, Policy & Orchestration, Processing & Storage.
Key Capabilities
Control Plane / Data Plane Split
Central hub manages configuration, licensing, and observability. Customer data plane executes all workflows locally - LLM calls, tool execution, and data processing stay within your VPC by design.
4-Level Data Classification
Public, Internal, Confidential, Restricted. Classification enforced at the platform level through structural safeguards. LLM access gated by classification level.
Encryption at Rest & In Transit
Strong encryption for data at rest. TLS for all data in transit. Key rotation with configurable retention policies. Customer-managed keys (BYOK) with AWS KMS, GCP, Azure, and HashiCorp Vault.
PII Scrubbing Gateway
All data crossing from data plane to control plane passes through PII detection. Sensitive data is automatically masked - only redacted metrics cross the boundary.
Zero-Trust Networking
mTLS with per-tenant client certificates. Outbound-only connectivity - zero inbound firewall rules needed. Service identity verification with short-lived credentials.
Compliance by Architecture
Cryptographically chained audit logs, encryption at rest and in transit, data residency policy configuration, controls aligned with ISO 27001, and EU AI Act SBOM and risk classification. Compliance support is structural, not bolted on.
Deployment Flexibility
From managed cloud to air-gapped - your architecture, your rules.
Both planes hosted by PrivateFlow. Zero infrastructure to manage.
- Vendor-managed
- Auto-scaling
- 99.9% target uptime SLA
- Compliance-support architecture
Control plane in PrivateFlow Cloud. Data plane in your VPC. Data stays in your environment by default.
- Customer VPC execution
- Outbound-only connection
- Encryption at rest
- Data residency
Both planes in your infrastructure. You own everything. PrivateFlow provides support and updates.
- Complete isolation
- Custom networking
- Own backup strategy
- Air-gap capable
Zero network connectivity. Shipped as container images. Updates via secure transfer.
- Zero network calls
- Container image delivery
- Offline license validation
- USB-safe updates
Framework Alignment
Architecture designed to support the frameworks that matter.
- Encryption at rest & in transit
- PII scrubbing before LLM calls
- BAA-compatible providers
- End-to-end audit trails
- Data residency configuration
- Right to erasure
- Consent tracking
- Cross-border transfer controls
- AI SBOM generation
- Risk classification
- Human oversight
- Transparency documentation
PrivateFlow provides controls designed to support compliance with these frameworks. PrivateFlow itself is not yet certified under these standards.
How It Works
Deploy Data Plane
Install via Helm chart or Docker Compose into your VPC. Single command. Outbound-only connection to control plane.
Configure Policies
Set classification levels, residency rules, encryption preferences, and LLM access gates through the visual policy editor.
Sync & Execute
Control plane pushes flow templates, guardrails, and model routing. Data plane executes locally with full offline capability.
Monitor & Audit
Redacted metrics flow to the central dashboard. Detailed audit records stay local. Export to your SIEM - S3, Syslog, or HTTP.