Training is ephemeral and cloud-bound. Production is steady-state and on-prem. The two never touch.
Panel A · Training phase EPHEMERAL · CLOUD
Your storage → TLS 1.3 upload → Reyatech-managed cloud GPU (encrypted volume) → fine-tuning → adapter export → TLS 1.3 download → your storage. Cloud volume destroyed within 7 days of adapter delivery. Certificate of destruction signed and emailed.
cert-of-destruction.pdfsigned within 7 days
Panel B · Production phase STEADY-STATE · ON-PREM
Customer end-user → Customer LAN → Caddy (TLS) → LiteLLM → Ollama/vLLM (local model + adapter) → Langfuse (local audit) → response back to user. No outbound calls. Air-gap supported.
100% on-premair-gap supported
In production, ZERO data leaves your building.
§3 · Compliance matrix
The load-bearing table.
Every claim maps to a regulation, a control, and an evidence artefact your auditor can request. Rows on amber are roadmap items; rows on white are currently aligned.
Patching cadence by severity, scanning on every release.
Dependency scanningevery release
CVE checks across all open-source components in the stack — Ollama, vLLM, LiteLLM, Qdrant, Langfuse, Keycloak, Caddy, Prometheus, Grafana, Restic.
Per release
Penetration testingannual + per major release
Annual third-party pen-test. Additional test after every major release change. Summary report shareable under NDA.
Annual + Δ
Responsible disclosureRFC 9116
PGP key published at /.well-known/security.txt. Disclosure inbox privacy@reyatech.com. SLA: acknowledgement within 24h.
/security.txt
Patching cadence
Normal severity
Monthly
Routine patches batched into the monthly cycle. Customer notified ahead of any production-impacting change.
High · CVSS ≥ 7.0
≤ 7 days
Out-of-band patch with change-control record. Customer notified before deploy.
CISA KEV · actively exploited
≤ 24 hours
Emergency patch with post-incident review. Notification to customer within the same window as the deploy.
§6 · Incident response
Detection on your hardware. Clock starts when your SIEM sees the event.
Detectionon-prem
Prometheus alerts on latency, error rate, resource anomalies. Langfuse anomalies — e.g. PII regex hits, unauthorised role access, prompt-rate spikes.
On your SIEM
Response SLAper AMC tier
Sev-1 / Sev-2 / Sev-3 thresholds defined per AMC tier; named on-call engineer during business hours.
AMC-defined
Customer notificationregulatory clocks
Inside the RBI §17(8) 6-hour window and the DPDPA 72-hour Significant Personal Data breach window. Both clocks start when your SIEM raises the alert.
6h / 72h
Vendor-out-of-loopby construction
Because the system runs on your infrastructure, your SIEM sees events first. The 6-hour clock is yours to manage — no offshore queue between event and reporting.
Your clock
§7 · BCP & DR
Recovery targets, defaults, and what's configurable.
RPOrecovery point objective
Default 24 hours. Configurable down to 1 hour with continuous-backup mode.
24h → 1h
RTOrecovery time objective
Default 4 hours. Configurable down to 1 hour with HA hardware (spare GPU node hot-standby).
4h → 1h
Off-site backupcustomer-designated target
Restic to customer-designated target — S3-compatible object store, NFS, or removable media. Encrypted at source; key escrow at customer.
Restic
Adapter portabilityno vendor lock-in
Adapter file is portable. A replacement box brings production back once hardware is available — base model + adapter + Qdrant snapshot = full restore.
Portable
Annual DR drillscope included
Drill scope and report included in AMC Enterprise tier. Documented walkthrough with failover, restore, and integrity-check artefacts.
AMC Enterprise
§8 · Licensing transparency
Apache 2.0 and MIT base models only.
No Llama licence flow-down. No Mistral MRL paid-redistribution ban. No Gemma flow-down or unilateral remote-restriction clause. Selection is deliberate.
In scope · approved
Used in production
Qwen 3 32BApache 2.0No restrictions on commercial use. Default base model.
Gemma 3Gemma Use Lic.Flow-down clause plus unilateral remote-restriction clause — incompatible with on-prem customer ownership.
§9 · Audit readiness
Auditors walk in. We meet them there.
RBI auditors, WHO / FDA / CDSCO inspectors can walk into your server room and inspect the system directly. The artefact list below is available pre-audit on 24-hour notice.
System validation dossierIQ / OQ / PQ · per release
Architecture diagramstraining + production phases
Data flow mapsper integration boundary
Access control reportsKeycloak export · role · last access
This document describes the security and compliance posture of OwnAI, a product of Reyatech Systems Private Limited (CIN: U62013KA2025PTC212560). It is generated from the same source-of-truth as the public web page at /compliance and regenerated quarterly.
For the most current version, including evidence artefacts referenced in §3 and §9, contact the document owner at rishi@reyatech.com.
Document version v2026.05 ·
Last reviewed 2026-Q2 ·
Next review 2026-Q3 ·
Owner Rishi Tode, Founder & CEO ·
Disclosure inbox privacy@reyatech.com