Classified and sensitive data never leaves the boundary. The whole stack runs inside it — air-gapped, and able to maintain itself there.
For government and defense workloads, the data — classified material, citizen records, mission information — cannot leave the boundary under any circumstance, which rules out every hosted AI vendor before the conversation starts. Sovereignty is the precondition, not a feature. But self-hosting inside an air gap has always been the hardest ops problem there is: no vendor reach-in, no phone-home updates, every patch a ceremony performed by cleared staff. Visca is the whole stack — identity, credentials, runtime, and audit — running inside the boundary, up to and including fully air-gapped, with its own operators maintaining it where no vendor can reach. Updates arrive as signed offline packages; the operators apply them, in-perimeter, with every action attributable and recorded.
Why the data can't leave
For classified and sensitive workloads, the runtime cannot phone home. Updates must arrive as offline packages; nothing leaves the boundary.
Every action by every automated actor must be attributable to an authorizing principal, with a chain back to a human — non-negotiable for accountability in government.
Inside an air gap, the vendor's ops team doesn't exist. The burden lands on cleared staff, and every hand-run fix — an SSH session, a console change — is unrecorded risk in the most record-sensitive environment there is.
One stack, not a stitched one
Every actor's identity chains its lineage back to the principal that authorized it. Accountability is structural, not a logging convention.
Every access is scoped and time-bound, with human sign-off required for consequential actions — audited on both sides of the approval.
The runtime has no outbound dependency. Models run inside the boundary; updates arrive as signed offline packages. Same stack, isolated facility.
Every operation — maintenance included — lands on one tamper-evident, chained record that an investigator can trust and an authorizing official can sign against.
The stack's own operators deploy, upgrade, patch, rotate credentials, and answer incidents inside the boundary. Humans declare intent, sign approvals, and hold the kill-switch — all three recorded.
What you get
Relevant frameworks
Visca Cloud has not yet completed formal certification against these frameworks; the stack is architected to meet them and audits are in progress. See the compliance roadmap.
In practice
Inside an isolated facility, analysts run autonomous workflows over sensitive data. The runtime never reaches the internet; updates arrive on signed offline media and are applied by the resident operators under scoped credentials. Every action chains to an authorizing officer, and the record — workloads and maintenance alike — is the authoritative, tamper-evident ledger the authorizing official signs against.
Account data, balances, and PII can't leave the bank. The stack that handles them runs inside it — and answers the examiner.
PHI can't be shipped to a model API. The scribe, the model, and the record all run in your tenancy — on a stack that maintains itself.
Telemetry, layouts, and shipment data stay on-site. Software agents and robots run on one in-perimeter stack, under one record.
Pricing, sourcing, and customer data stay inside each company's walls — while their agents still work across the boundary.
Process recipes and plant telemetry stay on the floor — on one in-perimeter stack, not a console per vendor.
The Autonomy Stack for regulated industries
Identity, credentials, runtime, and audit — shipped as part of your product, run inside your customer's walls, operated by agents under the same ledger as everything else. Nothing leaves the perimeter. Nothing is off the record.