It never leaves your house.
Dimbo is sovereign by construction. The whole system runs where you control it — a benchmarked local model, local vision, local transcription — so air-gapped is the default, not a premium tier. When an external model is ever used, PII is anonymized first. Your raw data stays in your database, every edge carries its provenance, and no agent acts until a person says so.
Same platform, same intelligence — you choose where the model runs.
On-prem appliance, EU-hosted, or PII-gated cloud. The only thing that changes is the perimeter. Every tier gets the full pipeline, the full graph, the full Action Center — sovereignty is a deployment choice, never a feature you buy back.
Air-gapped by default
The whole system runs inside your walls on a local GPU — a benchmarked local LLM, local vision, and local Whisper transcription. Nothing crosses the perimeter, ever. The default demo appliance runs a local model measured at reference-parity on the real agent task set.
Inside the Union, no CLOUD Act
An EU-hosted, OpenAI-compatible model for firms that want managed infrastructure without leaving European jurisdiction — data-residency in the EU, no US CLOUD Act exposure. The key lives encrypted in your platform secrets, never in code.
Frontier model, masked first
Want the strongest frontier model? Every payload passes the Presidio gateway first — IBANs, cards, phone numbers, credentials and more are anonymized before a single token leaves. The external model never sees a raw identifier.
One gate stands between your data and any external model.
Every signal takes the same path. The masking gate is a hard wall in the pipeline — not a setting someone can forget. Local deployments never reach it; when a payload does, it is anonymized before it crosses.
Signal arrives
Email, document, ERP record, voice note, machine reading — read-only, into the pipeline.
Raw stays home
The un-anonymized original is written to your PostgreSQL and never leaves it. Only a masked copy travels.
Presidio gateway
The hard wall. PII is anonymized on the copy bound for any external model — configured entirely from one file, no code changes.
On-prem / EU
On-prem and EU-hosted tiers keep everything inside the perimeter — nothing is exposed at all.
Masked only
The frontier model receives the anonymized payload and returns its reasoning. It never sees a raw identifier.
Your data is already leaking — into consumer AI.
Prohibition doesn't work; people paste contracts, customer records and source code into public models to get their jobs done. The remedy is substitution — a governed, sovereign assistant that answers from live company knowledge inside your perimeter, with PII gating and a full audit trail.
Microsoft/LinkedIn · Work Trend Index 2024
IBM · Cost of a Data Breach 2024
At “Adriatica Pharma Services,” a CDMO, a chemist needs a draft from a proprietary batch record.
Pasted into a public chatbot, that batch record is a GMP and GDPR event nobody logs. With Dimbo's sovereign, role-scoped assistant, the same draft is produced inside the perimeter — the query and the evidence land in the audit trail, and the record never leaves the building. Substitution, not a policy poster. Representative scenario.
Not a compliance checkbox — a property of how the system is built.
Anonymization isn't a toggle bolted on at the edge; it's a wall in the pipeline. What gets masked is controlled from one config file — IBANs, cards and credentials are always masked, names and dates stay visible for the matching that makes the graph work. Change what's masked without touching a line of code.
Your raw text is stored un-anonymized in your own database and stays there. Only the copy bound for an external model is masked. Every entity, every link, every agent decision carries its provenance — where it came from and how sure Dimbo is — so the audit trail is a query, not an archaeology project.
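A sketch of the policy-driven gate described above, added here as an illustration and not Dimbo's or Presidio's code. It uses standard-library regexes with checksum validation as a stand-in for Presidio recognizers; the `POLICY` dict, the `<IBAN>`/`<CARD>` placeholders and the function names are assumptions.

```python
import re

# Constructed stand-in for the single policy file: True = mask, False = keep visible.
# PERSON and DATE have no recognizer below, so names and dates pass through.
POLICY = {"IBAN": True, "CARD": True, "PERSON": False, "DATE": False}

IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13 to 19 digits, optional separators


def iban_ok(candidate):
    """ISO 13616 mod-97 check: move the first four chars to the end, A=10..Z=35."""
    s = candidate.replace(" ", "")
    digits = "".join(str(int(c, 36)) for c in s[4:] + s[:4])
    return int(digits) % 97 == 1


def luhn_ok(candidate):
    """Luhn checksum over the digits, doubling every second digit from the right."""
    total = 0
    digits = [int(c) for c in candidate if c.isdigit()]
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


RECOGNIZERS = [("IBAN", IBAN_RE, iban_ok), ("CARD", CARD_RE, luhn_ok)]


def mask_for_external(raw, policy=POLICY):
    """Return the masked copy; the caller keeps storing `raw` unchanged."""
    masked = raw
    for entity, pattern, valid in RECOGNIZERS:
        if not policy.get(entity, True):   # type missing from policy: mask anyway
            continue
        masked = pattern.sub(
            lambda m: f"<{entity}>" if valid(m.group()) else m.group(), masked)
    return masked
```

Checksum validation keeps order numbers and similar digit runs readable, at the cost of letting a mistyped IBAN or card number through unmasked.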
Masked before it leaves
PII anonymized before any external model sees a token — configured from one file, reloadable at runtime.
Un-anonymized in your DB
The original is written to your PostgreSQL and never travels. Only a masked copy does.
On every edge
Every connection is traceable to its source, stamped internal-operations vs external-world-knowledge.
Every decision, logged
Explicit agent actions land in an append-only log — what was proposed, by whom, on what evidence.
Human oversight is the mechanism — not a bolt-on.
The EU AI Act asks for meaningful human oversight of AI systems. Dimbo meets it with the autonomy ladder — the same mechanism that runs the product. Every capability starts passive: it proposes, a person approves, edits or rejects. Nothing acts on its own until a process has earned it, and promotion is always the customer's decision.
Oversight is per-process and revocable. A single master kill-switch holds auto-execution off until you turn it on. At the top of the ladder actions carry an undo window — and any human disagreement demotes that process one rung, downward-only, automatically. Every level change is audited and emitted as an event.
- Per-process levels 0→4 — oversight scoped to each action type, not a blanket setting
- Promotion is user-only — the vendor never elevates a process on your behalf
- Downward auto-demotion on any human reject or edit — trust contracts instantly
- Master kill-switch — auto-execution ships off; you decide when it arms
- Every level change audited & emitted as an event — oversight you can prove
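The ladder rules listed above, modelled as a small state machine. This is an added sketch, not Dimbo's code: the class, the `user:` actor prefix, the process names in any usage, the starting rung of 1 and the rule that only the top rung may auto-execute are assumptions.

```python
from dataclasses import dataclass, field

MIN_LEVEL, MAX_LEVEL = 0, 4   # page: per-process levels 0 -> 4
START_LEVEL = 1               # assumption: new processes start at "Level 1 · Propose"
AUTO_LEVEL = MAX_LEVEL        # assumption: only the top rung may auto-execute


@dataclass
class AutonomyLadder:
    armed: bool = False                          # master kill-switch ships off
    levels: dict = field(default_factory=dict)   # process name -> current level
    audit: list = field(default_factory=list)    # append-only record of level changes

    def level(self, process):
        return self.levels.get(process, START_LEVEL)

    def _set(self, process, new, actor, reason):
        old = self.level(process)
        new = max(MIN_LEVEL, min(MAX_LEVEL, new))
        if new != old:
            self.levels[process] = new
            # every level change is recorded; a real system would also emit an event
            self.audit.append({"process": process, "from": old, "to": new,
                               "actor": actor, "reason": reason})
        return new

    def promote(self, process, actor):
        # promotion is user-only: vendor or agent callers are refused
        if not actor.startswith("user:"):
            raise PermissionError("only a customer user may promote a process")
        return self._set(process, self.level(process) + 1, actor, "promotion")

    def review(self, process, actor, verdict):
        # any human reject or edit demotes that process exactly one rung
        if verdict in ("reject", "edit"):
            return self._set(process, self.level(process) - 1, actor, verdict)
        if verdict != "approve":
            raise ValueError(f"unknown verdict: {verdict}")
        return self.level(process)   # approval alone never promotes

    def may_auto_execute(self, process):
        # both gates must hold: switch armed AND this process at the top rung
        return self.armed and self.level(process) >= AUTO_LEVEL
```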
Level 1 · Propose
Real properties, honest status.
We state what the system actually does — and we don't claim certifications we don't hold. GDPR-by-design is a property of the architecture, not a badge on a wall. Here's the honest register.
Properties we hold · things we don't claim
We do not assert SOC 2, ISO 27001 or any certification we haven't earned — and we won't dress a property up as a badge. What we sell is what the architecture actually gives you: sovereignty, on-prem, PII anonymization, provenance, audit trail, and human oversight built into the core. GDPR-by-design, not a compliance checkbox.
See it run on your infrastructure.
The free Deadline Audit runs on your data, on your infrastructure — the surest way to see the sovereignty story is to watch it never leave the building.