SECURITY & SOVEREIGNTY

It never leaves your house.

Dimbo is sovereign by construction. The whole system runs where you control it — a benchmarked local model, local vision, local transcription — so air-gapped is the default, not a premium tier. When an external model is ever used, PII is anonymized first. Your raw data stays in your database, every edge carries its provenance, and no agent acts until a person says so.

Deployment

Same platform, same intelligence — you choose where the model runs.

On-prem appliance, EU-hosted, or PII-gated cloud. The only thing that changes is the perimeter. Every tier gets the full pipeline, the full graph, the full Action Center — sovereignty is a deployment choice, never a feature you buy back.

Tier 3 · On-prem appliance

Air-gapped by default

The whole system runs inside your walls on a local GPU — a benchmarked local LLM, local vision, and local Whisper transcription. Nothing crosses the perimeter, ever. The default demo appliance runs a local model measured at reference-parity on the real agent task set.

Tier 1–2 · EU-hosted

Inside the Union, no CLOUD Act

An EU-hosted, OpenAI-compatible model for firms that want managed infrastructure without leaving European jurisdiction — data-residency in the EU, no US CLOUD Act exposure. The key lives encrypted in your platform secrets, never in code.

Cloud · PII-gated

Frontier model, masked first

Want the strongest frontier model? Every payload passes the Presidio gateway first — IBANs, cards, phone numbers, credentials and more are anonymized before a single token leaves. The external model never sees a raw identifier.

The privacy gateway

One gate stands between your data and any external model.

Every signal takes the same path. The masking gate is a hard wall in the pipeline — not a setting someone can forget. Local deployments never reach it; when a payload does, it is anonymized before it crosses.

01 · Ingest

Signal arrives

Email, document, ERP record, voice note, machine reading — read-only, into the pipeline.

02 · Store

Raw stays home

The un-anonymized original is written to your PostgreSQL and never leaves it. Only a masked copy travels.

03 · Mask

Presidio gateway

The hard wall. PII is anonymized on the copy bound for any external model — configured entirely from one file, no code changes.

04 · Reason — local

On-prem / EU

On-prem and EU-hosted tiers keep everything inside the perimeter — nothing is exposed at all.

04 · Reason — cloud

Masked only

The frontier model receives the anonymized payload and returns its reasoning. It never sees a raw identifier.
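
The four-step path above, together with the one-file masking config described under Privacy & GDPR by design, as an added example that is not Dimbo's own code: a small Python gateway that writes the raw signal to a local store, sends on-prem and EU-hosted tiers straight to local reasoning, and masks only the copy bound for an external model. Presidio is the gateway named on the page; here hypothetical regex detectors (with a Luhn check so the card detector does not mask arbitrary 16-digit runs) stand in for Presidio's recognizers so the block runs offline, the MASK_CONFIG dict stands in for the config file, and the PrivacyGateway class, entity names and sample signal are all constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the one masking config file the page describes.
# Entities under "always" are masked on every external-bound copy; entities
# under "visible" are deliberately left in place so graph matching keeps working.
MASK_CONFIG = {
    "always": ["IBAN", "CARD", "PHONE", "CREDENTIAL"],
    "visible": ["PERSON", "DATE"],
}

# Hypothetical regex detectors standing in for Presidio recognizers so the
# example runs offline; a real gateway would call presidio_analyzer instead.
# Order matters: IBAN runs before CARD so an IBAN's digit groups are not
# mistaken for a card number.
DETECTORS = {
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}(?: ?[A-Z0-9]{1,4})?\b"),
    "CARD": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "PHONE": re.compile(r"\+\d{1,3}[ .-]?\d{2,4}(?:[ .-]?\d{2,4}){2,3}"),
    "CREDENTIAL": re.compile(r"(?i)\b(?:password|api[_ -]?key|token)\s*[:=]\s*\S+"),
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum; keeps the CARD detector from masking random 16-digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Signal:
    source: str   # email, document, ERP record, voice note, machine reading
    text: str


@dataclass
class PrivacyGateway:
    tier: str                                       # "on-prem", "eu-hosted" or "cloud"
    config: dict = field(default_factory=lambda: dict(MASK_CONFIG))
    raw_store: list = field(default_factory=list)   # stands in for the customer's PostgreSQL
    audit: list = field(default_factory=list)       # append-only log of what was masked

    def reload_config(self, new_config: dict) -> None:
        """Change what is masked at runtime, without touching gateway code."""
        self.config = dict(new_config)

    def anonymize(self, text: str) -> tuple[str, list[str]]:
        """Return a masked copy plus the entity types that were found."""
        found: list[str] = []
        for entity in self.config["always"]:
            pattern = DETECTORS[entity]

            def replace(m, entity=entity):
                if entity == "CARD" and not luhn_ok(m.group()):
                    return m.group()        # fails Luhn: not a card number, leave visible
                found.append(entity)
                return f"<{entity}>"

            text = pattern.sub(replace, text)
        return text, found

    def process(self, signal: Signal) -> dict:
        # 01 Ingest + 02 Store: the un-anonymized original is written locally and stays there.
        self.raw_store.append(signal)
        # 04 Reason (local): on-prem and EU-hosted tiers never reach the masking gate.
        if self.tier in ("on-prem", "eu-hosted"):
            return {"model": "local", "payload": signal.text, "masked": []}
        # 03 Mask: the hard wall for any copy bound for an external model.
        masked_text, found = self.anonymize(signal.text)
        masked = sorted(set(found))
        self.audit.append({"source": signal.source, "masked": masked})
        # 04 Reason (cloud): only the masked copy travels.
        return {"model": "external", "payload": masked_text, "masked": masked}


# Constructed sample signal: the name and date stay visible, the identifiers do not.
SAMPLE = Signal(
    "email",
    "Maria Rossi (2024-05-03): pay to IBAN DE89 3704 0044 0532 0130 00, "
    "card 4111 1111 1111 1111, call +39 02 1234 5678, password: hunter2",
)

if __name__ == "__main__":
    print(PrivacyGateway(tier="cloud").process(SAMPLE)["payload"])
```

Run as a script it prints the masked copy for the cloud tier; the same signal through an on-prem gateway comes back untouched, and in both cases the raw text sits only in raw_store. Dropping PHONE from the "always" list via reload_config is the runtime config change the page describes: the next payload leaves the phone number visible without any code edit.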

Why sovereignty, and why now

Your data is already leaking — into consumer AI.

Prohibition doesn't work; people paste contracts, customer records and source code into public models to get their jobs done. The remedy is substitution — a governed, sovereign assistant that answers from live company knowledge inside your perimeter, with PII gating and a full audit trail.

  • 75% of knowledge workers already use generative AI at work — most of it outside any governance. (Microsoft/LinkedIn · Work Trend Index 2024)
  • 78% bring their own AI (“BYOAI”) — pasting company data into tools IT never approved. (Microsoft/LinkedIn · Work Trend Index 2024)
  • $4.88M average cost of a data breach in 2024 — the collision point with GDPR, the EU AI Act, NIS2 and Schrems II. (IBM · Cost of a Data Breach 2024)

The governed alternative — a representative case

At “Adriatica Pharma Services,” a CDMO, a chemist needs a draft from a proprietary batch record.

Pasted into a public chatbot, that batch record is a GMP and GDPR event nobody logs. With Dimbo's sovereign, role-scoped assistant, the same draft is produced inside the perimeter — the query and the evidence land in the audit trail, and the record never leaves the building. Substitution, not a policy poster. Representative scenario.

Privacy & GDPR by design

Not a compliance checkbox — a property of how the system is built.

Anonymization isn't a toggle bolted on at the edge; it's a wall in the pipeline. What gets masked is controlled from one config file — IBANs, cards and credentials are always masked, names and dates stay visible for the matching that makes the graph work. Change what's masked without touching a line of code.

Your raw text is stored un-anonymized in your own database and stays there. Only the copy bound for an external model is masked. Every entity, every link, every agent decision carries its provenance — where it came from and how sure Dimbo is — so the audit trail is a query, not an archaeology project.

Presidio gateway

Masked before it leaves

PII anonymized before any external model sees a token — configured from one file, reloadable at runtime.

Raw stays home

Un-anonymized in your DB

The original is written to your PostgreSQL and never travels. Only a masked copy does.

Provenance

On every edge

Every connection is traceable to its source, stamped internal-operations vs external-world-knowledge.

Audit trail

Every decision, logged

Explicit agent actions land in an append-only log — what was proposed, by whom, on what evidence.

Governance & the EU AI Act

Human oversight is the mechanism — not a bolt-on.

The EU AI Act asks for meaningful human oversight of AI systems. Dimbo meets it with the autonomy ladder — the same mechanism that runs the product. Every capability starts passive: it proposes, a person approves, edits or rejects. Nothing acts on its own until a process has earned it, and promotion is always the customer's decision.

Oversight is per-process and revocable. A single master kill-switch holds auto-execution off until you turn it on. At the top of the ladder actions carry an undo window — and any human disagreement demotes that process one rung, downward-only, automatically. Every level change is audited and emitted as an event.

  • Per-process levels 0→4 — oversight scoped to each action type, not a blanket setting
  • Promotion is user-only — the vendor never elevates a process on your behalf
  • Downward auto-demotion on any human reject or edit — trust contracts instantly
  • Master kill-switch — auto-execution ships off; you decide when it arms
  • Every level change audited & emitted as an event — oversight you can prove
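
The ladder rules listed above, as an added example that is not Dimbo's own code: a Python state machine with per-process levels 0 to 4, customer-only promotion, one-rung downward demotion on any edit or reject, a master kill-switch that ships off, and an append-only event log that records every level change. The AutonomyLadder class, the event shape, the level at which auto-execution becomes possible (3), and the reset of the clean-approval streak on promotion are assumptions; the page gives the level range, the demotion rule, the kill-switch and the audit requirement but not those details.

```python
from dataclasses import dataclass, field

MIN_LEVEL, MAX_LEVEL = 0, 4     # per-process levels 0→4, as on the page
AUTO_EXEC_FROM = 3              # assumption: at or above this level an action may run without a click
UNDO_WINDOW_LEVEL = MAX_LEVEL   # top of the ladder carries an undo window


@dataclass
class AutonomyLadder:
    kill_switch_armed: bool = False              # ships off: no auto-execution until the customer arms it
    levels: dict = field(default_factory=dict)   # process -> current level; unknown processes start at 0
    clean_approvals: dict = field(default_factory=dict)  # consecutive approvals without an edit or reject
    events: list = field(default_factory=list)   # append-only audit log

    def level(self, process: str) -> int:
        return self.levels.get(process, MIN_LEVEL)

    def _change(self, process: str, new: int, actor: str, reason: str) -> int:
        """Clamp to the ladder, apply, and emit an event for every real level change."""
        old = self.level(process)
        new = max(MIN_LEVEL, min(MAX_LEVEL, new))
        if new != old:
            self.levels[process] = new
            self.events.append({"kind": "level_change", "process": process,
                                "from": old, "to": new, "actor": actor, "reason": reason})
        return new

    def promote(self, process: str, actor: str) -> int:
        """Only the customer may move a process up, one rung at a time; the vendor is refused and logged."""
        if actor != "customer":
            self.events.append({"kind": "promotion_denied", "process": process, "actor": actor})
            return self.level(process)
        self.clean_approvals[process] = 0   # assumption: the streak restarts on the new rung
        return self._change(process, self.level(process) + 1, actor, "promote")

    def review(self, process: str, verdict: str) -> int:
        """A human approve, edit or reject. Edit and reject demote one rung, automatically, downward only."""
        if verdict == "approve":
            self.clean_approvals[process] = self.clean_approvals.get(process, 0) + 1
            return self.level(process)
        if verdict in ("edit", "reject"):
            self.clean_approvals[process] = 0
            return self._change(process, self.level(process) - 1, "system", f"auto-demote on {verdict}")
        raise ValueError(f"unknown verdict {verdict!r}")

    def set_kill_switch(self, armed: bool, actor: str) -> bool:
        """The master switch: until armed, nothing auto-executes regardless of level."""
        if actor != "customer":
            return self.kill_switch_armed   # only the customer decides when it arms
        self.kill_switch_armed = armed
        self.events.append({"kind": "kill_switch", "armed": armed, "actor": actor})
        return self.kill_switch_armed

    def may_auto_execute(self, process: str) -> bool:
        return self.kill_switch_armed and self.level(process) >= AUTO_EXEC_FROM

    def has_undo_window(self, process: str) -> bool:
        return self.level(process) >= UNDO_WINDOW_LEVEL


if __name__ == "__main__":
    ladder = AutonomyLadder()
    ladder.promote("draft-replies", actor="customer")
    ladder.review("draft-replies", "edit")
    for event in ladder.events:
        print(event)
```

The two invariants worth checking in the log are that every system-initiated level change goes down, never up, and that the only actor ever recorded on an upward change is the customer; the block's event log makes both a one-line query rather than an archaeology project.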
Action Center mock-up (dimbo · action center · human oversight):

  • finance · awaiting approval: Payment-reminder reply drafted for an invoice trending past terms · 2 signals · 1 source · confidence 0.79 · Approve / Edit / Reject
  • Autonomy ladder · Draft replies · Client Marelli · Level 1 · Propose · 7 clean approvals · promotion is your call · Promote

Honest by policy

Real properties, honest status.

We state what the system actually does — and we don't claim certifications we don't hold. GDPR-by-design is a property of the architecture, not a badge on a wall. Here's the honest register.

Properties we hold · things we don't claim

  • On-prem appliance · live
  • EU-hosted tier · live
  • PII anonymized before any external model · live
  • GDPR-by-design · live
  • Provenance on every edge · live
  • EU AI Act oversight-by-design · live
  • Raw data stays in your database · live
  • Full audit trail on every action · live
  • Formal third-party certification (SOC 2 / ISO 27001) · not claimed

We do not assert SOC 2, ISO 27001 or any certification we haven't earned — and we won't dress a property up as a badge. What we sell is what the architecture actually gives you: sovereignty, on-prem, PII anonymization, provenance, audit trail, and human oversight built into the core. GDPR-by-design, not a compliance checkbox.

See it run on your infrastructure.

The free Deadline Audit runs on your data, on your infrastructure — the surest way to see the sovereignty story is to watch it never leave the building.