Trust Statement · 02

Data Sovereignty.

Your data is yours. We do not aggregate it across tenants. We do not train shared models on it. We do not move it without your permission. We do not retain it after you leave.

Status: Active · Effective: 15 May 2026 · Tenancy: Single-tenant default · Residency: 7 regions + on-prem

01 / PRINCIPLE

Your data is yours. Full stop.

Ophanix operates on a single, contractually binding principle: customer data is the customer's data. We do not aggregate it across tenants. We do not train shared models on it. We do not move it without permission. We do not retain it after a customer leaves.

This page describes how that principle is enforced — technically, contractually, and operationally — across every Ophanix engagement.

02 / TENANCY MODEL

Single-tenant by default.

Every Ophanix customer receives a logically isolated tenant. Multi-tenant deployments are available only for shared light-touch surfaces (such as public-facing RoboChat) and never for sensitive workloads. For regulated and sovereign customers we deploy in three modes:

  • Managed — Ophanix operates the platform inside a dedicated cloud account, in a region of the customer's choosing.
  • Customer cloud — Ophanix deploys into the customer's AWS, Azure, or GCP organisation; the customer holds the root account.
  • On-premises / air-gapped — full deployment inside the customer's data centre, with no outbound dependencies for production operations.

03 / DATA RESIDENCY

Your data does not leave the region you choose.

Production data — raw signal, derived features, inference outputs, operator decisions — remains in the customer-selected region. No replication, backup, telemetry, or support access crosses that boundary without an explicit, signed customer authorisation.

Available regions: EU (Frankfurt, Amsterdam, Paris), UK (London), Switzerland (Zurich), UAE (Dubai), Singapore, US (us-east-1, us-west-2). On-prem deployments are unconstrained.

[Figure: Data residency, active regions. 8 regions, per-tenant isolation. Regions shown: EU (AMS · FRA · PAR), UK (London), CH (Zurich), UAE (Dubai), SG (Singapore), US-E (us-east), US-W (us-west), Any (on-prem). Legend: tenant region, in-region traffic, cross-region denied.]

04 / MODEL ISOLATION

No shared learning from your data.

Models retrained on customer data are retrained in the customer's tenant and their weights remain there. We do not aggregate customer fine-tunes into shared models. We do not use customer prompts, inputs, or outputs to improve generally-available models. Where the customer authorises a federated approach, the boundary is documented and audited.

Foundation models (e.g. GPT, Claude, Gemini) are accessed under data-processing agreements with the upstream provider. Customer data is sent only with the explicit prompt enabled in customer policy, and the provider's no-training contract clause is verified on every onboarding.

05 / ENCRYPTION & KEYS

Encryption everywhere, with keys you can hold.

  • In transit — TLS 1.3 on all customer-facing endpoints; mutual TLS for service-to-service.
  • At rest — AES-256, envelope-encrypted for sensitive features.
  • Bring-your-own-key (BYOK) — customer-managed KMS (AWS KMS, Azure Key Vault, GCP KMS, on-prem HSM) supported on all deployment modes. Key revocation renders tenant data unrecoverable within 60 minutes.
  • Sensitive features — PII fields and biometric signals are tokenised with per-tenant salts; raw values are never logged.

06 / ACCESS & SUBPROCESSORS

Who can see your data, and when.

Ophanix engineering access to a customer tenant is off by default. Access is granted only on customer ticket, time-limited, logged, and audited. The customer security team receives the access log on the same cadence as their own SIEM.

We publish a sub-processor list per region and notify customers at least 30 days before any addition. Customers have a right to object; we either find an alternative or the change does not happen for that customer.

07 / EXPORT & DELETION

You can leave. Cleanly.

  • Export — full export of raw signal, derived features, model artefacts, audit logs, and operator decisions in open formats (Parquet, JSONL, COG, STAC), available within 30 days of request.
  • Deletion — on contract termination, primary stores are wiped within 30 days, backups within 90, and we deliver a signed certificate of destruction including KMS key IDs invalidated.
  • Right to be forgotten — per-subject GDPR / equivalent deletion requests honoured within statutory windows; we propagate to upstream foundation-model providers where required.

Engage

Need the full evidence pack?

We share the complete audit pack — methodology, findings, remediation log, third-party attestations — with prospective customers under NDA during procurement.
