Classified and sensitive data never leaves the boundary — so the entire stack has to run inside it, air-gapped.
For government and defense workloads, the data — classified material, citizen records, mission information — cannot leave the boundary under any circumstance, which rules out every hosted AI vendor before the conversation starts. Sovereignty is the precondition, not a feature. But assembling a self-hosted stack from disparate open-source projects and vendors, each with its own update path that wants to phone home, is a non-starter in an air-gapped facility. Visca is the whole stack — open-weight models, identity, scoped access, and a tamper-evident record — as one ecosystem that runs self-managed inside the boundary, up to and including fully air-gapped, with controls a federal reviewer recognizes.
Why the data can't leave
For classified and sensitive workloads, the runtime cannot phone home. Updates must arrive as offline packages; nothing leaves the boundary.
Every action by every automated actor must be attributable to an authorizing principal, with a chain back to a human — non-negotiable for accountability in government.
Bespoke security stories don't clear authorization. Controls need to map to recognized frameworks, with evidence.
One ecosystem, not a stitched stack
Every actor's Sigil chains its lineage back to the principal that authorized it. Accountability is structural, not a logging convention.
Capability Grants with human-in-the-loop consent flows for consequential actions, scoped and time-bound, audited on both sides.
Cryptographically chained audit that an investigator can trust and an authorizing official can sign against.
The runtime runs self-managed with no outbound dependency. Updates delivered via offline packages. Same primitives, isolated facility.
What you get
Relevant frameworks
Visca Cloud has not yet completed formal certification against these frameworks; the stack is architected to meet them and audits are in progress. See the compliance roadmap.
In practice
Inside an isolated facility, analysts run autonomous workflows over sensitive data. The runtime never reaches the internet; updates arrive on signed offline media. Every action carries a Sigil chained to an authorizing officer, every data access is a consented Capability Grant, and the Chronicle is the authoritative, tamper-evident record the authorizing official signs against.
Account data, balances, and PII can't go to a hosted model. The whole stack has to run inside the bank.
PHI can't be shipped to a model API. The scribe, the audit, and the model all have to live in your tenancy.
Operational telemetry stays on-site, and software agents and robots run on one self-hosted ecosystem.
Pricing, sourcing, and customer data each stay inside their own walls — across a stack neither company could stitch alone.
Process recipes and plant telemetry stay on the floor — on one self-hosted ecosystem, not a stack stitched per vendor.
The whole stack. Self-hosted. One ecosystem.
Models, identity, tools, voice, payments, runtime, and audit — as one integrated ecosystem, self-hosted, sovereign, air-gapped. Nothing stitched from vendors. Nothing leaves your perimeter. Open at the core. No license rug-pulls, ever.