Sovereign Edition

Sovereign AI DLP — on-premise, CLOUD Act-immune

ZeusLock Sovereign Edition is the only AI DLP that runs entirely inside your perimeter. No US cloud dependency. No CLOUD Act exposure. No FISA 702 risk. Built for banks, defence contractors, public-sector agencies and regulated healthcare.

Why a US AI DLP is a compliance risk in 2026

Every major US-domiciled AI DLP — Nightfall, Strac, LayerX, Microsoft Purview, Cyberhaven — is subject to the U.S. CLOUD Act and FISA 702. A European subsidiary or EU-region deployment does not change this: the parent entity can be compelled to disclose customer data without notice. For ANSSI-regulated banks, French defence primes, EBA-supervised institutions and healthcare data under HDS, that exposure is unacceptable.

What ZeusLock Sovereign Edition delivers

Sovereign Edition deploys the full ZeusLock detection engine — including jailbreak and prompt-injection blocking, the MCP guard and the desktop CLI agent — as a containerised stack inside your infrastructure. Data never leaves your perimeter. Updates ship as signed container images you pull on your schedule. Telemetry is opt-in, scoped and outbound-only. No callback to a US cloud, ever.

What ships with Sovereign Edition

On-premise detection engine

Kubernetes-native deployment. Runs on OpenShift, Rancher, k0s or a hardened bare-metal Docker host. Hardware sizing guide provided.

Air-gapped operation

Optional fully-isolated mode. Signed container images delivered offline. No outbound network requirement.

HSM-backed key custody

Customer-owned keys via PKCS#11. Tested with Thales Luna, Atos Trustway and SoftHSM.

Sovereign update channel

Quarterly signed releases with provenance attestation (SLSA Level 3). Hotfixes delivered out-of-band.

Compliance reporting

Pre-built reports for GDPR Article 30, NIS2 incident logging, DORA ICT register, EU AI Act Article 53.

On-call escalation

Direct line to ZeusLock engineering. SLA available: 4-hour response on Sev-1, 24/7 in EU business hours.

Who runs Sovereign Edition

Banking & insurance

EBA outsourcing guidelines and DORA require demonstrable control over ICT third-party risk. Sovereign Edition removes the third party entirely.

Defence & aerospace

IGI 1300, ITAR-adjacent IP, NATO-restricted contracts. AI assistants used by engineers stay inside the perimeter.

Healthcare (HDS-regulated)

French HDS certification requires data hosting by an HDS-certified party. On-premise Sovereign Edition keeps you HDS-compliant by construction.

Public sector

SecNumCloud-aligned deployment options. UGAP listing in progress.

Legal & professional services

Attorney-client privilege survives intact — no third party ever sees the prompt.

Regulations Sovereign Edition is built for

  • GDPR (Articles 25, 28, 30 — privacy by design, processor obligations, records)
  • EU AI Act (Article 53 — transparency for general-purpose AI use)
  • NIS2 (essential and important entities — incident reporting, supply-chain risk)
  • DORA (digital operational resilience, ICT third-party risk register)
  • CLOUD Act / FISA 702 — full immunity via on-premise deployment
  • French HDS (Hébergement de Données de Santé) — when paired with an HDS host
  • SecNumCloud — alignment via on-premise installation
  • ISO 27001 — certification in progress for the SaaS edition

Frequently asked questions

Is Sovereign Edition really immune to the CLOUD Act?

Yes. The CLOUD Act compels U.S. providers to disclose data they hold or process. With Sovereign Edition, ZeusLock holds no customer data — the detection engine runs inside your infrastructure and processes prompts locally. ZeusLock cannot disclose what it does not have access to.

Does it work without internet access?

Yes. Air-gapped mode is supported. Container images and signature updates ship via signed offline bundles. Telemetry is opt-in and can be disabled entirely.

How does pricing differ from SaaS?

Sovereign Edition is licensed per node, not per user, and includes a flat support fee. Total cost of ownership is typically lower than SaaS for organisations above 500 users, before factoring in the avoided compliance overhead.

Can you provide HSM integration?

Yes. PKCS#11-based integration with Thales Luna, Atos Trustway and SoftHSM is tested and documented. Other HSMs supported on quote.

What is the minimum infrastructure?

For up to 1,000 users: 3 Kubernetes worker nodes, 16 vCPU and 64 GB RAM each, 500 GB SSD. PostgreSQL 15+ for state. Detailed sizing guide is part of the architecture review.

Do you support classified networks?

Sovereign Edition is deployable on Diffusion Restreinte / NATO Restricted networks following the IGI 1300 process. Higher classifications on a case-by-case basis with prior security clearance.

Talk to a ZeusLock sovereignty architect

15-minute briefing. We share reference architectures, sizing guides and a sample DPA — no slide deck, just the answers your CISO and DPO need.
