It runs in your environment.
Deployed on-premise as a single-tenant stack. Your case data, documents, and audit trail live in a database you control — there is no shared multi-tenant cloud that mixes your data with another customer’s.
This overview describes how Regisseur is designed, deployed, and operated, so a security team can assess it against their own controls. It is written to be accurate rather than aspirational — where a control is in place we say so, and where something is a shared responsibility or on our roadmap rather than shipped today, we say that too.
Regisseur runs structured, auditable workflows with AI agents kept on a short, deterministic leash. It is built for regulated industries — insurance underwriting, energy, and similar domains where every action must be attributable and every decision reviewable.
Deployed on-premise as a single-tenant stack. Your case data, documents, and audit trail live in a database you control — there is no shared multi-tenant cloud that mixes your data with another customer’s.
Every language-model call is made against your provider account under your commercial terms. Regisseur operates no shared inference endpoint and keeps no copy of your prompts, documents, or completions outside your deployment.
Row-level security is enabled on every table, tenancy is derived on the server (never trusted from the browser), and credentials are scoped so one workspace’s configuration cannot be used by another.
Credentials are protected with AES-256-GCM envelope encryption under a master key that is never written to the database. The secret layer is pluggable to HashiCorp Vault, Azure Key Vault, or a customer-managed key.
The deployment actively blocks egress to vendor clouds at the network layer and refuses to start against any hosted database. It is capable of running fully air-gapped.
Container images and license files are signed and verified offline, and each installation is cryptographically bound so a license cannot be copied to a second stack.
Every action — a node activating, an agent completing, a person approving, an external party opening a link — is written to an append-only, tamper-evident event ledger with full lineage, and can be exported for audit.
Agents run a deterministic pipeline, may only call an explicit allowlist of tools, produce schema-validated output, and can be halted instantly. Personal and protected health information can be one-way masked at the point of storage.
Regisseur is delivered as a self-contained stack — application, PostgreSQL database, authentication service, and API gateway — that you run inside your own infrastructure. Each customer stack serves exactly one tenant. There is no multi-tenant SaaS surface where customers share a database or an application instance.
A stack provisions itself into a single workspace on first run and then refuses to create a second one; workspace setup is reachable only through an internal, secret-gated path, so a stack cannot be turned into a multi-tenant host after the fact. For customers running several stacks, an optional operator console can sit above them for status and coordination — it reaches each stack only through that stack’s authenticated status API, never touching your database directly.
Your data never traverses a Regisseur-operated service. The blast radius of any issue is one tenant, in your environment, under your network and identity controls.
Row-level security is enabled on every application table. Access is scoped by workspace membership that the server resolves from the session — the browser never asserts which records it may see, and object references in URLs are resolved through the same membership-scoped query, which prevents an authenticated user from reaching another tenant’s records by guessing an identifier.
Credentials are protected with a two-layer envelope scheme. A 32-byte master key is supplied at startup from your environment or secret store and is never stored in the database; each credential is encrypted under a unique per-credential data key, itself stored only in encrypted form under the master key, with AES-256-GCM and a random per-record initialization vector. Resolved secrets are cached in memory only briefly, and are never written to logs, returned in an API response, or persisted in clear text.
The default backend keeps encrypted secrets in your PostgreSQL database; the same interface drives HashiCorp Vault and Azure Key Vault for customers who want secrets held in an external KMS. In air-gapped mode the platform restricts itself to the local encrypted backend automatically. The stack ships with a gateway that can terminate TLS and is designed to sit behind your TLS-terminating edge, so transport encryption is enforced under your existing certificate and cipher policy.
Regisseur integrates with your identity provider over standard SAML 2.0 and OIDC, so multi-factor authentication is enforced by your IdP policy and authentication strength stays under your control. Even with SSO, access is not automatic: a user must hold a pending invitation before an account is provisioned, and just-in-time provisioning then maps them to one of four roles — technician, member, admin, and owner — with authorization checked on the server at each protected route.
Every request into the platform authenticates through one of four well-defined mechanisms, and no others. External and machine callers are never issued a user session token; each path carries only the privilege it needs.
This is where Regisseur differs most from a typical AI product, and it is usually a CISO’s first question.
You configure Regisseur with your own provider — Azure OpenAI, AWS Bedrock, Google Vertex, or Anthropic through a private gateway — using your credentials in the encrypted secret layer. The platform reads no model keys from environment variables; a build-time check fails the release if any provider key is read that way. Because every inference call runs against your account under your agreement, retention and training policy is governed by your contract with that provider, not by us.
An agent is not a free-form model prompt. It executes a fixed, typed pipeline where the language model is one constrained step, not the controller, and its output is schema-validated before it is used.
When an agent may call external tools, both the tool server and the individual tool must appear on its explicit allowlist. An empty allowlist permits nothing, and every rejected call is recorded as an audit event.
A per-workspace masking option — off by default, enabled only by an administrator — replaces configured fields with a one-way hash at the point of persistence, so the underlying value is never written to storage. Agent definitions can carry compliance markers (HIPAA, Medicare, legal-privilege) that gate additional verification.
RoadmapAgent behaviour is exercised by an evaluation harness that produces tamper-evident drift certificates. We use this to detect regressions in agent quality — it is not a substitute for a formal AI-governance attestation, which is on our roadmap (see §11).
Pointed at any hosted database endpoint, the application fails to start rather than silently connecting out.
An initialization step installs outbound reject rules for vendor cloud domains before the application starts. Only endpoints you explicitly allow are reachable.
A CI gate scans the codebase on every change for any hosted-database reference and fails the build if one appears, so the guarantee cannot regress unnoticed.
The result is a deployment that can run fully air-gapped by default, with a demonstrable, tested outbound posture rather than a promise. Optional collaboration channels (for example Microsoft Teams) are off by default and opt-in per workspace. When you enable one, you keep your core private with a relay pattern: a small, hardened component you host in your own cloud tenant is the only public entry point — it verifies each provider-signed message and forwards it inward over private connectivity you control (VPN, private link, or a dedicated circuit). Your Regisseur core is never directly exposed, and the channel can be turned off instantly.
Container images and license files are signed with Sigstore cosign and verified offline against a bundled public key — verification makes no network call and depends on no external transparency service, so it works in an air-gapped install. The signing toolchain is pinned to a specific version with a checksum and built into the image rather than fetched at runtime.
Each license is cryptographically bound to the specific installation through a fingerprint derived from stable installation secrets. Copying a license to a different stack fails verification, and cloning an entire stack reproduces the same workspace rather than minting a new licensable one. Every change also runs an automated secret scan (verified secrets only) and a dependency vulnerability audit for high and critical advisories.
Not yet shippedA formal software bill of materials (SBOM) is on our roadmap.
Regisseur treats the audit trail as a first-class product surface. Every meaningful action writes an immutable row to an append-only event ledger — node activations, agent completions, human decisions, recoveries, errors, and communications. Rows are never updated or deleted.
External parties are first-class records, not free-text metadata, and because a case is pinned to the exact version it started under, a later change never rewrites the history of a case already in progress.
Every push and pull request runs a release gate that includes:
Fast versions of the isolation and key-scan checks also run locally before every commit, so violations are caught before they ever reach the shared branch.
A single control halts all agent execution and background processing for a workspace without losing state: every queued task checks the halt flag before running. This is the primary “stop everything now” mechanism for an incident, and it preserves in-flight work so operations resume cleanly.
Because the workflow engine is event-driven and every step is recorded, a halted or interrupted case can be resumed from its last recorded state rather than restarted.
Because Regisseur runs on-premise with your identity provider, your model provider account, and your keys, many controls a SaaS vendor would need to attest to are satisfied by your existing, already-audited infrastructure. For PHI workloads in particular, the platform is typically deployed so that Regisseur the vendor has no standing access to your data; the scope of any Business Associate Agreement should be assessed against your specific deployment.
| Area | Regisseur provides | You own |
|---|---|---|
| Physical & network perimeter | Hardened, single-tenant deployment | Data centre / cloud account, VPC, firewalls |
| Host, OS & container patching | Signed, versioned images | Running and patching host and runtime |
| Edge TLS & certificates | A gateway that can terminate TLS | Certificate policy and termination at your edge |
| Identity & MFA | SAML/OIDC, RBAC, invitation gating | Your IdP, MFA policy, and user lifecycle |
| Model provider & AI spend | BYO-provider integration, deterministic pipeline | Your provider account, keys, and contract |
| Master encryption key | Envelope encryption; key never stored in DB | Custody and rotation of the master key |
| Application security | Authz, RLS, audit, encryption, egress lockdown | Reviewing and accepting the deployment |
| Secure SDLC & releases | Signed releases, CI security gates | Verifying signatures on what you deploy |
| Data classification & retention | Masking, audit export, retention tooling | Classification, retention, and legal-hold policy |
| Backup & disaster recovery | A single, self-contained database to back up | Backup, restore, and DR of your infrastructure |
| Incident response | Emergency halt, immutable forensics trail | Your IR process; we support investigation |
We would rather earn a longer first conversation than a short one. Reach out and we will set up an architecture walkthrough, a live controls demonstration, or a written response to your vendor-risk assessment.