Security

Your data never leaves your network

Aegis is built for environments where data sovereignty, access control, and compliance are non-negotiable. No external API calls, no cloud dependencies, no compromises.

Deployment

100% On-Premises

Aegis runs entirely on your infrastructure. Every component — API, worker, vector store, LLM — is deployed within your network boundary.

  • Docker Compose or Kubernetes deployment
  • No outbound network calls required
  • Air-gapped environment support
  • Local LLM inference with vLLM or Ollama
  • All data stored in your own databases
# docker-compose.yml
services:
  aegis-api:
    image: "aegis/api:latest"
    environment:
      - AEGIS_LLM__PROVIDER=local
      - AEGIS_VECTORSTORE__TYPE=qdrant
    networks:
      - internal

  aegis-worker:
    image: "aegis/worker:latest"
    networks:
      - internal

Access Control

ACL Enforced at Every Layer

Document-level access control is not a bolt-on — it's woven into the ingestion pipeline, vector store, and query engine.

  • Permissions synced from source systems during ingestion
  • ACL metadata stored alongside every vector embedding
  • Query-time filtering before results reach the LLM
  • Group-based and user-based permission models
  • Deny-by-default: no ACL = no access
# Ingestion: permissions preserved
document.metadata = {
    "source": "confluence",
    "acl_users": ["alice", "bob"],
    "acl_groups": ["engineering"],
}

# Query: filtered by caller identity
# Alice sees engineering docs
# Charlie (marketing) does not
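The query-time check described above, written out as an added Python example (not Aegis's own code): every retrieved hit is tested against the caller's identity before anything reaches the LLM, a hit with no ACL metadata is denied outright, and the number of dropped hits is returned so it can be audited. The Caller type, filter_results and the sample hits are constructed for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Caller:
    """Authenticated identity as resolved upstream (constructed for this example)."""
    user: str
    groups: frozenset[str] = frozenset()


def is_permitted(caller: Caller, metadata: dict) -> bool:
    """Deny-by-default ACL check: a document carrying no ACL is never returned."""
    users = set(metadata.get("acl_users") or [])
    groups = set(metadata.get("acl_groups") or [])
    if not users and not groups:
        return False  # no ACL = no access
    return caller.user in users or bool(caller.groups & groups)


def filter_results(caller: Caller, hits: list[dict]) -> tuple[list[dict], int]:
    """Filter vector-store hits before they reach the LLM.

    Returns (permitted hits, number of hits dropped); the drop count is what an
    audit record would carry alongside the documents actually accessed.
    """
    allowed = [h for h in hits if is_permitted(caller, h["metadata"])]
    return allowed, len(hits) - len(allowed)


# Constructed sample hits, shaped like the metadata stored at ingestion time.
SAMPLE_HITS = [
    {"id": "doc-1", "metadata": {"source": "confluence",
                                 "acl_users": ["alice", "bob"],
                                 "acl_groups": ["engineering"]}},
    {"id": "doc-2", "metadata": {"source": "slack", "acl_groups": ["marketing"]}},
    {"id": "doc-3", "metadata": {"source": "confluence"}},  # ACL missing: denied to all
    {"id": "doc-4", "metadata": {"source": "confluence",
                                 "acl_users": ["charlie"], "acl_groups": []}},
]


def demo(user: str, groups: set[str]) -> tuple[list[str], int]:
    """Run the filter for one caller and return (permitted ids, dropped count)."""
    allowed, dropped = filter_results(Caller(user, frozenset(groups)), SAMPLE_HITS)
    return [h["id"] for h in allowed], dropped


if __name__ == "__main__":
    print(demo("alice", {"engineering"}))  # (['doc-1'], 3)
    print(demo("charlie", {"marketing"}))  # (['doc-2', 'doc-4'], 2)
```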

Authentication

Enterprise Identity Integration

Integrate with your existing identity provider. Aegis supports OIDC, SAML, LDAP, and trusted reverse proxy headers out of the box.

  • OpenID Connect (Okta, Auth0, Azure AD, Keycloak)
  • SAML 2.0 federation
  • LDAP / Active Directory groups
  • Trusted proxy header pass-through (X-Auth-User)
  • Environment-aware: strict in prod, flexible in dev
auth:
  provider: "oidc"
  oidc:
    issuer: https://sso.corp.com/realms/main
    client_id: aegis-api
    client_secret_file: /run/secrets/oidc
    admin_group: aegis-admins
  session:
    lifetime: 3600
    refresh: true

Compliance

Compliance-Ready Architecture

Aegis provides the technical controls needed for SOC 2, HIPAA, GDPR, and other regulatory frameworks.

  • Full audit log of every query and data access
  • Data retention policies with automated purging
  • Encryption at rest and in transit (TLS 1.3)
  • Role-based access to admin APIs
  • Exportable compliance reports
# Audit log entry
{
  "timestamp": "2026-02-08T10:30:00Z",
  "user": "alice@corp.com",
  "action": "query",
  "query": "data retention policy",
  "documents_accessed": 3,
  "acl_filtered": 7,
  "response_time_ms": 1240
}

Data Flow

How Your Data Moves Through Aegis

Two isolated pathways: ingestion writes data in, queries read it out. Both enforce ACL at every step.

Ingestion Path

  • Data Sources: Confluence, Slack...
  • Connectors: Fetch + Sync
  • Ingestion: Parse + Chunk
  • ACL Sync: Permissions
  • Vector Store: Embed + Index

Network Boundary — All Data On-Prem

Query Path

  • User: Authenticated
  • API Gateway: Auth + Rate Limit
  • ACL Filter: Permission Check
  • RAG Agent: Search + Generate
  • LLM: On-Prem Inference
  • Cited Answer: With Sources

See Aegis in Action

Schedule a personalized demo and see how Aegis transforms your team's knowledge into a secure, searchable resource.