Your data never leaves your machine. Ever.

Vvault is built on a single architectural principle: zero external data transmission. This page documents exactly how that works — for your IT security team, compliance officer, or procurement department.

AFTER INSTALL: Zero outbound network connections
AI MODEL: Runs 100% on your hardware
YOUR DATA: Never transmitted. Verifiable independently.
GDPR: Compliant by architecture, not policy

Every component. Fully documented.

Vvault runs as a set of Docker containers on your local machine. After the initial installation, all communication is internal between containers on localhost. No component has permission or capability to reach external servers.

SYS_01
Zero external network calls
After installation, Vvault makes no outbound connections. Your questionnaire content, policy documents, and answers never leave your network. Verifiable with Wireshark or any network monitoring tool.
SYS_02
Local AI model — phi3:mini
The language model runs entirely on your hardware via Ollama. No API calls to OpenAI, Anthropic, Microsoft, or any other provider. The model is downloaded once at install and runs offline permanently.
SYS_03
Encrypted credentials & HTTPS
Passwords hashed with bcrypt and salt — never stored plaintext. JWT tokens for session management with 12-hour expiry. HTTPS enforced with certificate. Role-based access control for admin and viewer users.
SYS_04
Full audit trail
Every approve, reject, and edit action is logged with username, timestamp, and full question/answer content. Audit logs are exportable for compliance review and internal security assessments.
SYS_05
Isolated Docker containers
Each component — backend API, database, AI model runner, and frontend — runs in its own isolated Docker container. Components communicate only over the internal Docker network, not the public internet.
SYS_06
Data sovereignty
Your data is stored exclusively in a PostgreSQL database running on your own machine. You control it entirely. Complete removal is achievable with a single command — docker-compose down -v.

Every network connection. Documented.

This is the complete list of network connections Vvault makes — from installation through to daily operation. Nothing is hidden.

Installation phase — one time only

| Destination | Domain | Purpose | Frequency |
|---|---|---|---|
| Docker Hub | hub.docker.com | Pull base container images | One-time only |
| Ollama Registry | ollama.com | Download phi3:mini model (~2.3 GB) | One-time only |
| Ollama Registry | ollama.com | Download nomic-embed-text model (~270 MB) | One-time only |
| PyPI | pypi.org | Install Python dependencies during build | One-time only |

Runtime phase — ongoing operation
Zero outbound connections after installation
Once installed, Vvault makes zero external network calls during normal operation. All runtime traffic is internal: your browser communicates with localhost:3443, and the backend communicates with the database and AI model over the internal Docker network (172.x.x.x). No external IP addresses are contacted.

What happens to your data.

Step by step — exactly what Vvault does with your policy documents and questionnaire content.

STEP_01
Policy document upload
Your policy documents (PDF, TXT, DOCX) are received by the FastAPI backend running locally. Documents are chunked into semantic segments and stored in the local PostgreSQL database. The embedding model generates vector representations for each chunk — also stored locally. No content leaves the machine.
STEP_02
Questionnaire parsing
Your Excel, Word, or PDF questionnaire is parsed locally to extract questions. Parsing occurs in memory. The questionnaire file is not permanently stored — only the extracted question text is retained in the session.
STEP_03
Answer generation — three-tier local lookup
For each question: (1) Cache lookup — searches previously approved answers using local vector similarity. (2) Template matching — matches against 20 pre-defined SOC2 templates using local keyword and semantic matching. (3) LLM generation — if no match, phi3:mini generates an answer using your policy excerpts as context. All three tiers run entirely locally. The LLM receives only the question and relevant policy text — no credentials, metadata, or sensitive system information.
STEP_04
Human review — mandatory
All generated answers are presented in the review dashboard with confidence scores and source attribution. No answers are automatically submitted. Your team approves, edits, or rejects each answer. Every action is logged in the audit trail with username and timestamp.
STEP_05
Export and download
The completed questionnaire is written to an Excel file and downloaded directly from your locally-running application to your browser. The file never passes through any external server. It is a direct local download.

Verify it yourself.

Our zero-transmission claim is independently verifiable using standard network monitoring tools. We encourage your IT security team to verify this before and after installation.

Method 1 — Wireshark (all platforms)

Method 2 — Docker network inspection

    docker exec vvault_backend netstat -tn | grep ESTABLISHED

Expected result: only internal Docker network addresses (172.x.x.x) and localhost. No external IP addresses.
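
The Method 2 check can be automated, shown here as an added example that is not Vvault's own code: it parses `netstat -tn` output and reports every TCP peer outside loopback and 172.16.0.0/12 in any state, so it also catches short-lived connections that a grep for ESTABLISHED misses. The allowed ranges, function names and sample output are assumptions constructed for illustration; only the 172.16.0.0/12 part of 172.x.x.x is private address space.

```python
import ipaddress

# Assumption: "internal" = loopback plus 172.16.0.0/12, the private block that
# contains the 172.x.x.x Docker addresses. Adjust if your networks differ.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("127.0.0.0/8", "::1/128", "172.16.0.0/12")]

# Constructed sample of `netstat -tn` output (not captured from a real install).
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 172.18.0.4:8000         172.18.0.2:51234        ESTABLISHED
tcp        0      0 172.18.0.4:40112        172.18.0.3:5432         ESTABLISHED
tcp        0      0 127.0.0.1:8000          127.0.0.1:40000         ESTABLISHED
tcp        0      0 172.18.0.4:51000        203.0.113.10:443        ESTABLISHED
tcp        0      0 172.18.0.4:51002        172.32.0.5:443          ESTABLISHED
tcp6       0      0 ::ffff:172.18.0.4:8000  ::ffff:172.18.0.2:51240 ESTABLISHED
tcp        0      0 172.18.0.4:51004        198.51.100.7:443        TIME_WAIT
"""


def remote_ip(endpoint):
    """Split 'addr:port' (IPv4 or IPv6 form) and return the address object."""
    ip = ipaddress.ip_address(endpoint.rsplit(":", 1)[0])
    # Dual-stack sockets show IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    return getattr(ip, "ipv4_mapped", None) or ip


def is_internal(ip):
    return any(ip.version == net.version and ip in net for net in INTERNAL_NETS)


def external_connections(netstat_text):
    """Return (foreign_endpoint, state) for each TCP row with a non-internal peer."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        foreign, state = fields[4], fields[5]
        try:
            internal = is_internal(remote_ip(foreign))
        except ValueError:
            internal = False  # unparseable peer: report it, do not skip it
        if not internal:
            findings.append((foreign, state))
    return findings


if __name__ == "__main__":
    for endpoint, state in external_connections(SAMPLE):
        print(f"EXTERNAL {endpoint} {state}")
```

To check a live install, pass the text produced by `docker exec vvault_backend netstat -tn` to `external_connections()`; an empty list matches the expected result.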

Method 3 — macOS Little Snitch

Create a rule to monitor all connections from Docker Desktop. During Vvault operation you will observe zero connection attempts to external addresses.

Method 4 — Windows Firewall logging

Need help with verification?
We offer a free 30-minute screen share session for IT security teams evaluating Vvault. We will set up network monitoring together and demonstrate zero external transmission live. Contact girish@getvvault.com to book.

GDPR compliant by architecture.

Vvault's local architecture eliminates the most common GDPR challenges with SaaS compliance tools. Here is how each key article applies.

| GDPR Article | Requirement | Vvault Position |
|---|---|---|
| Art. 5(1)(c) — Data minimisation | Collect only what is necessary | No telemetry, analytics, or behavioural data collected. Only operational data stored. |
| Data localisation | Control where data is stored | All data stored on your infrastructure. Vvault has no mechanism to transmit data externally. |
| Art. 17 — Right to erasure | Ability to permanently delete data | docker-compose down -v permanently destroys all data. Irreversible. |
| Data controller status | Clear data controller identification | Your organisation is the sole data controller. Vvault developers have zero access to your data. |
| Sub-processor assessment | Assess third-party processors | Vvault has no sub-processors. AI models run locally — not provided as a service by any third party. |
| Third-country transfers | Restrict data transfers outside EEA | No transfers occur. Data never leaves your machine or network. |

The AI model — fully disclosed.

Vvault uses two AI models, both running locally via Ollama. Neither model contacts any external service during operation.

Language model — phi3:mini
| Property | Detail |
|---|---|
| Model | phi3:mini — 3.8 billion parameters |
| Developer | Microsoft Research |
| License | MIT — permits commercial use |
| Size | ~2.3 GB on disk |
| Runtime | Ollama — open source local model runner |
| External calls | ZERO — runs entirely on local CPU/GPU |
| What the model sees | Question text + relevant policy excerpts (max 2,000 characters). No credentials, company names, or sensitive metadata. |

Important accuracy limitation
phi3:mini is a small language model. Answer quality depends on the completeness of your uploaded policy documents. Vvault flags low-confidence answers for mandatory human review. All answers require approval before use — Vvault is a drafting assistant, not an auto-submit tool. Final responsibility for answer accuracy remains with your compliance team.

Questions your security team will ask.

Does Vvault send any data to your servers?
No. After installation, Vvault makes zero outbound network connections. The developers of Vvault have no access to your data, your questions, your policy documents, or your answers. This is independently verifiable using the network monitoring methods on this page.
Is the AI model provided as a cloud service?
No. phi3:mini and nomic-embed-text are downloaded once during installation and run entirely on your hardware using Ollama. There are no API calls to Microsoft, Nomic AI, or any other provider during operation.
Who can access our data?
Only users with valid Vvault credentials on your local network. The admin account controls user creation. Vvault developers, support staff, and any external party have zero access to your Vvault installation or data.
Can Vvault be deployed on an air-gapped network?
Yes. After the initial installation — which requires internet to download Docker images and AI models — Vvault operates with zero internet connectivity. It is suitable for air-gapped and high-security environments.
What happens to our data if we stop using Vvault?
Your data remains on your machine until you choose to delete it. Running docker-compose down -v permanently and irreversibly removes all Vvault data including the database, knowledge base, and answer library.
Is Vvault itself SOC2 certified?
Vvault v1.0 is not SOC2 certified. As an early-stage product, certification is on the roadmap. However, because Vvault is locally-deployed with zero external data transmission, the majority of SOC2 cloud-related concerns are architecturally eliminated.
Can we review the source code?
The Vvault codebase is available for review under NDA for enterprise customers conducting security assessments. Contact girish@getvvault.com to arrange code review access.
How do we report a security vulnerability?
Email support@getvvault.com with subject line "Security Vulnerability Report". We acknowledge within 24 business hours and commit to providing critical fixes within 30 days.
VVAULT SECURITY DOCUMENT
Security & Privacy
Architecture Whitepaper
14 pages  ·  Version 1.0  ·  For IT security review and vendor assessment  ·  PDF
Covers: System architecture · Complete network connection list · Data flow documentation · AI model details · GDPR analysis · Independent verification guide · FAQ for security teams