Security & Compliance
BareMetalRT is built on a simple security premise: your data never leaves your hardware. Inference runs entirely on your own GPU, and chat content is encrypted on your device — it is never transmitted to, stored by, or readable by Bare Metal AI.
Architecture & Data Residency
- Local inference. Prompts, model outputs, and conversation history are processed and stored on your machine. They never touch our servers.
- Minimal hosted footprint. Our hosted services handle only accounts, optional remote-relay routing, billing, and software-update distribution. The data involved is listed in our Privacy Policy.
- Air-gap option. The daemon can run fully offline (BMRT_AIRGAP=1) with no connection to Bare Metal AI at all — suitable for classified, regulated, or disconnected environments.
Data Protection
- Encryption in transit: all daemon–server traffic uses TLS (HTTPS/WSS).
- Encryption at rest: chat history is AES-256-GCM encrypted on your device using PBKDF2-derived keys.
- Credential handling: passwords are hashed (never stored in plaintext) and API keys are stored as SHA-256 hashes.
Access & Identity
- Enterprise SSO via OIDC and SAML, with SCIM provisioning and role-based access control.
- Per-seat access is enforced at authentication; daemon and node registration are authenticated.
Infrastructure & Sub-processors
Hosted services run on vetted providers. We disclose every third party that processes data on our behalf on our Sub-processors page. None are engaged when the software runs offline or in air-gap mode.
Compliance Status
| Framework | Status |
|---|---|
| GDPR (data processing & SCCs) | Available — via our Data Processing Addendum |
| Air-gap / no-egress attestation | Available — self-serve verification documented |
| SOC 2 Type II | Planned — on our compliance roadmap |
We do not claim certifications we do not hold. For the current status of our SOC 2 plans, a security questionnaire, or to discuss specific compliance requirements, contact [email protected].
Vulnerability Disclosure
If you believe you've found a security vulnerability, please report it responsibly to [email protected]. We will acknowledge your report and work with you on a coordinated disclosure. Please do not publicly disclose an issue before we've had a reasonable opportunity to address it.
Contact
Bare Metal AI, Inc. · [email protected]