Architecture · deployment boundary · 2026.4

Your VPC. Your weights. Zero egress.

NODES deploys single-tenant inside your cloud account. Model training, inference, scoring, and every decision trace run on infrastructure you own. No external API calls. No OpenAI or Anthropic in your supply chain. No data leaves the boundary, because there is nowhere for it to go. The same boundary applies to every decision the brain makes, regardless of decision type.

Book an architecture review CISO FAQ

Deployment

Single-tenant VPC

Attestation

SOC 2 Type II

Egress

0 bytes / call / day

Weights

Customer-owned

boundary_manifest · v2026.4 signed · cust-vpc

Inside customer boundary12

✓Model weights (nodes-substrate-2026.04) customer-owned · KMS-encrypted · no export
Legacy artifact name: carrier-hire-2025.11 (Hire & Develop calibration)in-vpc

✓Inference endpoint in-cluster gpu · p50 74msin-vpc

✓Training & fine-tune pipeline quarterly retrains · on customer datain-vpc

✓Decision trace store signed · append-only · reproduciblein-vpc

✓Candidate, employee, ticket, deal, and decision data ATS · HRIS · CRM · ticketing · calendar metadata read-through · never copied outin-vpc

✓Ticketing system read-through ServiceNow · Zendesk · Jira Service Desk · Freshservice · read incoming · write back drafted resolutions · never copied outin-vpc

✓Calendar / email metadata read Google Workspace · Microsoft 365 · metadata only · no content scraping · signal aggregation only · never copied outin-vpc

✓Adverse-action floor validator in-cluster · validates every adverse-action recommendation against structural floor · rejects any save that violates the floor · no autonomy level can overridein-vpc

✓Audit stream siem export to customer-owned sinkin-vpc

Outside boundary · never crossed05

✕OpenAI / Anthropic / third-party LLM APIs not in the chain · not in the packageblocked

✕NODES-operated inference NODES does not host your modelblocked

✕Decision data egress zero bytes out, by network policyblocked

✕Training data upload nothing sent back to NODESblocked

✕Telemetry with PII aggregate ops only · opt-in · scrubbedblocked

single-tenant · zero egress reviewed · 2026-04-14

Legal & security review

One Fortune 500 carrier rejected six AI vendors in eighteen months. They approved NODES in seventeen days.

Most AI vendor reviews collapse at data residency, model supply chain, or egress controls. NODES answers those three objections structurally: there is nothing to approve because there is nothing that leaves your cloud account.

The side-by-side below is a redacted composite of one actual deployment timeline versus the prior vendor stack that procurement, security, and legal had already rejected.

Prior stack · hosted gen-AI vendor

547 days · rejected

547d

Day 001Initial procurement intakeRFP · scoring rubric · vendor shortlistopened

Day 048DPA & subprocessor disclosureOpenAI + Anthropic flagged as subprocessorsstalled

Day 127Security architecture reviewdata egress to vendor cloud · unresolvedstalled

Day 284Model supply-chain reviewthird-party LLM weights · not inspectableblocked

Day 402Counsel review · regulator pre-briefNYDFS · NAIC model-audit exposureblocked

Day 547Final disposition6 vendors in rotation · none approvedrejected

outcome · 0 deployments cycle · 18 months

NODES · single-tenant vpc

17 days · approved

17d

Day 01Kickoff · architecture walkthroughshared VPC diagram · boundary manifest · SOC 2 reportcleared

Day 03DPA signedno subprocessors · no egress · template acceptable as-iscleared

Day 06Security architecture reviewterraform module reviewed · network policies verifiedcleared

Day 09Model supply-chain reviewopen-source foundation · weights delivered in-clustercleared

Day 13Counsel review · regulator pre-briefauditable decision traces · no black-box exposurecleared

Day 17Final approval · deployhelm install · first score written back to ATS in 4happroved

outcome · production deployment cycle · 17 days

Deployment boundary

Everything runs inside your VPC. Nothing crosses the line.

Four lanes, one account, one tenant: control plane, model plane, customer data, audit. No shared infrastructure with another customer. No NODES-operated inference. No path to the public internet from anything that touches your data.

deployment_boundary · customer-vpc · single-tenant network policy · egress=0

Customer VPC · single-tenant cidr · 10.40.0.0/16

Control plane

Orchestratorjob graph · retries · quorum

Admin consoleSSO · SCIM · RBAC

Model plane

Weights storeKMS-encrypted · customer-owned

Inferencein-cluster gpu · p50 74ms

Fine-tunequarterly · on customer data

Customer data · read-through

ATSWorkday · Greenhouse · iCIMS · Avature · SmartRecruiters

HRISWorkday HCM · UKG · ADP · Rippling

CRMSalesforce · Dynamics · HubSpot

TicketingServiceNow · Zendesk · Jira Service Desk · Freshservice

Calendar / EmailGoogle Workspace · Microsoft 365 · metadata only

Performance & LMSperformance databases · Cornerstone · Docebo · SAP SuccessFactors Learning

Audit & telemetry

Decision tracesigned · append-only

SIEM exportSplunk · Datadog · custom

Secrets / KMScustomer-held keys

Egress = 0network policy enforced · denied by default

Outside boundary · attempted traffic is dropped

openai.com anthropic.com api.nodes.inc vendor inference public model registry candidate telemetry PII exfil

External API calls

Per inference. Per day. Per deployment. Verified by egress policy.

Bytes egressed

No candidate, employee, or production data leaves the boundary.

Inference p50

74ms

In-cluster gpu. Customer VPC. No round-trip to a vendor cloud.

Weights owned by

Customer

Delivered into your weights store. Encrypted with your KMS keys.

Tenants on your cluster

Single-tenant by design. No noisy neighbor. No cross-tenant index.

NODES-operated infra

None

NODES ships software. NODES does not run your inference.

Model supply chain

No third-party AI in the chain.

NODES ships a fine-tuned open-source foundation model and calibrates it inside your boundary on your four-year production trace. There is no call out to a hosted LLM provider at training time, at inference time, or in the audit stream.

model.provenance · nodes-substrate-2026.04

Open foundation.
Customer-calibrated.
Customer-owned.

Every weight under every inference is the weight the customer owns. Retrains happen in-cluster, on rolling 18-month production. Weight artifacts never leave the VPC.

FoundationOpen-source baseapache-2.0 · inspectable · pinned digestverified

Fine-tuneYour 4-yr production10,765 agents · p75+ validated cohortin-vpc

CalibrationPer role · per location28 dimensions · quarterly refitin-vpc

InferenceIn-cluster gpup50 74ms · 0 external callsin-vpc

WeightsKMS-encrypted artifactcustomer-held keys · never exportedcustomer-owned

What is not in the chain

The supply-chain questions counsel always asks, all answered "no."

✕
OpenAI, Anthropic, Google, or any hosted LLM providernot a subprocessor · not called at train or inference time
✕
Third-party embedding APIsembeddings produced in-cluster · no round-trip
✕
NODES-operated inference endpointsNODES ships the binary · the customer runs it
✕
Training data shipped back to NODESno telemetry with PII · aggregate ops only · opt-in
✕
Closed-weight foundation modelsNODES does not pull weights you cannot inspect

Data posture

Every asset. Where it lives. Who can read it.

The ledger your counsel will screenshot. Each row is enforced by network policy, IAM, or KMS (not just documented). Retention is customer-configurable; defaults shown.

Asset

Where it lives

Who can read it

Encryption

Default retention

Model weightsnodes-substrate-2026.04

customer vpc · weights stores3 + object-lock or equivalent

NODES service roleread · no export

aes-256 · customer kms

indefinite · customer-controlled

Candidate, employee, ticket, deal, and decision dataATS · HRIS · CRM · ticketing · calendar · performance database

customer source systemsread-through · never copied out

customer IAM · NODES read-scope

aes-256 · at-rest & tls 1.3

inherits source system

Decision tracessigned · reproducible

customer vpc · trace storeappend-only · sig-hashed

customer IAM · NODES read

aes-256 · customer kms

7 years · adjustable

Embedding indexproduced in-cluster

customer vpc · vector store

NODES service role

aes-256 · customer kms

rebuilt quarterly

Inference trafficrequest + scored response

in-cluster onlynever mirrored out

customer ats write-back

tls 1.3 · mTLS between services

ephemeral · trace only

Audit streamevery admin + scoring event

customer siem sinksplunk / datadog / custom

customer security team

tls 1.3 · hmac-signed

customer siem policy

Operational telemetryaggregate · no PII

opt-in · redacted exportopt-in · scrubbed · pii-free

NODES SRE · aggregate only

tls 1.3 · per-field scrub

30 days

Compliance & controls

The attestations your reviewer already has a checklist for.

Controls are implemented in the deployment, not bolted on in policy. Every certification below is backed by the same single-tenant-VPC architecture. The architecture is the control.

01 · attestation

SOC 2 Type II

Annual report covering security, availability, confidentiality. Delivered under NDA on Day 01 of architecture review.

availableannualNDA

02 · attestation

Penetration testing

Third-party pen tests on every major release. Reports delivered under NDA. Remediation windows aligned to CVSS severity and contractually committed.

annual + releaseNDA

03 · regulation

GDPR · CCPA · DPA templates

Controller / processor DPA templates with no external subprocessors. Data subject request flows land in your HRIS, not in NODES systems.

no subprocessorsDSAR-ready

04 · identity

SSO · SCIM · SAML

Okta, Azure AD, Ping, Google Workspace. Group-mapped RBAC. SCIM provisioning ties admin access to your HRIS state.

oktaazure adping

05 · keys

Customer-held KMS

Bring your own keys. AWS KMS, Azure Key Vault, GCP KMS, HashiCorp Vault. Revoke keys; inference stops. That is the point.

BYOKrevoke-to-kill

06 · audit

SIEM-native audit stream

Every scoring, admin, and retrain event hashed and streamed to your SIEM. Signed decision traces reproducible seven years out.

splunkdatadogsigned

Deploys where you already run.

Single-tenant vpc
terraform module · helm chart
BYOK · mTLS · SSO / SCIM
Air-gapped variant on request

CloudAWS · incl. GovCloud

CloudAzure · incl. Gov

CloudGCP · Assured Workloads

IaCTerraform module · pinned

IaCHelm chart · versioned

IaCPulumi · on request

IdentityOkta · Azure AD · Ping · Google

NetworkVPC peering · PrivateLink · TGW

SecretsAWS KMS · Azure KV · GCP KMS · Vault

ObservabilityDatadog · Splunk · New Relic

AuditSIEM export · custom sinks

RegionUS · EU · APAC · in-country

terraform · nodes_vpc_deployment module v2026.4 · pinned

# One module. Your account. Your KMS. Your subnets.
module "nodes" {
 source = "nodes-inc/nodes/aws"
 version = "2026.4"

 # deployment boundary
 vpc_id = var.vpc_id
 private_subnets = var.private_subnets
 allow_egress = false # enforced · default-deny

 # customer-held keys
 kms_key_arn = aws_kms_key.nodes.arn
 weights_bucket = aws_s3_bucket.weights.id
 object_lock = "compliance"

 # identity + audit
 sso_provider = "okta"
 siem_sink = var.splunk_hec_endpoint
 audit_stream = true

 # model
 model_artifact = "nodes-substrate-2026.04"
 retrain_cadence = "quarterly"
 inference_gpu = "g5.2xlarge"
}

CISO FAQ

The seven questions every security reviewer has asked.

Answered once, here, with the spec IDs your counsel will want to cite. For anything not covered, the architecture review (Day 01) is a working session with a NODES security engineer, not a sales call.

01 Does any candidate, employee, ticket, deal, or decision data ever leave our VPC? +

No. The deployment enforces a default-deny egress policy at the subnet level. Candidate, employee, ticket, deal, and decision data is read through from your source systems (ATS, HRIS, CRM, ticketing, calendar, performance database) and never copied out of your cloud account. Inference request bodies, scored responses, and decision traces all stay in-cluster. The only opt-in traffic that ever leaves is aggregate operational telemetry with every PII field scrubbed server-side before it is emitted, and that opt-in can be turned off in Terraform.

Referenceref · boundary_manifest · v2026.4
ref · terraform allow_egress=false
ref · spec · net-policy-01

02 Who has access to our model weights? +

You do. The weights artifact is delivered into a bucket you own, encrypted with a KMS key you hold. The NODES service role has read access, scoped to the cluster; the artifact cannot be exported. Revoke the KMS key and inference stops, which is what every customer tests on Day 07 of deployment.

Referenceref · spec · kms-01
ref · spec · weights-01

03 Is OpenAI or Anthropic in the supply chain? +

No. NODES fine-tunes an open-source foundation model with a pinned digest; there is no call out to a hosted LLM provider at training, fine-tune, or inference time. The DPA lists zero external subprocessors for model operations. This is the question that stalls most vendor reviews; here, it is answered by the deployment topology, not by policy.

Referenceref · model.provenance · nodes-substrate-2026.04
ref · DPA · subprocessor schedule

04 How are model retrains handled on a per-customer basis? +

In-cluster, on your data, on a quarterly cadence, producing a new signed weights artifact that lives only in your VPC. Retrain jobs run under the NODES service role with scoped IAM. NODES does not pull your data back to retrain a shared model. There is no shared model. Your weights are yours.

Referenceref · spec · retrain-01
ref · prov_chain · fine-tune stage

05 What happens to our deployment if NODES is acquired or shuts down? +

The deployment keeps running. The weights are in your bucket under your KMS key. The inference binary is in your cluster. The Terraform module and Helm chart are pinned in your CI. A source-escrow clause in the master agreement gives you the right to rebuild the binary from source after a triggering event. "Lights-on without NODES" is a stated design goal.

Referenceref · MSA · source escrow
ref · spec · lights-on-01

06 How do GDPR / CCPA data subject requests flow? +

To your HRIS or ATS, never to NODES. Because candidate and employee records live in your source-of-truth systems and are read through into NODES only at scoring time, a delete or export request fulfilled in your HRIS is automatically reflected in NODES on the next read. Decision traces bound to deleted subjects are tombstoned on the same schedule.

Referenceref · spec · dsar-01
ref · DPA · controller/processor

07 Can you support air-gapped or GovCloud deployments? +

Yes. The Terraform module runs in AWS GovCloud, Azure Government, and GCP Assured Workloads out of the box. For air-gapped environments NODES ships weights, binaries, and the Helm chart as signed offline artifacts. Retrains are triggered by a scheduled job inside the air-gapped cluster, with no return path. Talk to the architecture review team for the offline delivery process.

Referenceref · spec · govcloud-01
ref · spec · airgap-01

Architecture review

One hour with a NODES security engineer. Not a sales call.

NODES walks through the deployment diagram against your cloud account topology, shares the SOC 2 report, and leaves you with a DPA template and a Terraform plan your team can review offline. Most reviewers come out with enough to open an internal architecture ticket the same day.

Book the review Review the security artifacts

Architecture walkthrough against your cloud topology60 min · security engineer · your VPC diagram

SOC 2 Type II report under NDAdelivered in the same session

DPA template + subprocessor scheduleno external subprocessors · ready for counsel

Terraform module walkthroughpinned · reviewable in your CI

Reference-customer call (optional)Fortune 500 carrier · 17-day approval

One moment.

Your VPC. Your weights. Zero egress.

Deployment

Single-tenant VPC

Attestation

SOC 2 Type II

Egress

0 bytes / call / day

Weights

Customer-owned

# One module. Your account. Your KMS. Your subnets. module "nodes" { source = "nodes-inc/nodes/aws" version = "2026.4" # deployment boundary vpc_id = var.vpc_id private_subnets = var.private_subnets allow_egress = false # enforced · default-deny # customer-held keys kms_key_arn = aws_kms_key.nodes.arn weights_bucket = aws_s3_bucket.weights.id object_lock = "compliance" # identity + audit sso_provider = "okta" siem_sink = var.splunk_hec_endpoint audit_stream = true # model model_artifact = "nodes-substrate-2026.04" retrain_cadence = "quarterly" inference_gpu = "g5.2xlarge" }

One hour with a NODES security engineer. Not a sales call.