AI Security

Public AI exposes your data. SkaLean hosts everything locally.

Every request sent to ChatGPT or Copilot with customer data transits to foreign servers. In case of a GDPR audit, you cannot prove anything. SkaLean runs AI entirely in your isolated environment, with complete logs and end-to-end encryption.

0 data on third-party servers
AES-256 end-to-end encryption
100 % request traceability
5-20 days turnkey deployment
SkaLean Security dashboard (illustration): Fully compliant
Local hosting: AI and data in your isolated environment (OK)
End-to-end encryption: data at rest and in transit (OK)
GDPR compliance: processing register generated (OK)
Complete audit logs: 100% of requests traced and signed (OK)
Role-based access (RBAC): each user sees their own data (OK)
Automatic PII masking: 15 types of sensitive data detected (OK)
Counters: 0 data outside infra, 100 % traceability, GDPR compliant, audit log
SkaLean Security dashboard (illustration): Threat detected
Local hosting: infrastructure intact (OK)
End-to-end encryption: data protected (OK)
Unauthorized access attempt: IP 185.24.xx.xx blocked automatically (BLOCKED)
PII detected in request: card number masked before AI send (MASKED)
Automatic remediation: session revoked, alert sent (OK)
Incident logged: timestamped, signed, exportable (OK)
Counters: 1 attempt blocked, 1 PII masked, 0 data exposed, audit log
The Context

What you risk every day with public AI

These three risks are real and documented. Each can cost you compliance, reputation, or customers. SkaLean eliminates them with an entirely local AI architecture.

Your customer data sent to foreign servers
When an employee pastes customer information into ChatGPT, that data transits to OpenAI's servers in the United States. Even in "don't train on this data" mode, data leaves your infrastructure. Invoices, contracts, medical records, financial information: everything you paste into public chat potentially belongs to a third-party AI's history.
85% of employees use public AI for sensitive data
GDPR compliance impossible with public tools
GDPR requires that you know exactly where your customers' personal data is processed and that you can prove it during an audit. With ChatGPT or Copilot, you cannot produce a processing register, request logs, or proof of data location. GDPR fines can reach 4% of global annual revenue.
4% annual revenue max GDPR fine
Security audit impossible without logs
In case of a security incident or audit request, can you say precisely who asked which question to which AI, which document was consulted, what response was generated, and when? With public tools, the answer is no. Without complete logs, you are held liable with no evidence to defend yourself.
72% of enterprises cannot pass an AI audit
Your Industry by Numbers

The data that justifies action

85 % of employees use public AI tools to process sensitive company data (Cyberhaven Data Report 2024)
Types of data sent to public AI (Cyberhaven Data Report 2024):
  Customer data and contracts: 32 %
  Source code and intellectual property: 26 %
  Financial information: 21 %
  HR and salary data: 14 %
  Other confidential: 7 %
AI security risks by criticality level (ENISA AI Security Report 2024):
  Customer data breach: Critical
  GDPR non-compliance: Critical
  Breach of professional secrecy: High
  Loss of intellectual property: High
  Uncontrolled Shadow IT: Moderate
Measurable Impact

Before and After SkaLean

Comparison of the risk and compliance profile of a 25-employee SMB before and after SkaLean deployment in sovereign mode.

Metric                               Before     With SkaLean
Data transiting outside enterprise   100 %      0 %
GDPR compliance score                31 %       97 %
AI request traceability              0 %        100 %
Security audit preparation           3 weeks    4 hours
How It Works

Every request processed entirely locally

Your question never leaves your infrastructure. The LLM runs on your servers, logs stay with you, data remains with you.

  1. User request: authenticated, role verified
  2. Local processing: PII masked, data filtered
  3. Private LLM: on your GPU infrastructure
  4. Response generated: local sources only
  5. Audit log: timestamped and signed
Measurable Results

The concrete impact on your security

Documented results from the first deployment. Zero security incidents related to AI reported by our customers.

Results dashboard (counters): data on third-party servers; request traceability; GDPR compliance score; time to prepare an audit (vs 3 weeks)

Frequently Asked Questions

SkaLean guarantees data residency by architecture, not by contractual promise. Three technical mechanisms make it physically impossible for your data to leave your geographic perimeter:

  1. Local LLM execution: the language model runs on servers physically located in your datacenter or a cloud region you choose (OVHcloud Canada, AWS Canada-Central, Azure Canada East). No request is sent to American or foreign servers.
  2. Complete network isolation: SkaLean instances can be deployed in air-gapped mode (disconnected from the internet). In this mode, even a malicious request could not exfiltrate data because there is no network path to the outside.
  3. End-to-end AES-256 encryption: data is encrypted at rest and in transit with keys you control. For organizations subject to the American Cloud Act, SkaLean on Canadian or European sovereign infrastructure eliminates this risk: American authorities cannot seize data on servers not subject to their jurisdiction.

A monthly traceability report is available to confirm that 0 bytes of data transited outside the perimeter.

The distinction is as much legal as technical.

Classic cloud hosting (AWS us-east-1, Azure Global): your data is physically in the United States or a region controlled by an American company. Even if the servers are in Canada, if the operator (Amazon, Microsoft, Google) is American, the US Cloud Act (2018) allows American authorities to access this data via a court order, without notifying you and without you being able to oppose it.

SkaLean sovereign hosting:

  1. Infrastructure operated by a Canadian or European entity (OVHcloud, Hetzner, DigitalOcean Canada) without a majority American shareholder.
  2. No data transits outside the chosen jurisdiction.
  3. The Cloud Act is not applicable.
  4. GDPR/Law 25 processing register maintained automatically.

What this changes for you concretely: during a GDPR audit or a Law 25 verification, you can precisely answer the question "where are your clients' personal data processed?" and prove it with logs. With classic cloud hosting, this answer is impossible or approximate.

SkaLean is designed from the ground up (privacy by design) to comply with these three regulatory frameworks.

GDPR (European Union):

  1. Processing register automatically maintained for each module.
  2. Right to erasure: any data can be permanently deleted on request, with deletion certificate.
  3. Right of access: export of all data linked to an individual in one click.
  4. Documented legal basis for each processing activity.

Law 25 (Quebec, in force since 2023):

  1. Privacy Impact Assessment (PIA) available on request.
  2. Privacy protection officer can be designated in the administration interface.
  3. Automatic incident notifications within 72h (legal obligation).
  4. Logs of all personal information access.

HIPAA (United States, medical sector): SkaLean can be configured in HIPAA-compliant mode with a signable BAA (Business Associate Agreement), encryption of all PHI (Protected Health Information) at rest and in transit, and complete audit logs of medical data access.

Restriction: HIPAA compliance requires the Enterprise plan and a specific configuration to be validated with our team.

SkaLean applies six layers of personal data protection:

  1. Automatic pseudonymization: before being sent to the LLM, any identified personal data (name, email, phone number, file number) is replaced by an anonymous identifier. The LLM never sees real personal data. The generated response is re-personalized after processing.
  2. AES-256 encryption at rest: all stored data (documents, conversation histories, logs) is encrypted with keys derived from your tenant identifier. Even physical access to the server would not allow reading the data without the key.
  3. TLS 1.3 encryption in transit: all communications between your browser/application and SkaLean are encrypted.
  4. Multi-tenant isolation: your organization's data is strictly separated from other SkaLean clients' data at the database level (PostgreSQL Row-Level Security).
  5. Role-based access control: each employee only accesses data corresponding to their role. Access logs are retained for audit.
  6. Configurable retention period: you define how long data is retained (30 days to 7 years). Deletion is irreversible and certified.
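The pseudonymize-then-re-personalize flow of layer 1 above (and of the "Local Processing" and "Audit Log" steps in the How It Works section), together with a signed, tamper-evident audit record, as an added illustration that is not SkaLean's code. The regex detector, the "DOS-nnnnnn" file-number format, the sample prompt and the HMAC key are constructed assumptions; function names are mine.

```python
# Added example, not SkaLean's code: mask PII before an LLM call, restore it in
# the answer, and emit a tamper-evident (HMAC-signed) audit record.
import hashlib, hmac, json, re, time

# Constructed detector: a few regexes plus a directory of known names.
# "DOS-nnnnnn" is an assumed file-number format, not SkaLean's.
PII_PATTERNS = {
    "FILE": re.compile(r"\bDOS-\d{6}\b"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d[\d\s-]{7,}\d"),
}

def pseudonymize(text, known_names=()):
    """Replace each PII value with a stable placeholder; return (masked, mapping)."""
    mapping = {}                      # placeholder -> real value, never sent to the LLM
    def token(kind, value):
        for k, v in mapping.items():  # reuse the placeholder if a value repeats
            if v == value:
                return k
        k = f"<{kind}_{len(mapping) + 1}>"
        mapping[k] = value
        return k
    for name in known_names:          # names come from a directory, not a regex
        if name in text:
            text = text.replace(name, token("NAME", name))
    for kind, pat in PII_PATTERNS.items():
        text = pat.sub(lambda m, kind=kind: token(kind, m.group(0)), text)
    return text, mapping

def repersonalize(text, mapping):
    """Put the real values back into the LLM's answer after processing."""
    for k, v in mapping.items():
        text = text.replace(k, v)
    return text

def signed_audit_record(key, user, masked_prompt, response):
    """Log content hashes (not raw content) plus an HMAC over the whole record."""
    rec = {"ts": int(time.time()), "user": user,
           "prompt_sha256": hashlib.sha256(masked_prompt.encode()).hexdigest(),
           "response_sha256": hashlib.sha256(response.encode()).hexdigest()}
    body = json.dumps(rec, sort_keys=True).encode()
    rec["sig"] = hmac.new(key, body, "sha256").hexdigest()
    return rec

def verify_audit_record(key, rec):
    """True only if no field has been altered since the record was signed."""
    body = json.dumps({k: v for k, v in rec.items() if k != "sig"}, sort_keys=True).encode()
    return hmac.compare_digest(rec["sig"], hmac.new(key, body, "sha256").hexdigest())

SAMPLE_PROMPT = ("Summarize the dispute for Marie Tremblay (file DOS-481203), "
                 "reachable at marie.t@example.com or +1 514-555-0199.")  # constructed
```

Only the masked prompt and the hashes are logged; the mapping stays with the caller, so a leaked log reveals neither the personal data nor the question.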

SkaLean has a structured 5-phase incident response plan, aligned with ISO 27001 and the notification requirements of Law 25 and GDPR:

  1. Phase 1 — Detection (< 15 minutes): intrusion detection systems (IDS) and anomaly monitoring active 24/7. Any abnormal activity triggers an immediate alert to your security team and ours.
  2. Phase 2 — Containment (< 1 hour): automatic isolation of compromised components, revocation of suspicious access tokens, read-only mode activation if necessary.
  3. Phase 3 — Notification (< 72 hours): in compliance with GDPR and Law 25, automatic notification to your DPO/Privacy Officer and competent authorities if personal data is affected.
  4. Phase 4 — Investigation and restoration: complete audit log forensics (retained 12 months), root cause identification, restoration from encrypted snapshots (RPO < 1 hour, RTO < 4 hours for Enterprise plans).
  5. Phase 5 — Post-incident report: detailed report with timeline, extent of affected data, corrective measures implemented — directly usable for your regulatory incident report.

SkaLean offers 4-level access management, adapted for organizations of 5 to 500 people:

  1. Enhanced authentication: Single Sign-On (SSO) with your existing identity provider (Azure AD, Okta, Google Workspace), configurable mandatory multi-factor authentication (MFA), and time-limited sessions (60 minutes by default, configurable).
  2. RBAC (Role-Based Access Control): 12 predefined roles covering all typical profiles (admin, manager, operator, reader, API developer). Custom roles creatable for organizations with specific needs.
  3. Granular permissions by module and dataset: an employee can have access to the AI Assistant but not Studio AI, or access to HR documents but not legal documents. Permissions are managed visually without technical configuration.
  4. Complete audit trail: every action (login, request, modification, export, deletion) is recorded with user identity, timestamp, source IP, and action result. Logs are retained 12 months (extensible to 7 years for regulated sectors) and exportable in CSV format for your audits.

Deploy AI Without Security Risk

Our team configures the sovereign architecture, sets up audit logs, and generates your GDPR processing register. Deployment in 5 to 20 days, zero external data from day one.