Trust
Security and compliance.
The primary security property of Modelsmith is architectural: your training data and model weights never leave the hardware you control. This page documents that architecture, where we are on formal certifications, and how to report a vulnerability.
Architecture
The air-gap is structural, not contractual.
Most AI compliance questions reduce to data egress: where does your data go, who processes it, and under what legal basis. With Modelsmith, the answer is that your data does not go anywhere. The architecture eliminates the egress problem rather than trying to govern it.
- Training data stays on your hardware: Modelsmith runs the entire iterate loop on the compute node you provision. Training scenarios, fine-tuning runs, and eval transcripts are written to your local filesystem. No training data is transmitted to Agentsia or any third party at any point in the cycle.
- Model weights are yours: Promoted models are standard open-weights artefacts stored in your model registry. Agentsia does not retain a copy. You can export, serve, or migrate the weights at any time without our involvement.
- Evidence bundles are local: Every promotion decision produces an evidence bundle: eval transcripts, scoring rubrics, decision log, and model card. These are written to your infrastructure and never transmitted to Agentsia. Your governance team reviews them from your own tooling.
- No inference call leaves the network: Deployed specialist models serve inference on your hardware. There is no callback to a cloud API, no usage telemetry sent to Agentsia, and no network dependency for production inference.
- The Modelsmith CLI and MCP tools are the only network surface: The CLI and MCP control-plane tools communicate with your local Modelsmith runtime. They do not phone home. Licence validation is handled at installation; there is no per-use licence check that requires a network call.
- Air-gap deployment is supported: Modelsmith can be installed and operated in fully air-gapped environments. The base model weights are downloaded once from Hugging Face at setup time; after that, no external connectivity is required.
Compliance
Where we are, honestly.
We publish this matrix because regulated buyers in health, fintech, and automotive need to know the actual state of certifications before starting an evaluation. We will update this page as each milestone is reached.
Standard | Scope | Status
UK GDPR | Website and product | Product architecture eliminates data-processor relationships. Website privacy policy published. Cookieless analytics. DPO contact available.
SOC 2 Type II | Product | Controls mapping complete. Audit engagement scheduled. Target: Q3 2026.
ISO 27001 | Organisation | Scheduled after SOC 2 audit. Gap analysis in progress. Target: H1 2027.
External pentest | Website and CLI | First external penetration test of the website and Modelsmith CLI scheduled Q2 2026.
SLAs | Licence tiers B and C | Response SLAs are defined per licence tier. Enterprise (Tier C) SLAs are negotiated per contract.
Sub-processors | Product | Modelsmith has no sub-processors. The product runs entirely on customer infrastructure. Website sub-processors: Vercel and Resend (see privacy policy).
Vulnerability disclosure
Report a vulnerability.
If you discover a security vulnerability in agentsia.uk or the Modelsmith platform, please report it to us privately. We will acknowledge receipt within one business day, investigate, and keep you informed of our progress.
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate it. We will agree a disclosure timeline with you.