Security Data residency On-prem

Residency is where your data sits. Sovereignty is who can be ordered to hand it over.

Most "data stays in your region" promises solve the first and leave the second untouched. On the on-prem Hive deployment, your data stays inside your own infrastructure, so there is no third party left to compel.

Book a Demo See how it works

The distinction that matters

A local datacentre run by an out-of-jurisdiction company is still reachable under that company's law.

Data residency means the bytes are physically located in a chosen country. It is a real property and it matters. It is not the same as data sovereignty, which is about which jurisdiction governs the company that operates the infrastructure.

A cloud provider answers to the law of the jurisdiction it is controlled from, wherever its datacentres are. Placing your data in that provider's local region changes where the bytes sit. It does not change who can be ordered to produce them. Sovereignty is reached only when there is no out-of-jurisdiction third party in the path at all, and the strongest version of that is hardware you own and operate yourself.

Fig. 1 With Hive on-prem, the boundary has no outbound path. Without it, your data follows a path out to an external cloud, into a jurisdiction that may not be only yours.

What on-prem removes

Two ways your data leaves your control, and how on-prem closes both.

Cross-jurisdiction reach

A cloud provider can be compelled, under the law it answers to, to disclose customer data regardless of where that data is physically stored. The US CLOUD Act is one well-known instance of this general rule. Residency does not defeat it, because the obligation attaches to the provider, not to the datacentre. On-prem Hive removes the provider from the equation, so there is nothing for such an order to reach.
Litigation discovery

Prompts and responses sent to a third-party AI service are records held by another party. They are discoverable, subject to subpoena and preservation, and outside your control once they have left. On-prem inference keeps those records inside your own systems, where your existing legal holds and retention policies already govern them.

A US court has already ordered a major AI provider to preserve chat logs.

The architecture

When the data never leaves, there is nothing to compel.

The exposure exists because a third party holds your data. Hive's on-prem deployment is built so that no third party ever does.

Open-weight model weights run entirely on your hardware.
Every inference executes locally.
No prompt, no response, and no document calls an external API or leaves your network boundary.

Designed-for controls, not certifications

Not a compliance certification. A control architecture you can audit.

Hive is designed for on-prem data residency, and customers validate regulatory fit with their own counsel. The controls below are architectural facts you can inspect, not badges we claim.

The model runs inside your network.
The inference path has no outbound call.
You hold the hardware, the keys, and the logs.

Designed to support, verify with counsel

Hive provides the control architecture. Your auditor confirms the fit.

The following is general information, not legal advice. Hive is not compliant with, certified for, or ready for any of these frameworks, and we are not pursuing such a certification. What we describe is the on-prem control architecture Hive provides to help you meet obligations you already carry, mapped to the relevant area. Confirm scope and current text against your own auditor or counsel.

Finance
Hive provides the on-prem control architecture to help financial institutions meet OSFI Guideline B-10 (third-party and outsourcing risk), OSFI Guideline B-13 (technology and cyber risk), SOC 2, and PCI DSS obligations, among others. Keeping data on hardware you control simplifies third-party isolation and audit, and removes the cross-border transfer step from the picture. Validate with your own auditor.
Healthcare and privacy
Hive provides the on-prem control architecture to help health and privacy obligations under HIPAA (US healthcare), PHIPA (Ontario), and PIPEDA (Canada), among others. Keeping personal health information on hardware the custodian controls keeps it under the custodian's direct accountability, with no external service provider in the data path. HIPAA applies to US healthcare only and does not cover banking. Validate with your own counsel.
Legal
Professional duties of confidentiality, such as those under the Law Society of Ontario rules in Ontario and SRA rules in the UK, expect client confidences to stay protected. On-prem keeps client matter data inside the firm, with no third-party processor in the chain. Validate with your own counsel.
Government and defence
For environments that permit no outbound network path, Hive supports air-gapped and offline deployment, so inference runs with no external connectivity at all. Validate suitability for your accreditation requirements with your own authority.
Region notes
In the UK, FCA and PRA SS2/21 cover material-outsourcing audit rights, documented exit plans, and concentration risk, and UK GDPR covers international-transfer controls. On-prem removes the material-outsourcing relationship and the international-transfer step. In Canada, Quebec Law 25 requires a privacy impact assessment before transferring personal information outside Quebec, and on-prem removes that transfer trigger. Validate current text and scope with your own counsel.

Hive Cloud is different

We state the boundary plainly.

The hosted Hive tiers run on third-party infrastructure. They run only on in-region infrastructure under your own jurisdiction, which removes the cross-jurisdiction reach an out-of-region host would carry, but they still do not carry the same data-residency properties as the on-prem edition. If your requirement is that data stays on hardware you control, the on-prem edition is the one that meets it.

Disclaimer

Hive's on-prem deployment is designed so that your data does not leave your infrastructure. This is an architectural property, not a compliance certification. Whether this architecture satisfies your organisation's obligations under PIPEDA, HIPAA, or other frameworks is a determination your team must make with qualified legal counsel. S Cubed does not provide legal or compliance advice.

Common questions

Frequently asked questions

What is the difference between data residency and data sovereignty?

Residency is where your data physically sits. Sovereignty is which jurisdiction governs the company that holds it. A provider's Canadian data centre keeps the bytes in Canada, but if that provider is foreign-controlled a foreign court order can still reach them. On-prem Hive removes the third party from the data path.

Can Hive run in an air-gapped environment?

Yes. Hive runs inference entirely on hardware you own, with no outbound network path required, which supports fully air-gapped and offline deployments.

See it run inside your own network.

Book a Demo See Pricing