Air-gap deployments

Air-gapped. It's literally our name.

A standard SaaS contract assumes your data can leave the building. For defense, classified government, regulated healthcare, finance and critical infrastructure, that assumption is the problem. We install the same proven software stack with zero outbound connectivity, signed offline updates and a chain-of-custody you can hand to an auditor.

Zero phone-home · Signed offline updates · Auditor-ready evidence pack
Deployment topology: Isolated

Outside: Public internet
  • vendor SaaS
  • third-party APIs
  • phone-home telemetry
  • auto-update servers
AIR GAP
Inside: Your protected network
  • helpdesk · ERP · classroom
  • tickets, customers, attachments
  • SSO, audit logs, backups
  • all data stays here
1. Signed bundle 2. Sealed jump host 3. Verified install

What it actually means

An air gap is the absence of a wire.

An air-gapped system is one with no network path — physical or logical — to anything outside the trust boundary. No internet. No corporate VPN. No vendor "support tunnel" that quietly checks in once a day. The only thing crossing the gap is what your security officer signs off on, when they sign off on it, on media they choose.

It's the configuration banks use for HSM enclaves, that classified networks use for SIPRNet, that nuclear plants use for safety systems. Done right, it makes most modern threats irrelevant: ransomware can't dial home, exfiltration can't reach the internet, and supply-chain compromises can't auto-update themselves into your environment.

The trade-off is operational. Air-gapped systems are harder to install, harder to update, and harder to monitor. That's the work we do.

/ai·er·gap/ · noun

Aërgap — /ɛːrɡæp/

1. A small studio that installs business software on infrastructure you fully control. Founded 2024.
2. The methodology behind every deployment: no shared tenant, no phone-home, no vendor with a key to your data.
3. The literal capability to ship every tool we deploy with complete network isolation, when the job requires it.

Outbound connections: 0. No telemetry, no licence check, no auto-update. By configuration, not promise.
Vendor access: None. We don't keep keys. There is no support tunnel. Every change is initiated by you.
Update channel: Signed bundle. Cryptographically signed offline package. You verify, then apply.
Evidence pack: Auditor-ready. Runbooks, access logs, change history and SBOM bundled at handover.

Three deployment postures

Not every workload needs full isolation.

Most teams don't actually need a SIPRNet-grade air gap. We offer three deployment postures and help you pick the one that matches your real threat model. You can move between them later as needs change.

Level 01 · Sovereign
Self-hosted, internet-connected.

Standard private deployment. Your VPC, your region, your DNS — but with normal outbound traffic for updates, mail relays and SSO.

  • Single-tenant on your cloud or on-prem
  • SSO via your IdP (Okta · Entra · Google)
  • Online updates with version pinning
  • Encrypted backups to your storage
Most common: ~85% of deployments

Level 02 · Restricted
Disconnected, with controlled egress.

No vendor traffic, no telemetry. Egress is limited to a small, allow-listed set of internal services — typically your IdP, mail gateway and update proxy.

  • No outbound to vendor or third-party SaaS
  • Egress allow-list reviewed quarterly
  • Updates from an internal mirror
  • Local backups + offsite encrypted copy
Regulated workloads: HIPAA · PCI · GDPR

Level 03 · Air-gapped
No network path. At all.

The literal configuration. The protected network has no route to the internet, no route to your corporate LAN, and the only ingress is a sealed jump host with strict change control.

  • Zero outbound, zero inbound from internet
  • Signed offline update bundles only
  • Sealed jump host with two-person rule
  • SBOM + chain-of-custody at install
  • Compatible with classified network enclaves
Defense · classified · OT: Quote-based

Where it matters

Teams who can't phone home.

If your operating environment lists "no outbound traffic" as a control, or your legal team has redlined "vendor access" out of every contract for the last three years, the rest of this page was written for you.

Defense & classified

Programs operating on networks where SaaS is categorically prohibited. Helpdesk, ticketing, classroom and ERP on the right side of the diode.

ITAR · CMMC · IL4 — IL6 · SIPRNet-adjacent

Government & agencies

Sovereign-cloud or on-prem deployments where data residency is a statute, not a setting. Configurable for FedRAMP-aligned, EU-only or GCC-only operation.

FedRAMP-aligned · UK Official-Sensitive · EU sovereign

Healthcare & pharma

Hospitals, payers, clinical research, GMP manufacturing. PHI never traverses an internet link it shouldn't, and audit logs are ready before the regulator asks.

HIPAA · HITECH · 21 CFR Part 11 · GxP

Banks & finance

Regulated business lines, brokerages, payment processors, and any team whose risk register has "third-party SaaS data egress" near the top.

SOX · PCI DSS · MiFID II · DORA

Critical infrastructure & OT

Energy, water, transport, manufacturing — anywhere an IT system sits next to operational technology and an air gap is the safety control.

NERC CIP · IEC 62443 · NIS2

Law & professional services

Privileged client data, M&A data rooms, sensitive litigation. Strict tenancy guarantees with no cross-tenant inference and no third-party LLMs by default.

ABA Model Rule 1.6 · SRA · attorney-client work product

Universities & research

Institutes holding student records, exam material, controlled-unclassified research (CUI) and grant-funded data with sovereignty clauses.

FERPA · CUI · export-controlled research

Sovereign-cloud-only

Public sector and SOEs in countries with data-localisation laws. We deploy into your national cloud (or hardware) without ever leaving the jurisdiction.

GDPR Art. 28 · CN PIPL · IN DPDP · KSA NDMO · UAE DPL
How we ship it

The same playbook, five careful steps.

An air-gapped install is not a different product — it's the same Zammad, Odoo and AI workloads (and Classverse, July 2026) we deploy everywhere else, fitted into a network with strict ingress and zero egress. The work is in the chain of custody, not the software.

Threat-model session

We sit with your security officer to map the trust boundary, define the gap (physical, logical, or both), and pick the deployment posture. Output: a one-page topology you can show your CISO.

~1 week

Sealed bundle build

We build a deterministic install bundle with pinned versions, SBOM, and SHA-256 + GPG signatures. Tested end-to-end in a mirror environment that matches yours bit-for-bit.

SHA-256 · GPG · SBOM

Transfer & verify

Bundle moves through your sanctioned data-diode or sealed jump host. Your team verifies signatures on the receiving side. Nothing installs until you say so.

Two-person rule

Install & harden

CIS-benchmark baselines, role-segregated SSO from your local IdP, encrypted storage, least-privilege admin accounts. All deployment automation runs inside the gap.

CIS · STIG-aligned

Handover pack

Runbooks, access matrix, change history, SBOM, and the signed offline-update process — printed and on encrypted media. You operate. We're a phone call away, by your choice.

Evidence pack
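
The receiving-side check from the "Transfer & verify" step, as an added example (not aërgap's own tooling). It assumes a bundle layout the page does not specify: a sha256sum-style manifest with a detached GPG signature beside it at `<manifest>.asc`, a payload directory, and a signer fingerprint obtained out of band; all function names are hypothetical. It goes slightly beyond the text by pinning the signer's fingerprint and rejecting files the manifest does not list.

```python
import hashlib, os, subprocess

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_manifest(text):
    """Parse sha256sum-style lines; refuse paths that escape the bundle."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, name = line.split(None, 1)
        name = name.lstrip("*")  # sha256sum marks binary mode with '*'
        if name.startswith("/") or ".." in name.split("/"):
            raise ValueError(f"unsafe path in manifest: {name}")
        entries[name] = digest.lower()
    return entries

def check_files(payload, manifest_text):
    """Return sorted problems: modified, missing or unlisted files."""
    expected, seen, problems = parse_manifest(manifest_text), set(), []
    for dirpath, _, files in os.walk(payload):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, payload).replace(os.sep, "/")
            seen.add(rel)
            if rel not in expected:
                problems.append(f"unlisted: {rel}")
            elif sha256_file(full) != expected[rel]:
                problems.append(f"modified: {rel}")
    return sorted(problems + [f"missing: {n}" for n in expected if n not in seen])

def validsig_fingerprints(status_text):
    """Signing-key and primary-key fingerprints from gpg's VALIDSIG status line."""
    for parts in map(str.split, status_text.splitlines()):
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) > 2:
            return {parts[2], parts[-1]}
    return set()

def verify_bundle(manifest, payload, pinned_fpr):
    """True only if the pinned key signed the manifest and every file matches it."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", manifest + ".asc", manifest]
    gpg = subprocess.run(cmd, capture_output=True, text=True)
    if gpg.returncode != 0 or pinned_fpr not in validsig_fingerprints(gpg.stdout):
        return False  # exit 0 alone only proves *some* keyring key signed it
    with open(manifest) as f:
        return check_files(payload, f.read()) == []
```

The signature is checked before any file is hashed, so an unsigned or wrongly signed manifest is never trusted as the source of expected digests.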

Compliant by configuration, not by promise.

We don't sell certifications — we configure the deployment to align with the frameworks your auditor uses.

SOC 2 Type II: Trust-Services Criteria controls mapping
ISO 27001: Annex A controls catalog
HIPAA · HITECH: Technical safeguards, audit log retention
FedRAMP-aligned: NIST 800-53 Moderate/High
CMMC L2 / L3: DoD contractor environments
PCI DSS v4: Network segmentation, scoped CDE
GDPR · Art. 28: Processor agreements, residency controls
NIS2 · DORA: EU operational-resilience essentials
FIPS 140-3: Validated cryptographic modules
NERC CIP: Bulk electric system cyber assets
IEC 62443: Industrial automation & control
CJIS: Criminal-justice information services

FAQ

Questions your CISO will ask.

If yours isn't here, a 20-minute call with us and your security officer is usually the fastest path.

Both kinds exist on this page. Level 02 ("Restricted") is what most vendors call air-gapped — disconnected with a small allow-list. Level 03 is the real article: no route to the internet, no support tunnel, signed offline updates only. We don't blur the line. Your security officer picks the posture and we deploy to it.
We build a deterministic, version-pinned update bundle with an SBOM and detached GPG signature, tested in a mirror environment. The bundle is delivered through your sanctioned transfer process (data diode, sealed jump host, encrypted media). Your team verifies the signature on the inside, then applies on a maintenance window. There is no auto-update.
Yes — from your internal services, not vendor ones. SSO via your in-environment IdP (Active Directory, internal Keycloak, classified SAML). Backups to your storage, encrypted with keys you hold. Monitoring via your existing SIEM (Splunk, Elastic, Wazuh). Everything lives inside the gap with you.
They don't, and we make a point of this. AI features run on local open-weights models (Llama, Mistral, Qwen and the like) hosted inside your environment, with retrieval pulling only from your data. No prompt or response ever traverses an outbound link. Performance is bounded by your GPU budget, not by what a public API will allow you to send.
On Level 03 deployments, no. There is no aërgap-controlled account, no break-glass tunnel, no third-party support hop. When you call us, you screen-share, or you bring us in via your sanctioned vendor-escort process. On Level 01/02 deployments we can hold a time-bound, IP-allow-listed admin role if you want us to — entirely your call.
A handover pack containing: the architecture diagram with trust boundaries, the SBOM for every shipped component, control mappings (we'll align to whichever framework you use — SOC 2, ISO 27001, HIPAA, FedRAMP, CMMC), the runbook, the change-log template, the backup/DR drill records, the SSO and RBAC matrices, and the signed-update workflow. Printable and on encrypted media.
Yes — provided you can sponsor us through your access process. We've designed deployments for SCIF environments, IL4 — IL6 classified clouds (AWS GovCloud, Azure Government, Oracle Government), and several national sovereign clouds in EMEA and APAC. Air-gapped on-prem hardware is also fully supported.
Level 01 and 02 are within our standard pricing bands. Level 03 air-gapped deployments are quote-based — typically 1.5× to 3× the equivalent connected install, driven by the bundle-build process, the on-site time, the documentation rigour, and any clearance overhead. Still cheaper than the per-seat alternative once you cross ~20 users.

Bring your air-gap requirements. We'll meet them.

Most teams leave a 30-minute call knowing whether Level 02 is enough or they actually need Level 03 — and how much each would cost. No deck, no slide-ware. Bring your security officer.