Network
On-premise inference. No outbound. Air-gap supported.
Security
Sovereign security posture.
Air-gappable deployment. No outbound calls. No third-party telemetry. No US CLOUD Act exposure. Hospital-owned identity, hospital-owned data, hospital-owned audit.
Security, by construction
Data
Patient data never leaves the hospital. Encrypted at rest, in transit, in inference.
Identity
Hospital-owned identity. No third-party auth provider. No SSO leak.
Telemetry
None. No third-party analytics. No third-party trackers. No phone-home.
Threat model
CLOUD Act exposure: zero, the inference does not cross the perimeter. Vendor compromise: containable, the model is hospital-owned and offline-capable. Side channel: the audit chain is append-only and portable, evidence survives the box. Insider threat: every query, every signature, every reasoning step is on the chain.
- 0
- outbound calls
- 0
- third-party telemetry
- Air
- gap supported
- On
- prem identity
Why no third-party JavaScript
A medical instrument that loads scripts from a CDN is not a medical instrument. LUMEN ships every animation library, every script, every asset, self-hosted. Zero third-party JavaScript. Zero analytics. Zero trackers.