ONE PLATFORM THREE WAYS TO PLACE IT
1
On-premises. Helm release on your Kubernetes, or OpenShift with restricted SCC — no privileged containers. Docker Compose covers VM-based zones and constrained proofs of concept. The engine sits as the final internal node before AI-provider egress.
2
Sovereign private cloud. The same artifacts deploy into a private or sovereign cloud tenancy you control. Placement follows the same rule: detection, vault, keys, and restore stay inside your controlled environment; providers receive tokens only.
3
Air-gapped. An offline bundle — images, models, signed license file — installs with no external connectivity. No license server, no phone-home, no vendor path in. Built for the strictest sovereignty postures.

What you stand up#

The reference footprint is deliberately small:

  • Gateway / data plane — stateless pods behind your load balancer; scale horizontally with throughput.
  • Detection service — runs the self-hosted PII model; GPU-backed where the local detection LLM is used at throughput, with deterministic validators handling structured identifiers on a CPU fast path.
  • Token vault — Postgres with high availability, envelope-encrypted, data keys wrapped by your KMS or HSM. The only stateful component, so your existing Postgres backup and recovery tooling applies.
  • Policy, admin, and audit services — policy-as-code, SSO/SAML and RBAC, token-only audit export to your SIEM.
  • Salus Desktop (Gateway deployments) — the thin endpoint agent, packaged for MDM deployment via Intune or Jamf.

Two packaging tiers#

Salus is packaged in two tiers that share the same engine:

Tier 1 — Salus Gateway Tier 2 — Salus Sovereign Gateway
Capture App/agent lane + Salus Desktop Adds an agentless network lane (ICAP / forward proxy)
Network insertion None — touches nothing in your egress path Optional, where proxy-layer enforcement is required
Identity & admin SSO/SAML, RBAC, audit export — standard Adds SCIM, fine-grained multi-tenancy, retention & legal hold
Key custody Customer-managed keys; HSM/KMS optional HSM/KMS-keyed vault as the standard posture
Resilience Basic high availability Active-active HA, DR runbooks
Sovereignty Full data residency for vault, models, keys, logs Adds air-gapped, no-phone-home operation

Tier 1 is the fast starting point — it requires no change to your network security stack and no decrypting-proxy prerequisite, so a pilot can start with app owners and MDM owners. Tier 2 is the high-assurance expansion for sovereign and heavily regulated environments.

How a rollout runs#

Deployments follow a consistent two-phase pattern, then widen:

  1. Observe. One team, one app or agent, a small managed-device group. Salus runs in observe mode and produces a measured report of what sensitive data was leaving to external AI — including the miss rate and latency distribution measured on your own traffic, not quoted from a datasheet.
  2. Enforce. Masking is switched on. Providers receive tokens; users keep getting useful answers. Failure behavior is agreed per data class before enforcement begins.
  3. Roll out. Coverage widens across teams, apps, and device groups; Tier 2 controls come in when and where the environment requires them.