Intelligence infrastructure must be as secure as the intelligence it carries.
MIOS is built for environments where security is not a feature · it is a precondition. Every architectural decision, from ingestion to storage to access, reflects that requirement. Trust is not a policy position here. It is an engineering constraint · embedded in access controls, audit systems, data handling and AI transparency.
🇮🇳 Built in India · Deployed for institutions
AES-256 · TLS 1.3
Authenticated · logged
In-jurisdiction only
Encryption at rest
Encryption in transit
Access model
India-first deployment
Core principles
Security architecture built for national-level deployments.
Six commitments define how MIOS handles data, grants access and governs its own intelligence outputs. Each one is enforced in the architecture, not just written in a policy.
Privacy by Default
Data minimization is a design constraint, not a setting. Behavioral data is never monetized, never profiled beyond intelligence scope and never shared with third parties. Your conversations, inputs and files remain yours.
Zero Trust Access
Every access request · internal or external · is authenticated, authorized and logged. No implicit trust based on network location. Role-based controls govern data access down to the individual record.
Sovereign Infrastructure
India-first deployment architecture. Government deployments operate within the client's jurisdiction. No intelligence data is routed through foreign infrastructure. Sovereign cloud and on-premise options are available for every government contract.
Full Auditability
Every Merdot AI output carries confidence scores, data provenance and a reasoning chain. Every data access event writes to an immutable audit trail. Outputs are examinable, exportable and challengeable.
DPDP Aligned
Compliance posture aligned with India's Digital Personal Data Protection Act 2023. No secondary monetization of processed data, and no handling that conflicts with the client's own regulatory obligations.
Human Decision Authority
MIOS is an intelligence support system. AI enhances human judgment · it never replaces it. Every consequential decision remains with the operator, and MIOS is engineered to keep it that way.
Deployment models
Three configurations for three security postures.
MIOS meets institutions where their security requirements are · from managed private cloud to fully air-gapped, client-owned hardware.
Configuration A
Sovereign Cloud
MIOS deployed on cloud infrastructure within the client's national jurisdiction. All data, processing and model inference occurs inside the sovereign boundary. Recommended for government and defence-adjacent deployments.
- Infrastructure within national jurisdiction
- No cross-border data transfer
- Client-managed encryption keys
- Dedicated tenancy, no shared infrastructure
- Compliant with national data protection frameworks
- Merdot access requires explicit client authorization
Configuration B
Air-Gapped On-Premise
Fully isolated MIOS deployment on the client's own physical infrastructure. Zero network dependency for core intelligence functions. Built for environments with the highest security classifications.
- Deployed on client-owned hardware
- No internet dependency for core functions
- Model and signature updates via secure channel
- Physical security controls at client discretion
- No telemetry or usage data leaves the environment
- Available for classified government environments
Configuration C
Managed Private Cloud
MIOS hosted on Merdot's managed infrastructure with dedicated tenancy, enhanced access controls and enterprise SLA. For corporate intelligence deployments requiring maximum security without on-premise overhead.
- Dedicated cloud tenancy · no shared resources
- SOC 2 Type II compliant infrastructure
- Client-defined data residency options
- 99.9% uptime SLA with active incident response
- Quarterly security audits and penetration testing
- Full audit log export on request
The security stack
Secured at every layer · from signal to operator.
Security is not applied at the edge and hoped for elsewhere. It is enforced at each stage of the intelligence pipeline, inside the deployment boundary.
Ingestion
Signals enter through hardened, authenticated channels. Provenance and source quality are tagged at the point of ingest · before anything reaches the graph.
Processing
Entity recognition, sentiment calibration and narrative parsing run inside the deployment boundary. No intelligence data is sent to external providers.
Reasoning
The Merdot AI engine runs on a dedicated model instance per deployment. Model weights, inference and training pipelines stay within the sovereign boundary.
Storage
AES-256 at rest, client-managed keys, dedicated tenancy. Encryption keys never leave the deployment jurisdiction.
Access
Every operator request is authenticated, role-scoped and written to an immutable audit trail · down to the individual record.
Technical controls
Security controls across every system layer.
A baseline that applies to every deployment · with additional controls layered in for sovereign and air-gapped environments.
| Control area | Measure | Standard |
|---|---|---|
| Data in Transit | TLS 1.3 enforcement across all connections | Mandatory |
| Data at Rest | AES-256 encryption for all stored data | Mandatory |
| Authentication | Multi-factor authentication for all operator accounts | Mandatory |
| Access Control | Role-based access with least-privilege enforcement | Mandatory |
| Audit Logging | Immutable audit trails for all data access events | Mandatory |
| Key Management | Client-managed keys for sovereign deployments | Default |
| Vulnerability Management | Continuous scanning + quarterly penetration testing | Active |
| Incident Response | 24/7 security operations with a defined SLA | Active |
Merdot AI operates within your security boundary.
The reasoning engine that powers MIOS is not a shared, external API. It runs inside the deployment · so intelligence data never leaves the jurisdiction it belongs to.
Inside the sovereign boundary
The Merdot AI reasoning engine · model weights, inference infrastructure and training pipelines · can be deployed entirely within the client's sovereign boundary. No intelligence data is sent to external AI providers or third-party model APIs.
Dedicated model instances
Merdot AI does not use shared model infrastructure. Each institutional deployment maintains its own model instance. Training on client data for customized models occurs entirely within the deployment boundary.
Offline mode for the highest classifications
For the highest-security deployments, Merdot AI operates offline: models are pre-loaded and updated via secure channel, with no runtime external network calls required for intelligence generation.
Governance & acceptable use
Powerful intelligence, bound by clear rules.
MIOS is deployed under an Institutional Deployment Agreement that defines who may use it and how. These rules are enforced, and their violation ends access.
Access and eligibility
MIOS is an institutional platform. Access is restricted to clients that have executed a Master Services Agreement or Institutional Deployment Agreement. It is not available to private individuals, or to entities whose intended use conflicts with our Acceptable Use Policy.
Permitted use
Clients may monitor and analyze information environments within their legitimate operational jurisdiction, generate briefings for internal decision-making and integrate the MIOS API with their own systems · under the terms of the applicable agreement.
Prohibited use
MIOS may not be used to generate or amplify disinformation or coordinated inauthentic behavior, to target people by religion, ethnicity, caste or political belief, to suppress journalists or legitimate opposition, or for offensive information operations. Violation ends access.
Confidentiality
Merdot does not disclose client intelligence data, usage patterns or configuration details to third parties except as required by law or authorized in writing by the client. Classified deployments follow the handling requirements of the applicable agreement.
MIOS provides intelligence analysis and advisory outputs. All consequential decisions remain the responsibility of the client and its authorized users. These Terms are governed by the laws of India, with jurisdiction in the courts of Ahmedabad, Gujarat, unless a bilateral agreement or treaty relevant to a government client provides otherwise.
Found something? Tell us.
We take security reports seriously. If you believe you have discovered a vulnerability affecting MIOS or Merdot infrastructure, report it privately and give us a reasonable window to remediate before any public disclosure. We do not pursue good-faith researchers who act within these terms.
Report to contact@merdot.comContinuous scanning
Automated vulnerability scanning runs continuously across the deployment surface.
Quarterly pen testing
Independent penetration testing on a defined quarterly cadence, with summaries available under NDA.
Immutable audit trails
Every access event is logged to a tamper-evident trail, exportable in full on request.
24/7 incident response
A security operations function with a defined response SLA for active incidents.
Security documentation
Review our full security posture.
Detailed technical specifications, penetration testing summaries, compliance certifications and deployment architecture documentation are available under NDA for qualified institutional evaluations.
Merdot Technologies · Ahmedabad, Gujarat, India · contact@merdot.com