Nexus One AI Basic Tier
Security & Privacy

Your Data Never Leaves Your Building

Nexus One AI runs entirely on your own servers. No internet connection required. No data sent to any cloud. Full control stays with your organisation.

Air-Gapped: Operates fully offline
On-Premises: Your hardware, your network
No Cloud: Zero external API calls
Local Storage: All data stays on your server
Access Control: User login & permissions

The most important question: where does my data go?

Nowhere. It stays on your server.

When you type a prompt, upload a document, or ask the AI a question, that data is processed entirely by the AI model running on your own server — the same server sitting in your data centre or server room. It does not travel to OpenAI, Anthropic, Google, or any other company. It does not touch the internet. The AI model itself is stored locally and runs locally.

This is fundamentally different from consumer AI tools like ChatGPT or Gemini, where every message you send is transmitted to and processed by a third-party cloud. With Nexus One AI, the only network involved is your internal network.

How the architecture enforces this
01. Fully self-contained system

Every component — the AI model, the chat interface, the document database, the API — is installed on your server before deployment. Nothing is fetched from the internet at runtime. The system can operate in a facility with no external network connection whatsoever.

02. Models run on your GPU

The AI inference (the process of generating a response) happens on the NVIDIA GPU installed in your server. The model weights — the "brain" of the AI — never leave your hardware. You own the compute, you own the process.

03. Documents stored in your database

When you upload documents for AI analysis, they are stored in ChromaDB running on your server. Document contents, embeddings, and query results all remain within your infrastructure. Uploading a tender document to the AI is no different from saving it to a local file server — it doesn't go anywhere external.

04. No telemetry or usage reporting

Nexus One AI does not collect usage statistics, prompt logs, or analytics and send them anywhere. There is no "phone home" behaviour. Cezen does not have visibility into what prompts you run, what documents you upload, or what responses the AI gives your staff.

05. Open-source models with known weights

The AI models used (Llama 3.1, Mistral, Gemma, and others) are open-source models with publicly auditable weights. There are no hidden backdoors or proprietary model components — the model files are inspectable by your security team.

06. Network access is internal-only

The system is configured to be accessible only within your organisation's internal network (LAN). Access from outside your network requires your own VPN or jump server — Nexus One AI does not expose any service to the public internet by default.
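
One way an administrator can check the no-outbound-traffic claims in items 01, 04 and 06 on a deployed server, as an added example (not Cezen's code): parse the TCP socket table and list every peer outside internal address ranges. The internal ranges, the function names and the sample `ss -tn` output are assumptions constructed for illustration.

```python
import ipaddress

# Address ranges treated as internal (loopback, RFC 1918, link-local, IPv6 ULA).
# Assumption: adjust to the ranges your LAN actually uses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample of `ss -tn` output; addresses and ports are made up.
SAMPLE_SS = """\
State    Recv-Q Send-Q Local Address:Port      Peer Address:Port
ESTAB    0      0      10.20.0.5:8080          10.20.0.41:51522
ESTAB    0      0      127.0.0.1:8000          127.0.0.1:40112
ESTAB    0      0      10.20.0.5:44310         203.0.113.7:443
ESTAB    0      0      [fd00::5]:8080          [fd00::41]:40000
ESTAB    0      0      [::ffff:10.20.0.5]:8080 [::ffff:10.20.0.41]:40002
SYN-SENT 0      1      10.20.0.5:44312         198.51.100.9:443
"""

def is_internal(host):
    """True if host (an IP literal, optionally bracketed or zoned) is in INTERNAL_NETS."""
    addr = ipaddress.ip_address(host.split("%", 1)[0].strip("[]"))
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 peer
    return any(addr in net for net in INTERNAL_NETS)

def external_peers(ss_output):
    """Return (state, local, peer) for every TCP socket whose peer is not internal."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip blanks, the header row and listening sockets (their peer is a wildcard).
        if len(fields) < 5 or fields[0] in ("State", "LISTEN"):
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        host = peer.rpartition(":")[0]
        try:
            internal = is_internal(host)
        except ValueError:
            internal = False  # unparseable peer: report it rather than hide it
        if not internal:
            findings.append((state, local, peer))
    return findings

if __name__ == "__main__":
    for state, local, peer in external_peers(SAMPLE_SS):
        print(f"non-internal peer: {peer} (state {state}, local {local})")
```

A snapshot like this only covers TCP sockets open at the moment it is taken, so an empty result is consistent with the claims rather than proof of them; egress logs on the perimeter firewall give continuous evidence.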

What this means for sensitive government data

Classified and restricted documents

You can use the AI to analyse documents at your organisation's classification level, as long as the server itself is appropriately secured and network-isolated for that classification. The AI processing does not introduce any new data pathway that wasn't already present on your network.

Personally identifiable information (PII)

Employee records, citizen data, and other PII can be processed without the risk of inadvertent disclosure to a third-party AI provider. Data handling obligations under your jurisdiction's privacy legislation remain manageable because all processing is internal.

Procurement and tender information

Commercially sensitive tender documents, vendor proposals, and contract terms can be analysed by the AI without any risk of exposure to competitors or external parties — a critical requirement when dealing with active procurement processes.

Legal and compliance documents

Legal advice, audit findings, compliance assessments, and investigation records can be processed safely. Attorney-client privilege and regulatory confidentiality requirements are not compromised by AI usage because there is no third party involved in the processing.

User access and authentication
1. Individual user accounts

Each staff member accesses Open WebUI with their own username and password. Accounts are created and managed by your system administrator. There is no shared login — every session is tied to a specific user.

2. Conversation isolation

Each user's conversation history is private to their account by default. Staff cannot see each other's chats or the documents others have uploaded. Administrators can configure shared spaces where needed.

3. Administrator control

Your designated system administrator has full control over user accounts — they can create, disable, or delete accounts at any time. When a staff member leaves, their account and conversation history can be removed immediately.

4. Network-level restriction

The system is accessible only from devices on your internal network. Staff cannot access the AI system from personal devices on home internet unless your IT team explicitly enables this through your own VPN infrastructure.

Nexus One AI vs. cloud AI services

| Question | ✅ Nexus One AI (On-Premises) | ⚠️ Cloud AI (ChatGPT, Gemini, etc.) |
|---|---|---|
| Where is my data processed? | On your own server, on your premises | On third-party cloud servers overseas |
| Does the AI provider see my prompts? | No — Cezen has no access to your usage | Yes — provider receives and logs all input |
| Can I use it without internet? | Yes — fully air-gapped capable | No — requires internet connection |
| Is my data used to train future models? | No — data never leaves your network | Depends on provider terms; often yes by default |
| Who controls user access? | Your organisation's IT administrator | Each user manages their own account |
| Where are documents stored after upload? | In your local ChromaDB database | On provider's cloud storage |
| Suitable for restricted/classified work? | Yes, subject to your network classification | No — data leaves your security perimeter |
| Compliant with data residency requirements? | Yes — data never crosses borders | Varies — data may be stored internationally |

Good security practices for your team

Use your own account

Never share your Open WebUI login with colleagues. Each person should have their own account. This ensures conversation history is private and access can be individually revoked when needed.

Lock your screen

The AI chat interface runs in a browser. Lock your computer when stepping away to prevent others from reading your conversation history or uploading documents under your account.

Log out when done (shared workstations)

On shared workstations, always log out of Open WebUI when you are done. Your conversation history, including any documents you have discussed, remains visible until you log out.

Report unusual behaviour

If the AI behaves unexpectedly, produces outputs that seem wrong, or if you notice anything unusual about the system, report it to your administrator. Don't share the output externally until the issue is understood.

Security questions or concerns?

If your organisation's security team needs technical documentation, architecture diagrams, or a briefing on the system's security posture, contact Cezen support.