Architecture · deployment boundary · 2026.4

Your VPC. Your weights. Zero egress.

Nodes deploys single-tenant inside your cloud account. Model training, inference, scoring, and every decision trace run on infrastructure you own. No external API calls. No OpenAI or Anthropic in your supply chain. No data leaves the boundary — because there's nowhere for it to go.

Deployment · Single-tenant VPC
Attestation · SOC 2 Type II
Egress · 0 bytes / call / day
Weights · Customer-owned
Legal & security review

One Fortune 500 carrier rejected six AI vendors in eighteen months. They approved Nodes in seventeen days.

Most AI vendor reviews collapse at data residency, model supply chain, or egress controls. Nodes answers those three objections structurally — there is nothing to approve because there is nothing that leaves your cloud account.

The side-by-side below is a redacted composite of one actual deployment timeline versus the prior vendor stack that procurement, security, and legal had already rejected.

Prior stack · hosted gen-AI vendor · 547 days · rejected

| Day | Stage | Detail | Status |
|---|---|---|---|
| 001 | Initial procurement intake | RFP · scoring rubric · vendor shortlist | opened |
| 048 | DPA & subprocessor disclosure | OpenAI + Anthropic flagged as subprocessors | stalled |
| 127 | Security architecture review | data egress to vendor cloud · unresolved | stalled |
| 284 | Model supply-chain review | third-party LLM weights · not inspectable | blocked |
| 402 | Counsel review · regulator pre-brief | NYDFS · NAIC model-audit exposure | blocked |
| 547 | Final disposition | 6 vendors in rotation · none approved | rejected |

Outcome · 0 deployments · cycle · 18 months

Nodes · single-tenant VPC · 17 days · approved

| Day | Stage | Detail | Status |
|---|---|---|---|
| 01 | Kickoff · architecture walkthrough | shared VPC diagram · boundary manifest · SOC 2 report | cleared |
| 03 | DPA signed | no subprocessors · no egress · template acceptable as-is | cleared |
| 06 | Security architecture review | Terraform module reviewed · network policies verified | cleared |
| 09 | Model supply-chain review | open-source foundation · weights delivered in-cluster | cleared |
| 13 | Counsel review · regulator pre-brief | auditable decision traces · no black-box exposure | cleared |
| 17 | Final approval · deploy | helm install · first score written back to ATS in 4h | approved |

Outcome · production deployment · cycle · 17 days
Deployment boundary

Everything runs inside your VPC. Nothing crosses the line.

Four lanes, one account, one tenant: control plane, model plane, customer data, audit. No shared infrastructure with another customer. No Nodes-operated inference. No path to the public internet from anything that touches your data.

Deployment boundary diagram · customer VPC · single-tenant · network policy · egress = 0

Customer VPC · single-tenant · CIDR 10.40.0.0/16
  Control plane
    • Orchestrator · job graph · retries · quorum
    • Admin console · SSO · SCIM · RBAC
  Model plane
    • Weights store · KMS-encrypted · customer-owned
    • Inference · in-cluster GPU · p50 74 ms
    • Fine-tune · quarterly · on customer data
  Customer data · read-through
    • ATS · Workday · Greenhouse · iCIMS
    • HRIS · Workday HCM · UKG · ADP
    • CRM · Salesforce · Dynamics
  Audit & telemetry
    • Decision trace · signed · append-only
    • SIEM export · Splunk · Datadog · custom
    • Secrets / KMS · customer-held keys
  Egress = 0 · network policy enforced · denied by default

Outside boundary · attempted traffic is dropped: openai.com · anthropic.com · api.nodes.inc · vendor inference · public model registry · candidate telemetry · PII exfil
External API calls · 0 · Per inference. Per day. Per deployment. Verified by egress policy.
Bytes egressed · 0 B · No candidate, employee, or production data leaves the boundary.
Inference p50 · 74 ms · In-cluster GPU. Customer VPC. No round-trip to a vendor cloud.
Weights owned by · Customer · Delivered into your weights store. Encrypted with your KMS keys.
Tenants on your cluster · 1 · Single-tenant by design. No noisy neighbor. No cross-tenant index.
Nodes-operated infra · None · Nodes ships software. Nodes does not run your inference.
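The "verified by egress policy" claim above is something a reviewer can check against evidence rather than the diagram. The following is an added example, not Nodes' code: it scans VPC flow log records and reports any accepted flow that left the boundary CIDR (10.40.0.0/16 from the diagram). The log lines, account id and ENI ids are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# AWS VPC flow log (version 2) default field order.
FIELDS = ("version", "account", "eni", "src", "dst", "srcport", "dstport",
          "proto", "packets", "bytes", "start", "end", "action", "status")

# Constructed sample records: two intra-VPC flows, one dropped attempt to an
# external address, and one accepted external flow that the check must flag.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b 10.40.3.12 10.40.5.7 51432 8443 6 12 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b 10.40.3.12 203.0.113.10 51433 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0c2d 10.40.7.3 198.51.100.25 51434 443 6 20 16384 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b 10.40.5.7 10.40.3.12 8443 51432 6 10 2048 1700000000 1700000060 ACCEPT OK
"""

def parse_flow_log(text):
    """Yield one dict per non-empty flow log line (space-separated fields)."""
    for line in text.splitlines():
        if line.strip():
            yield dict(zip(FIELDS, line.split()))

def egress_report(text, boundary_cidr="10.40.0.0/16"):
    """Return (accepted_egress_bytes, violations, dropped_attempts).

    Egress = source inside the boundary CIDR, destination outside it. The
    first value must be 0 for the 'egress = 0' claim to hold; violations
    lists each ACCEPTed egress flow; dropped_attempts counts REJECTs per
    external destination, which is what default-deny should produce.
    """
    boundary = ipaddress.ip_network(boundary_cidr)
    accepted, violations, dropped = 0, [], defaultdict(int)
    for rec in parse_flow_log(text):
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in boundary or dst in boundary:
            continue  # inbound or intra-VPC traffic is not egress
        if rec["action"] == "ACCEPT":
            accepted += int(rec["bytes"])
            violations.append((rec["eni"], rec["dst"], rec["dstport"],
                               int(rec["bytes"])))
        else:
            dropped[rec["dst"]] += 1
    return accepted, violations, dict(dropped)

if __name__ == "__main__":
    total, bad, rejected = egress_report(SAMPLE_LOG)
    print(f"accepted egress bytes: {total}")  # 16384 for the constructed sample
    print(f"violations: {bad}")
    print(f"dropped attempts per destination: {rejected}")
```

On a real deployment the same check runs over the flow logs your VPC already writes; a non-empty violations list is the finding to raise in the architecture review.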
Model supply chain

No third-party AI in the chain.

Nodes ships a fine-tuned open-source foundation model and calibrates it inside your boundary on your four-year production trace. There is no call out to a hosted LLM provider at training time, at inference time, or in the audit stream.

model.provenance · carrier-hire-2025.11
Open foundation. Customer-calibrated. Customer-owned.

Every weight under every inference is the weight the customer owns. Retrains happen in-cluster, on a rolling 18-month window of production data. Weight artifacts never leave the VPC.

| Stage | Source | Detail | Status |
|---|---|---|---|
| Foundation | Open-source base | Apache-2.0 · inspectable · pinned digest | verified |
| Fine-tune | Your 4-yr production | 10,765 agents · p75+ validated cohort | in-VPC |
| Calibration | Per role · per location | 28 dimensions · quarterly refit | in-VPC |
| Inference | In-cluster GPU | p50 74 ms · 0 external calls | in-VPC |
| Weights | KMS-encrypted artifact | customer-held keys · never exported | customer-owned |
What is not in the chain

The supply-chain questions counsel always asks — all answered "no."
  • OpenAI, Anthropic, Google, or any hosted LLM provider · not a subprocessor · not called at train or inference time
  • Third-party embedding APIs · embeddings produced in-cluster · no round-trip
  • Nodes-operated inference endpoints · Nodes ships the binary · the customer runs it
  • Training data shipped back to Nodes · no telemetry with PII · aggregate ops only · opt-in
  • Closed-weight foundation models · we do not pull weights you cannot inspect
Data posture

Every asset. Where it lives. Who can read it.

The ledger your counsel will screenshot. Each row is enforced by network policy, IAM, or KMS — not just documented. Retention is customer-configurable; defaults shown.

| Asset | Where it lives | Who can read it | Encryption | Default retention |
|---|---|---|---|---|
| Model weights (carrier-hire-2025.11) | customer VPC · weights store · S3 + object-lock or equivalent | Nodes service role · read · no export | AES-256 · customer KMS | indefinite · customer-controlled |
| Candidate & employee PII (names, contact, resume, assessment) | customer ATS / HRIS · read-through · never copied out | customer IAM · Nodes read-scope | AES-256 at rest · TLS 1.3 | inherits source system |
| Decision traces (signed · reproducible) | customer VPC · trace store · append-only · sig-hashed | customer IAM · Nodes read | AES-256 · customer KMS | 7 years · adjustable |
| Embedding index (produced in-cluster) | customer VPC · vector store | Nodes service role | AES-256 · customer KMS | rebuilt quarterly |
| Inference traffic (request + scored response) | in-cluster only · never mirrored out | customer ATS write-back | TLS 1.3 · mTLS between services | ephemeral · trace only |
| Audit stream (every admin + scoring event) | customer SIEM sink · Splunk / Datadog / custom | customer security team | TLS 1.3 · HMAC-signed | customer SIEM policy |
| Operational telemetry (aggregate · no PII) | opt-in · redacted export · scrubbed · PII-free | Nodes SRE · aggregate only | TLS 1.3 · per-field scrub | 30 days |
Compliance & controls

The attestations your reviewer already has a checklist for.

Controls are implemented in the deployment, not bolted on in policy. Every certification below is backed by the same single-tenant-VPC architecture — the architecture is the control.

01 · attestation
SOC 2 Type II
Annual report covering security, availability, confidentiality. Delivered under NDA on Day 01 of architecture review.
available · annual · NDA
02 · attestation
Penetration testing
Third-party pen tests on every major release. Reports delivered under NDA. Remediation windows aligned to CVSS severity and contractually committed.
annual + release · NDA
03 · regulation
GDPR · CCPA · DPA templates
Controller / processor DPA templates with no external subprocessors. Data subject request flows land in your HRIS, not ours.
no subprocessors · DSAR-ready
04 · identity
SSO · SCIM · SAML
Okta, Azure AD, Ping, Google Workspace. Group-mapped RBAC. SCIM provisioning ties admin access to your HRIS state.
Okta · Azure AD · Ping
05 · keys
Customer-held KMS
Bring your own keys. AWS KMS, Azure Key Vault, GCP KMS, HashiCorp Vault. Revoke keys; inference stops. That is the point.
BYOK · revoke-to-kill
06 · audit
SIEM-native audit stream
Every scoring, admin, and retrain event hashed and streamed to your SIEM. Signed decision traces reproducible seven years out.
Splunk · Datadog · signed
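The signed, append-only decision traces in the data-posture table and the HMAC-signed audit stream in the control above are the same mechanism; here it is as an added example (not Nodes' own trace format): each record is HMAC-signed under a key the customer holds and chained to its predecessor's signature, so a reviewer with the key can verify a whole trace and locate the first record that was edited, dropped or reordered. The record fields, the sample scoring events and the placeholder key are assumptions made for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # prev-link value for the first record in a trace store

def _canon(payload):
    """Canonical JSON so the same decision always serialises the same way."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def _sign(key, body):
    """HMAC-SHA256 over the canonical record body, hex-encoded."""
    return hmac.new(key, _canon(body), hashlib.sha256).hexdigest()

def append_trace(chain, key, event):
    """Append a signed record whose `prev` is the predecessor's signature."""
    body = {"seq": len(chain), "prev": chain[-1]["sig"] if chain else GENESIS,
            "event": dict(event)}
    chain.append(dict(body, sig=_sign(key, body)))

def verify_trace(chain, key):
    """Return (True, None) if every link holds, else (False, first bad index)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {"seq": rec["seq"], "prev": rec["prev"], "event": rec["event"]}
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(rec["sig"], _sign(key, body))):
            return False, i  # edit, deletion, reorder or wrong key lands here
        prev = rec["sig"]
    return True, None

# Constructed sample; KEY stands in for the customer-held, KMS-backed signing key.
KEY = b"placeholder-customer-held-signing-key"
EVENTS = [
    {"candidate": "cand-001", "role": "claims-adjuster", "score": 0.81},
    {"candidate": "cand-002", "role": "claims-adjuster", "score": 0.44},
    {"candidate": "cand-003", "role": "underwriter", "score": 0.67},
]

def build_sample_chain(events=EVENTS, key=KEY):
    chain = []
    for ev in events:
        append_trace(chain, key, ev)
    return chain

def tamper_demo():
    """Edit a score mid-chain on a valid trace; verification must flag seq 1."""
    chain = build_sample_chain()
    chain[1]["event"]["score"] = 0.93
    return verify_trace(chain, KEY)
```

Because the key never leaves the customer's KMS, a trace that verifies seven years out proves the store was not rewritten in the meantime, which is the property an auditor is actually asking for.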
Deploys where you already run.
Single-tenant vpc
terraform module · helm chart
BYOK · mTLS · SSO / SCIM
Air-gapped variant on request
Cloud · AWS · incl. GovCloud
Cloud · Azure · incl. Gov
Cloud · GCP · Assured Workloads
IaC · Terraform module · pinned
IaC · Helm chart · versioned
IaC · Pulumi · on request
Identity · Okta · Azure AD · Ping · Google
Network · VPC peering · PrivateLink · TGW
Secrets · AWS KMS · Azure KV · GCP KMS · Vault
Observability · Datadog · Splunk · New Relic
Audit · SIEM export · custom sinks
Region · US · EU · APAC · in-country
terraform · nodes_vpc_deployment module v2026.4 · pinned
# One module. Your account. Your KMS. Your subnets.
module "nodes" {
  source  = "nodes-inc/nodes/aws"
  version = "2026.4"

  # deployment boundary
  vpc_id           = var.vpc_id
  private_subnets  = var.private_subnets
  allow_egress     = false                 # enforced · default-deny

  # customer-held keys
  kms_key_arn      = aws_kms_key.nodes.arn
  weights_bucket   = aws_s3_bucket.weights.id
  object_lock      = "compliance"

  # identity + audit
  sso_provider     = "okta"
  siem_sink        = var.splunk_hec_endpoint
  audit_stream     = true

  # model
  model_artifact   = "carrier-hire-2025.11"
  retrain_cadence  = "quarterly"
  inference_gpu    = "g5.2xlarge"
}
CISO FAQ

The seven questions every security reviewer has asked.

Answered once, here, with the spec IDs your counsel will want to cite. For anything not covered, the architecture review (Day 01) is a working session with our security engineer — not a sales call.

01 · Does any candidate or employee data ever leave our VPC?

No. The deployment enforces a default-deny egress policy at the subnet level. Candidate and employee PII is read through from your ATS and HRIS and never copied out of your cloud account. Inference request bodies, scored responses, and decision traces all stay in-cluster. The only opt-in traffic that ever leaves is aggregate operational telemetry with every PII field scrubbed server-side before it's emitted — and that opt-in can be turned off in Terraform.

Reference · boundary_manifest · v2026.4
Reference · terraform allow_egress=false
Reference · spec · net-policy-01

02 · Who has access to our model weights?

You do. The weights artifact is delivered into a bucket you own, encrypted with a KMS key you hold. The Nodes service role has read access, scoped to the cluster; the artifact cannot be exported. Revoke the KMS key and inference stops — which is what every customer tests on Day 07 of deployment.

Reference · spec · kms-01
Reference · spec · weights-01

03 · Is OpenAI or Anthropic in the supply chain?

No. Nodes fine-tunes an open-source foundation model with a pinned digest; there is no call out to a hosted LLM provider at training, fine-tune, or inference time. The DPA lists zero external subprocessors for model operations. This is the question that stalls most vendor reviews; here, it's answered by the deployment topology, not by policy.

Reference · model.provenance · carrier-hire-2025.11
Reference · DPA · subprocessor schedule

04 · How are model retrains handled on a per-customer basis?

In-cluster, on your data, on a quarterly cadence, producing a new signed weights artifact that lives only in your VPC. Retrain jobs run under the Nodes service role with scoped IAM. Nodes does not pull your data back to retrain a shared model — there is no shared model. Your weights are yours.

Reference · spec · retrain-01
Reference · prov_chain · fine-tune stage

05 · What happens to our deployment if Nodes is acquired or shuts down?

The deployment keeps running. The weights are in your bucket under your KMS key. The inference binary is in your cluster. The Terraform module and Helm chart are pinned in your CI. A source-escrow clause in the master agreement gives you the right to rebuild the binary from source after a triggering event. "Lights-on without Nodes" is a stated design goal.

Reference · MSA · source escrow
Reference · spec · lights-on-01

06 · How do GDPR / CCPA data subject requests flow?

To your HRIS or ATS, never to Nodes. Because candidate and employee records live in your source-of-truth systems and are read through into Nodes only at scoring time, a delete or export request fulfilled in your HRIS is automatically reflected in Nodes on the next read. Decision traces bound to deleted subjects are tombstoned on the same schedule.

Reference · spec · dsar-01
Reference · DPA · controller/processor

07 · Can you support air-gapped or GovCloud deployments?

Yes. The Terraform module runs in AWS GovCloud, Azure Government, and GCP Assured Workloads out of the box. For air-gapped environments we ship weights, binaries, and the Helm chart as signed offline artifacts; retrains are triggered by a scheduled job inside the air-gapped cluster, with no return path. Talk to the architecture review team for the offline delivery process.

Reference · spec · govcloud-01
Reference · spec · airgap-01
Architecture review

One hour with our security engineer. Not a sales call.

We walk through the deployment diagram against your cloud account topology, share the SOC 2 report, and leave you with a DPA template and a Terraform plan your team can review offline. Most reviewers come out with enough to open an internal architecture ticket the same day.

01 · Architecture walkthrough against your cloud topology · 60 min · security engineer · your VPC diagram
02 · SOC 2 Type II report under NDA · delivered in the same session
03 · DPA template + subprocessor schedule · no external subprocessors · ready for counsel
04 · Terraform module walkthrough · pinned · reviewable in your CI
05 · Reference-customer call (optional) · Fortune 500 carrier · 17-day approval