Built for procurement teams in regulated industries. A one-page brief on architecture, data handling, certifications, and how we map to the major compliance frameworks.
The architectural claim. Strive Private AI is a fully on-device application. Prompts, documents, AI responses, and embeddings never leave the user's machine. We have no servers that store or process Customer Data. Even at the customer's request, we cannot retrieve Customer Data — it does not exist on our infrastructure.
The user installs Strive Private AI on their device. The application loads an open-source AI model (downloaded once from a public repository to the user's device) and runs inference locally using llama.cpp. The user's prompts and any uploaded documents are processed on the device's CPU/GPU. AI responses are generated locally and stored locally in an encrypted SQLite database on the user's filesystem. No network connection is required for inference, and none is made by the application for inference purposes. The only outbound network calls made by the application are: (a) initial model download from a user-selected source (e.g. Hugging Face); (b) optional license validation; (c) optional update checks against our release server.
SOC 2 is a framework for auditing controls around customer data held by the vendor. Because we hold no Customer Data, the vast majority of SOC 2 control areas — access management, encryption at rest, backup, breach response — are scoped out by architecture. A SOC 2 audit of Strive Private AI would attest to almost nothing of substance.
For procurement teams that require evidence of our security posture, we offer:
| Framework | Our position | Why |
|---|---|---|
| UK GDPR / EU GDPR | Compliant by design | We process no Customer Data. We process limited Account Data as a controller with documented lawful bases. See Privacy Policy. |
| HIPAA (US healthcare) | Out of scope | We are not a Business Associate. PHI never reaches our infrastructure. Customers may use the Software with PHI on devices they control without a BAA. |
| UK SRA (Solicitors Regulation Authority) | Compatible | Client-confidential matters never leave the solicitor's device. No Outcome 7.5 obligations to a third-party AI provider arise. |
| ICAEW / FRC (UK accountancy) | Compatible | Client data confidentiality maintained. No reportable third-party data sharing. |
| FCA (UK financial services) | Compatible | No SYSC 8 outsourcing relationship for AI processing — the AI runs on the firm's own infrastructure. |
| SOC 2 Type II | Not held | See section 2. Scope is architecturally limited; we offer alternative evidence. |
| ISO 27001 | Not held | Roadmap item. ISO 27001 controls map well to our setup, but we have not yet pursued formal certification. |
| Cyber Essentials Plus (UK) | In progress | Target: Q3 2026. |
| EU AI Act | Compatible | We are a "general-purpose AI" distributor for inference only; we do not train, fine-tune, or operate models on customer data. Customer is the deployer for Act purposes. |
Customer Data stored locally in SQLite is encrypted with AES-256-GCM using keys derived via Argon2id from the user's machine credentials. Sensitive memory is zeroized after use.
All outbound network calls (license validation, update checks, model download) use TLS 1.3. Our website uses HSTS with a 1-year max-age.
License keys are signed with HMAC-SHA256 and validated offline. No license check requires network access at runtime.
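The offline license check described above, as an added illustration (not StriveTech's own code, whose key format is not published): a license string carries a base64url JSON payload and an HMAC-SHA256 tag over it, and the validator recomputes the tag with a constant-time comparison before it parses any claim, then enforces the expiry date. The signing secret, claim names and `<payload>.<mac>` layout are constructed assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
from datetime import date
from typing import Optional

# Constructed signing secret for illustration only; an issuer keeps the real
# key out of source control and rotates it.
SIGNING_KEY = b"example-signing-key-not-for-production"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def issue_license(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Return a license string of the form <payload>.<mac>.

    The payload is canonical JSON (sorted keys, no whitespace) so the same
    claims always serialise to the same bytes; the MAC is HMAC-SHA256 over
    those raw payload bytes.
    """
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64url(payload)}.{_b64url(mac)}"


def validate_license(license_str: str, today: date,
                     key: bytes = SIGNING_KEY) -> Optional[dict]:
    """Validate entirely offline; return the claims, or None if rejected.

    Order of checks: structure, MAC (constant-time compare), then expiry.
    The MAC is verified before the JSON is parsed, so untrusted input is
    never decoded as claims unless it was produced with the issuer's key.
    """
    parts = license_str.split(".")
    if len(parts) != 2:
        return None
    try:
        payload = _b64url_decode(parts[0])
        presented_mac = _b64url_decode(parts[1])
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected_mac = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, presented_mac):
        return None
    claims = json.loads(payload)
    # A missing expiry is treated as already expired rather than as perpetual.
    expires = date.fromisoformat(claims.get("expires", "1970-01-01"))
    if today > expires:
        return None
    return claims


if __name__ == "__main__":
    lic = issue_license({"customer": "acme-ltd", "plan": "team",
                         "expires": "2026-12-31"})
    print(lic)
    print(validate_license(lic, date(2026, 6, 1)))   # claims dict
    print(validate_license(lic, date(2027, 1, 1)))   # None: expired
```

Because HMAC is symmetric, whatever performs the offline validation holds the same key the issuer used; for a validator that ships inside end-user software, the usual design choice is a public-key signature (Ed25519, for example), so that only the public key is distributed and the signing key stays with the issuer.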
Authentication via Clerk (SOC 2 Type II certified). Passwords stored as bcrypt or Argon2 hashes. MFA available.
The following providers process limited Account Data on our behalf. None of them have access to Customer Data — Customer Data does not pass through our infrastructure.
| Provider | Purpose | Certifications | Location |
|---|---|---|---|
| Clerk | User authentication | SOC 2 Type II, GDPR-compliant | USA (SCCs in place) |
| HubSpot | CRM, marketing emails | SOC 2 Type II, ISO 27001, GDPR-compliant | USA / EU |
| Vercel | Website hosting | SOC 2 Type II, ISO 27001 | Global edge network |
| Microsoft 365 | | SOC 2 Type II, ISO 27001, ISO 27018, UK G-Cloud | UK / EU |
If we become aware of a security incident affecting Account Data, we will:
Because Customer Data is not held by us, there is no scenario in which a security incident on our infrastructure could expose Customer Data. A device-level incident affecting Customer Data on a user's machine is the user's responsibility and outside the scope of our incident response.
If you believe you have found a security vulnerability in Strive Private AI, please report it responsibly to info@strivetech-ai.com with the subject "Security vulnerability report." We commit to:
We do not yet operate a paid bug bounty programme but expect to in 2027.
Because the Software runs locally and requires no continuous connection to our infrastructure to function, our business continuity exposure is limited to:
This means the Software you install today will continue to work even if StriveTech AI Limited ceases trading. There is no "service shutdown" risk.
No. Customer Data is processed exclusively on your devices. We have no technical means to access it.
No — for Customer Data, because we don't process it. Yes — for the limited Account Data of any of your staff who register for an account. We can provide a standard DPA on request.
Customer Data: on your devices, where you put it. Account Data: with our sub-processors (see section 5), all in UK/EU or under SCCs.
An infrastructure breach on our side cannot expose Customer Data, because we don't hold it. A breach affecting Account Data is handled per section 6.
For enterprise customers, yes — we will support reasonable annual audits, security questionnaires, and evidence requests. Get in touch.
No — see section 2 for why and what we offer instead.
For security and compliance questions, including audit requests, DPA requests, or vendor security questionnaires:
We aim to respond to enterprise security enquiries within 1 business day.