Most AI vendors hand you a PDF checklist and call it compliance. Aspexilary hands you a dated, signed evidence report generated live from your system — one your compliance officer can drop directly into an audit binder, verified independently, no vendor assertions required.
Our approach
Regulated industries — healthcare, finance, legal, government — face a fundamental problem with cloud AI: you can never independently verify what the vendor says is happening to your data. You're taking their word for it.
Aspexilary runs on your infrastructure. Every packet, every inference call, every access attempt is observable by you. We don't ask you to trust our compliance claims — we give you the tooling to verify them yourself, live, on demand.
"Your compliance officer should be able to walk into any audit armed with evidence generated by your own systems — not a vendor's self-attestation."
Model weights, prompts, and responses never leave your environment. Zero calls to external APIs during inference — provable with packet capture.
Every inference call is logged to an append-only, hash-chained audit store. Any modification to the log is immediately detectable.
On-demand compliance reports map observed system behavior to specific HIPAA, SOC 2, and FedRAMP control IDs — dated, signed, audit-ready.
Your data never trains our models. Your inference history stays on your hardware. Compliance with data residency requirements is structural, not contractual.
Live proof session
Live packet capture during inference. Every outbound connection is visible. You'll see only localhost — zero calls to OpenAI, Azure, or any external API.
Submit a prompt, watch it appear in the hash-chained audit log within milliseconds. Attempt to modify a record — the chain immediately identifies the tampering.
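The hash-chain property this session demonstrates, and that the page describes above (an append-only log where any modification is immediately detectable), can be checked independently in a few dozen lines. The following is an added example written for this page, not Aspexilary's audit middleware; the entry layout, the field names (`ts`, `user_hash`, `reason_code`, `prompt_hash`) and the sample events are constructed assumptions. It also covers one case the chain alone cannot catch: a log whose tail has been cut off still verifies, so the checker additionally accepts the head hash that a dated, signed report would commit to.

```python
"""Hash-chained, append-only audit log with tamper detection.

Added example written for this page, not Aspexilary's audit middleware.
Entry layout, field names and sample events are constructed assumptions.
"""
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64  # assumed sentinel that the first entry links to

# Constructed sample events: two inference calls and one denied access attempt
# (timestamp, user hash and reason code, as the page describes for denials).
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"ts": "2024-01-15T10:00:00Z", "event": "inference", "user_hash": "u:3f9a",
     "prompt_hash": "p:1c2d", "status": "ok"},
    {"ts": "2024-01-15T10:00:02Z", "event": "inference", "user_hash": "u:7b10",
     "prompt_hash": "p:e4e4", "status": "ok"},
    {"ts": "2024-01-15T10:00:05Z", "event": "access_denied", "user_hash": "u:9c21",
     "reason_code": "ROLE_NOT_PERMITTED"},
]


def _digest(entry_body: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the digest is reproducible
    payload = json.dumps(entry_body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Each entry commits to its sequence number, its record and the previous hash."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def head(self) -> str:
        """Hash of the newest entry; this is the value a signed report should carry."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def append(self, record: Dict[str, Any]) -> str:
        entry = {"seq": len(self.entries), "prev_hash": self.head(), "record": record}
        entry["hash"] = _digest(entry)  # digest taken before the hash field exists
        self.entries.append(entry)
        return entry["hash"]

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Recompute the chain. Returns (ok, seq of the first bad entry or None).

        Without expected_head a shortened log still verifies, because the chain
        only proves that each surviving entry follows its predecessor.
        """
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry.get("seq") != i or entry.get("prev_hash") != prev:
                return False, i
            body = {k: v for k, v in entry.items() if k != "hash"}
            if _digest(body) != entry.get("hash"):
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)  # tail missing or head mismatched
        return True, None


def build_log() -> AuditLog:
    log = AuditLog()
    for event in SAMPLE_EVENTS:
        log.append(event)
    return log


def tamper_and_verify() -> Dict[str, Any]:
    """Clean log, an edited record, and a truncated tail, each verified."""
    log = build_log()
    head = log.head()  # what the dated, signed report would commit to
    clean_ok, _ = log.verify(expected_head=head)

    edited = copy.deepcopy(log)
    edited.entries[1]["record"]["status"] = "denied"  # rewrite history in place
    edited_ok, edited_at = edited.verify()

    truncated = copy.deepcopy(log)
    truncated.entries.pop()  # drop the denial record at the end
    trunc_unanchored, _ = truncated.verify()
    trunc_anchored, trunc_at = truncated.verify(expected_head=head)

    return {
        "clean": clean_ok,
        "edited": edited_ok, "edited_at": edited_at,
        "truncated_unanchored": trunc_unanchored,
        "truncated_anchored": trunc_anchored, "truncated_at": trunc_at,
    }


if __name__ == "__main__":
    print(json.dumps(tamper_and_verify(), indent=2))
```

Run it directly to print the three verification results. The point of the head hash is what makes the log independently checkable: an auditor recomputes the chain from the raw entries and compares the result with the value written into the signed report, which is why that value has to be committed somewhere the log's own storage cannot silently rewrite.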
Demonstrate an unauthorized role being blocked at the inference endpoint. The denied attempt is logged with timestamp, user hash, and reason code.
Prompts containing PHI patterns — SSN, DOB, credit card numbers — are flagged and logged. The PHI is never stored in plaintext; only a hash is retained.
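An added example (not the product's detector) of the flag-and-hash step described here: each matching value is replaced by a type tag in the stored prompt, and only a keyed hash of the value is retained alongside the finding. The regular expressions, the Luhn check used to drop false-positive card numbers, the HMAC key and the sample prompts are all constructed for this illustration; the page does not say how Aspexilary's hashes are keyed.

```python
"""PHI pattern detection with hash-only retention.

Added example, not Aspexilary's detector. The patterns, the Luhn filter,
the HMAC key and the sample prompts are constructed for this illustration.
"""
import hashlib
import hmac
import re
from typing import Any, Dict, List, Tuple

# Constructed patterns for the three classes the page names. Real detectors
# add context checks; these are deliberately simple.
PHI_PATTERNS: Dict[str, re.Pattern] = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DOB": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "CREDIT_CARD": re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b"),
}

# Constructed prompts: two with PHI, one 16-digit value that is not a card
# number (fails Luhn), and one clean prompt.
SAMPLE_PROMPTS = [
    "Patient John Doe, SSN 123-45-6789, DOB 03/14/1985, needs a refill.",
    "Card on file 4111 1111 1111 1111 was declined.",
    "Reference number 1234 5678 9012 3456 is an order id, not a card.",
    "Summarize the discharge instructions.",
]


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check, used to drop 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def hmac_tag(value: str, key: bytes) -> str:
    """Keyed hash of the matched value; the key is assumed to live outside the log."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def redact(prompt: str, key: bytes) -> Tuple[str, List[Dict[str, str]]]:
    """Replace each PHI match with a type tag; return redacted text and findings.

    A finding records the PHI type and the HMAC of the value, never the value.
    """
    findings: List[Dict[str, str]] = []
    text = prompt
    for label, pattern in PHI_PATTERNS.items():

        def _replace(m: re.Match, label: str = label) -> str:
            value = m.group(0)
            if label == "CREDIT_CARD" and not luhn_ok(re.sub(r"[- ]", "", value)):
                return value  # plausible shape but not a card number; leave it
            findings.append({"type": label, "value_hmac": hmac_tag(value, key)})
            return f"[{label}]"

        text = pattern.sub(_replace, text)
    return text, findings


def scan_prompts(prompts: List[str], key: bytes) -> List[Dict[str, Any]]:
    """What the audit log would receive for each prompt: flag, redacted text, hashes."""
    results = []
    for prompt in prompts:
        text, findings = redact(prompt, key)
        results.append({"flagged": bool(findings), "redacted": text, "findings": findings})
    return results


if __name__ == "__main__":
    for row in scan_prompts(SAMPLE_PROMPTS, b"constructed-demo-key"):
        print(row)
```

A keyed hash is used here on purpose: the space of nine-digit SSNs is small enough that a plain SHA-256 of one offers little protection to anyone who holds the log, so the "hash only" property depends on the key being stored outside the audit store (an HSM or KMS). Keeping the tag deterministic per key still lets an auditor confirm that two log entries refer to the same value without ever seeing it.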
A dated, signed compliance report is generated live from your system's actual audit data — not a pre-filled template. Covers the full reporting period you specify.
Architecture diagram, data flow documentation, and network diagrams delivered under NDA. Audit middleware source available for technical review.
Regulatory coverage
Each capability maps to specific control IDs across HIPAA Technical Safeguards, SOC 2 Trust Service Criteria, and FedRAMP. No ambiguity. No marketing language.
| Capability | HIPAA | SOC 2 | FedRAMP |
|---|---|---|---|
| On-premises, air-gapped inference | §164.312(e)(1) | C1.1 | SC-8 |
| Append-only, hash-chained audit log | §164.312(b) | CC7.2 | AU-2, AU-9 |
| Role-based access control at inference endpoint | §164.312(a)(1) | CC6.1, CC6.2 | SC-28 |
| PHI pattern detection & hash-only storage | §164.312(c)(1) | CC7.3 | SI-3 |
| Person authentication & session tracking | §164.312(d) | CC6.2 | IA-2 |
| TLS enforcement for all API surfaces | §164.312(e)(2) | C1.1 | SC-8 |
| Generated compliance evidence reports | All above | All above | AU-3 |
Sample output
This is a representative excerpt from a generated compliance report. Your actual report is produced live from your audit log and covers the exact period you specify.
We pre-stage everything with your infrastructure team the day before — typically two to three hours. The verification session runs on your hardware, watched by your compliance officer. They leave with a dated evidence report generated from your own audit log — not a vendor self-attestation.
Request a Proof Session · info@aspexilary.ai · NDA available on request · Pre-call infrastructure setup included