Reference architecture

One control plane, per border.

Each region runs a complete data plane and its own ledger behind an in-region control plane. The only worldwide component is a thin directory that holds no clinical data. Nothing crosses a border except a customer-initiated export, and the gate fails closed before it ever would.

The full picture
Exhibit 03 · Heimdall reference architecture, clinical edge to ledger
Legend: sovereign route · frontier-via-gate · human tail · data path · governance / control

Layer 0 · Clinical edge, NHS Trust, London
  The consultant radiologist sees results in the viewer, and nothing else: no Heimdall UI, and that is the point.
  OEM enterprise imaging calls heimdall.run(task_class, payload); certified once, runs in every region, names no model.
  Payloads and declarations: task_class + data_class declared by the OEM (trusted, but verified at the gate) · idempotency-key.
  Anycast LB · regional · mTLS 1.3.

Layer 1 · Heimdall control + data plane, deployed in-region (UK)
  Data plane, in-path · p99 added latency < 60 ms @ 500 RPS
    Stage 01 · Gateway + classifier: verify task and data class; PHI detected at the gate.
    Stage 02 · Policy engine: residency × data class · ≤ 1 ms · fail-closed.
    Stage 03 · Router + registry: depth ladder · cheapest compliant supply wins.
    Stage 04 · Envelope enforcer: caps · output schema · queue-not-spend.
    De-identification gate: trust boundary · re-ID map held sovereign.
  Control plane, side systems
    Model registry & estate: provenance · pinned versions · eval gate (no eval_pass ⇒ no traffic, hard).
    Policy Studio: rules as signable prose · two skins, one engine · draft → simulate → approve → activate.
    Ledger & metering: append-only · hash-chained · one record per request · feeds billing, simulation and evidence.
  East-west · gRPC over mTLS service mesh
    policy.Decide → router.Route → envelope.Enforce → deid.Transform → ledger.Append → router.Execute
    Supply is reached only by router.Execute workers.
  State · per-region · row-level security · no payload persisted post-response
    PostgreSQL 16 (control OLTP, RLS) · Kafka (ledger log, RPO 0) · ClickHouse (OLAP, simulation) · Redis (idempotency) · Qdrant (semantic cache) · Vault / KMS / HSM (keys, de-ID map) · object store (evidence, exports).

Layer 2 · Supply, cheapest compliant pool wins (compliance outweighs cost)
  Bifrost · sovereign: 3verest-owned H100 · vLLM · in-tenancy weights on owned metal · no public egress · ~70% utilisation target.
  Egress proxy: allowlist · mTLS · DLP tap · verifies ZDR and no-train.
  Frontier · resident in-region: pinned version string · pseudonymous payload only · inference_geo recorded in ledger.
  Human tail: consultant queue by policy, not failure · enriches the eval bank.

Layer 3 · Return path, back through the gate, never around it
  A · Draft in the viewer: 1.74 s end-to-end · radiologist signs.
  B · Re-identified at the gateway: flagged pending consultant confirmation.
  C · Consultant confirms: amended case joins the eval bank.

The ledger · hash-chained · append-only
  09:41:07Z · report.draft.ct-chest · 3v-rad-32b@2.3.1 · SOV-UK/LHR · in 6,214 (3,090 cached) · out 482 · 1.74 s · per-study
  09:52:33Z · priors.synthesise.onc · frontier@pinned · RES-UK · 11 calls · in 48,910 · out 6,240 · 41.2 s · metered
  Both sides of every contract read these same rows. Hash chain verifiable per tenant per day · tamper alert ≤ 5 min.
No service calls supply except router.Execute workers. No path to any model exists except through the gateway. The de-identification map is the one thing that never leaves sovereign storage.
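The hash-chained ledger behind the two rows above, as an added example written for this page (not Heimdall's own code): each line carries the previous line's hash, so the per-tenant, per-day verification walk recomputes every link and stops at the first line whose content or back-link no longer matches. The field set and the tampered value are this example's assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)
// Entry is one ledger line (one record per request); the field set is this example's assumption.
type Entry struct {
	Ts, Task, Model, Route string
	TokensIn, TokensOut    int
	Prev, Hash             string // Prev is the previous line's Hash ("" on the first line)
}

// lineHash covers every field plus the back-link, so editing any field or
// reordering lines breaks the chain from that line onward.
func lineHash(e Entry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%s|%d|%d|%s",
		e.Ts, e.Task, e.Model, e.Route, e.TokensIn, e.TokensOut, e.Prev)))
	return hex.EncodeToString(sum[:])
}
// Append is the only writer: it links the new line to the current head and never rewrites history.
func Append(ledger []Entry, e Entry) []Entry {
	if n := len(ledger); n > 0 {
		e.Prev = ledger[n-1].Hash
	}
	e.Hash = lineHash(e)
	return append(ledger, e)
}

// Verify recomputes every link; it returns the index of the first bad line, or -1.
func Verify(ledger []Entry) int {
	prev := ""
	for i, e := range ledger {
		if e.Prev != prev || e.Hash != lineHash(e) {
			return i
		}
		prev = e.Hash
	}
	return -1
}
// Demo builds a ledger from the two rows in Exhibit 03, then edits a metered token count in place.
func Demo() (cleanIdx, tamperedIdx int) {
	l := Append(nil, Entry{Ts: "09:41:07Z", Task: "report.draft.ct-chest", Model: "3v-rad-32b@2.3.1", Route: "SOV-UK/LHR", TokensIn: 6214, TokensOut: 482})
	l = Append(l, Entry{Ts: "09:52:33Z", Task: "priors.synthesise.onc", Model: "frontier@pinned", Route: "RES-UK", TokensIn: 48910, TokensOut: 6240})
	cleanIdx = Verify(l)
	l[1].TokensOut = 6000 // simulated after-the-fact edit of a billing line; Verify now stops here
	return cleanIdx, Verify(l)
}
```

A production chain would also anchor the day's head hash somewhere the tenant can read independently; that anchoring is outside this example.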
Deployment topology · regional cells

Each region is a complete, isolated cell. The border is the architecture.

A regional failure does not fail clinical traffic over a border. The control plane is regional for everything data-bearing; only a thin global directory (org catalogue, status, SSO broker) spans the world, and it never sees a payload. Cells run today in the UK, Europe, the US, Canada and Australia.

Exhibit 04 · Regional cell topology, no cross-region data movement
Global directory, no clinical data: org / tenant catalogue · status page · release registry · SSO broker. The only worldwide component; routes Studio logins only.
Cell · LHR (UK): complete data plane + control plane · regional ledger · Bifrost GPU pool · gateway, classifier, policy, router, envelope, de-ID · Postgres HA, Kafka, ClickHouse · Vault / KMS · 99.95% · N+1 · fail-closed · no cross-border failover.
Cell · FRA (EU): Germany-anchored, identical shape · isolated state, own ledger and keys · EU AI Act high-risk logging posture native to the cell · own GPU capacity · degraded mode: queue batch, escalate interactive.
Cell · SYD (AU): Australian successor regime, in-region processing · one of five live regional cells.
Permanent OEM sandbox tenant: dev, synthetic only. DR game-days quarterly · RTO ≤ 1 h · RPO ≤ 5 min.
Resist a global control plane holding clinical data. The thin global directory is the only worldwide component, by design.
Architectural principles

Sovereign by default

Data residency is the routing logic, not a toggle. Statutory rules are locked per region and 3verest-managed; overrides can never weaken a locked baseline.

Model lifecycle ≠ code release

Models are registry-driven and eval-gated, on an independent cadence. A version serves traffic only after a tenant's eval suite passes, a hard, tested constraint.

Everything as draft

No console changes; no direct mutation of live state. Policy and class changes deploy with zero code release, and roll back instantly by design.

The whole gate, in one view

One control plane, twelve subsystems.

The request enters at the gateway and leaves as a sealed ledger line. Everything between is policy, supply and proof, grouped into four planes, each subsystem carrying its own acceptance criteria.

Ingress plane

Gateway AC-GW

Single endpoint in front of every model. Terminates, authenticates and meters every request.

Decision plane

Classifier AC-CL

On-gateway PHI & task-class detection. Owned model, no external calls.

Policy engine AC-PE

Deterministic, fail-closed evaluation of jurisdiction, task and model permissions.

Router AC-RT

Resolves the cheapest compliant supply within the sovereign envelope.

Envelope AC-EN

Enforces per-task token budgets; downshifts or escalates on breach.

Supply plane

De-identification AC-DI

Strips identifiers before any payload reaches a non-sovereign model.

Model registry AC-MR

Catalogues every routable model: provenance, jurisdiction, eval history, pinned versions.

Bifrost AC-BF

Owned sovereign inference. In-region weights on 3verest GPU capacity.

Evidence plane

Ledger AC-LG

Append-only, hash-chained record of every decision and token.

Governance AC-GV

Policy Studio: plain-language policy, simulation, dual sign-off, versioning.

Billing AC-BL

Turns ledger data into per-study prices, envelopes and tenant invoices.

Evidence AC-EV

Renders ledger lines into auditor-ready evidence packs on demand.

Ingress → Decision → Supply → Evidence. The request enters once and is sealed once.
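The decision-plane rule the subsystems above describe, as an added example written for this page (not Heimdall's policy compiler or router): the residency × data_class matrix and the eval gate filter the registry before price is compared, an unlisted class or empty candidate set denies, and a non-sovereign winner forces the de-identification gate. The data-class names, pool names and prices are this example's assumptions.

```go
package main

import "sort"
// Pool is one model-registry entry; Registry below is constructed for this example (only the two kinds come from the page).
type Pool struct {
	Name, Region string
	Kind         string  // "sovereign": owned metal in-region; "frontier": resident model behind the egress proxy
	CostPer1k    float64 // arbitrary price units
	EvalPass     bool    // no eval_pass ⇒ no traffic, whatever the price
}

// Decision is the gate's answer: a pool (and whether the de-ID gate runs first) or a denial.
type Decision struct {
	Allowed bool
	Pool    string
	DeID    bool   // identifiers are stripped before any payload reaches a non-sovereign pool
	Reason  string // populated on denial
}

// allowed is the residency × data_class matrix; anything not listed is denied (fail-closed).
// The class names are this example's assumption, not the page's schema.
var allowed = map[string]map[string]bool{
	"phi":          {"sovereign": true},
	"pseudonymous": {"sovereign": true, "frontier": true},
	"synthetic":    {"sovereign": true, "frontier": true},
}

// Route picks the cheapest compliant pool. Compliance filters run before price is
// ever compared, so a cheaper non-compliant or unevaluated pool can never win.
func Route(region, dataClass string, registry []Pool) Decision {
	kinds, ok := allowed[dataClass]
	if !ok {
		return Decision{Reason: "unknown data_class " + dataClass}
	}
	var fit []Pool
	for _, p := range registry {
		if p.Region == region && p.EvalPass && kinds[p.Kind] {
			fit = append(fit, p)
		}
	}
	if len(fit) == 0 {
		return Decision{Reason: "no compliant supply in " + region}
	}
	sort.Slice(fit, func(i, j int) bool { return fit[i].CostPer1k < fit[j].CostPer1k })
	return Decision{Allowed: true, Pool: fit[0].Name, DeID: fit[0].Kind != "sovereign"}
}

// Registry is a constructed four-pool estate used to exercise the rules.
var Registry = []Pool{
	{"bifrost-lhr", "UK", "sovereign", 0.40, true},
	{"frontier-uk-resident", "UK", "frontier", 0.25, true},
	{"frontier-us", "US", "frontier", 0.10, true},
	{"rad-40b-candidate", "UK", "sovereign", 0.05, false}, // cheapest, but not yet through the eval gate
}
```

With this registry a UK PHI request lands on bifrost-lhr even though two cheaper pools exist, and a UK pseudonymous request goes to the resident frontier pool only after de-identification.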

Technology stack · build vs adopt
Layer | Approach | Rationale
Gateway data plane | Envoy + custom filters (Rust/C++), Go control services | Proven proxy core; meets the latency budget; avoids bespoke-proxy risk.
Policy evaluation | Embedded compiled policy, signed bundles | Microsecond eval; auditability beats general-purpose engines here.
ML serving | vLLM on Kubernetes GPU pools | Continuous batching; the de-facto standard for sovereign inference.
OLTP | PostgreSQL 16, row-level security | Boring, correct, isolated by tenant.
Ledger | Kafka (tiered) + ClickHouse | Durable log plus fast analytics; simulation needs OLAP.
The product itself | Policy compiler · classifier · router · de-ID · ledger · Studio | This is the differentiated build. Everything else is commodity excellence, adopted.