// Sovereign AI · v2.1
Platform Architecture
3-server topology with local LLM inference, vector memory, and an audited relational database. All traffic between nodes flows through an encrypted WireGuard tunnel. No data ever leaves the jurisdiction — with an encrypted disaster-recovery copy replicated offsite to Helsinki.
Sovereign AI · infrastructure 3-server topology · sovereign LLM
RAG · vector memory · WORM audit
Sovereign · GDPR · NIS2
// Flow legend
HTTPS · external traffic
Front → GPU · WireGuard
GPU ↔ Data · vectors & LLM
Data internal · backup & audit
RAG · top-k retrieval
Offsite DR → Helsinki · rsync
FRONT · Interface
Hetzner AX102 · Ryzen 9 7950X3D · 128 GB ECC
GPU · AI Cognition
Hetzner GEX130 · RTX 6000 Ada · 48 GB VRAM
DATA · Sovereign Memory
Hetzner AX162 · EPYC 9454P · 1 TB ECC · NVMe + 44 TB cold
OFFSITE · Disaster Recovery
Hetzner Storage Box BX21 · 5 TB · Helsinki HEL1 · Finland (geo-separated)
Internet
external traffic · web · mobile · API clients
Edge Gateway
Nginx · TLS 1.3 · Let's Encrypt · WAF · rate-limit · :443
Next.js · App
SSR · React 18
Main authenticated frontend.
Astro · Portal
static + ISR
Public portal · open data.
FastAPI
microservices · Py 3.12
app-api · portal-api · persona · cognition · bridge.
OCR worker
Tesseract + LLM
OCR of incoming documents.
Enricher
24/7 daemon
Registries · public sources · scraping.
Nginx
reverse proxy
TLS termination · routing · mTLS.
:8001
vLLM · Qwen 3-8B
AWQ 4-bit · 32k ctx
Sovereign LLM · Apache 2.0 · multilingual.
:9879
BGE-M3
1024-dim multilingual
Embeddings for RAG and semantic search.
:8765
LoRA fine-tune
rank 16 · α 32
Domain adapters · fine-tuning on own Q&A pairs.
:8099-101
Reranker pool
bge-reranker-large
3 instances · top-50 → top-5.
Agent Swarm CC1–CC7
parallel agents
OCR triage · enrichment · controls · self-learning.
Bridge API
FastAPI · cognition
Self-learning
Q&A → adapter
:5432 · :6432
PostgreSQL 18 · PgBouncer
9 schemas · WORM provenance · PITR · RLS multi-tenant
domain
entities
regulatory
knowledge
content
ai_state
persona
provenance
public
:6333
Qdrant
vector database
Collections: knowledge · regulatory · domain · entities.
1024-dim · cosine sim.
:7687
Neo4j
graph · Cypher
Entity hierarchies
forensic relationship detection.
:6379
Redis
cache · queue
Sessions · rate-limit · jobs.
:9000
MinIO · S3-compat
object storage
Documents · images · PDF · scanned materials.
Provenance triggers
WORM · field_history
Every change: who · when · before/after · source ref.
44 TB cold backup · 3-2-1
local cold · PITR WAL · Qdrant snap · Neo4j dump · → Helsinki offsite
RPO ≤ 24h · RTO ≤ 4h · annual disaster-recovery drill.
ssh :23
Storage Box · Helsinki
Hetzner BX21 · 5 TB · encrypted offsite · 20 snapshots
Geo-separated DR copy from all 3 servers: PG dump · Qdrant · Neo4j · Redis · MinIO · LoRA adapters · code · configs. 3-2-1 offsite — survives full datacenter loss.
⟦ WireGuard VPN · encrypted mesh ⟧ ⟦ WireGuard VPN · :5432 · :6333 · :7687 · :6379 · :9000 ⟧ ⟦ encrypted rsync · SSH :23 → Helsinki ⟧ HTTPS · :443 TLS 1.3

// Network & security

WireGuard VPN between all three servers, TLS 1.3 for external traffic. External access exclusively through Front. Encrypted offsite disaster-recovery replication to a geo-separated Storage Box in Helsinki (Finland) — true 3-2-1.

// Legal framework & compliance

The platform is built in accordance with Croatian and EU regulatory frameworks:

Public Procurement Act OG 120/16 GDPR EU 2016/679 Right to Access Information Act OG 25/13 NIS2 EU 2022/2555 Local & Regional Self-Government Financing Act OG 127/17 GDPR Implementation Act OG 42/18

// Sovereign principles

  1. Data never leaves EU jurisdiction.
  2. Open-source model (Apache 2.0) — no vendor lock-in.
  3. Every AI response is auditable and reconstructible.
  4. The client controls what the model learns and what it discards.