GDPR HIPAA SOC 2 ISO 27001 Open Source · Apache 2.0

Private by design.
Provable by default.

Maranode runs AI models on your own servers and automatically generates the compliance evidence your auditors need — GDPR, HIPAA, SOC 2, and more. Nothing leaves. Nothing goes undocumented. Fully open source and free to use.

$ curl -sSL https://get.maranode.com | sh
What Maranode adds on top
📋GDPR Art. 30, HIPAA, SOC 2 exports — auto-generated
🔗Tamper-evident audit chain — every action logged and chained
🔏Signed proof per answer — verifiable by your auditors
♻️GDPR erasure with a signed deletion certificate
🔒 Maranode — on your server
air-gapped · zero telemetry · encrypted · yours alone
No data leaves your infrastructure
No telemetry, no phone-home, ever
Signed cryptographic receipt per answer
Full audit trail of every API call

🔏 Signed receipts — Ed25519 proof per inference
🔒 Kernel air-gap — continuous self-attestation
📋 HMAC audit chain — legal hold, SIEM-ready
♻️ Crypto-shredding — GDPR Art. 17 deletion cert
📂 Local RAG — grounding proof, encrypted store
🛡️ TEE / TPM — hardware-bound keys

Your compliance team has questions.
Maranode has the answers.

Designed for environments where running AI on sensitive data requires proof, not promises. If you run GDPR, HIPAA, or SOC 2 audits — this is what your auditor will ask for.

HIPAA

Healthcare

Patient data never leaves the machine. Per-department workspace isolation, AES-256-GCM encrypted RAG store, HIPAA access log exports, crypto-shred on patient data deletion requests.

GDPR · ISO 27001

Legal

Client matter isolation with separate encryption keys. GDPR Article 30 records auto-generated. Article 17 deletion with signed certificate. Legal hold controlled by compliance officer, not IT.

SOC 2

Finance

Air-gapped inference for trading, risk, and regulatory data. Data classification enforcement (PUBLIC / CONFIDENTIAL / RESTRICTED / PHI). Microsoft Purview, Forcepoint, Symantec DLP connectors.

ISO 27001 · GDPR

Government

ISO 27001 event logs, TPM 2.0 PCR-bound keys, TEE detection (Intel TDX, AMD SEV-SNP). Attestation report available to remote third-party auditors via signed API endpoint.

Air-gapped

Defense

Models approved through a gated registry before the daemon will load them. Air-gapped token transfer for offline approval. Behavioral baseline checks against known-good model vectors on every load.

SIEM · DLP

Enterprise security

Splunk TA, Elastic ingest pipeline, Microsoft Sentinel KQL rules, IBM QRadar AQL — ready to deploy. Tamper-evident signed events, not best-effort logs.

Capabilities no other local AI runtime has

Ollama and LM Studio are excellent tools for running models locally. They are not built for proving, to an outside auditor, what happened. These are the features that make that possible.

Only in Maranode

🔏 Proof-carrying inference

Every answer carries a signed Ed25519 receipt binding the model SHA-256, input hash, output hash, quantization, decode parameters, and a timestamp. A standalone binary maranode-verify checks any receipt offline with no daemon required. A third party can verify with Python and no Maranode binary at all. This turns "we say the answer came from this model" into a cryptographic fact.
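The paragraph above says a third party can check a receipt with nothing but Python and the node's public key. The block below is an added illustration of that check, not Maranode's code and not its real receipt schema: the field names, the canonical-JSON encoding and the `demo()` scenario are assumptions made here, and the signing key is generated on the fly only so the example runs offline. It depends on the `cryptography` package. The verifier checks the Ed25519 signature over the receipt body first, then recomputes every hash the receipt claims, so an edited answer, an edited receipt, or a receipt from a different node each fail for a stated reason.

```python
from __future__ import annotations

import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj: dict) -> bytes:
    """Deterministic encoding: signer and verifier must hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def issue_receipt(node_key: Ed25519PrivateKey, model_sha256: str, prompt: bytes,
                  response: bytes, quant: str, params: dict, timestamp: int) -> dict:
    """Assumed receipt layout (not the project's real schema): the body binds the
    model hash, input/output hashes, quantization, decode parameters and a
    timestamp; the Ed25519 signature covers the canonical body."""
    body = {
        "model_sha256": model_sha256,
        "input_sha256": sha256_hex(prompt),
        "output_sha256": sha256_hex(response),
        "quantization": quant,
        "decode_params": params,
        "timestamp": timestamp,
    }
    return {"body": body, "signature": node_key.sign(canonical(body)).hex()}


def verify_receipt(receipt: dict, node_pub: bytes, prompt: bytes, response: bytes,
                   expected_model_sha256: str | None = None) -> tuple[bool, str]:
    """Offline check needing only the node's public key: signature first, then
    recompute each hash the receipt claims and compare."""
    body = receipt["body"]
    try:
        Ed25519PublicKey.from_public_bytes(node_pub).verify(
            bytes.fromhex(receipt["signature"]), canonical(body))
    except InvalidSignature:
        return False, "signature invalid"
    if body["input_sha256"] != sha256_hex(prompt):
        return False, "input hash mismatch"
    if body["output_sha256"] != sha256_hex(response):
        return False, "output hash mismatch"
    if expected_model_sha256 and body["model_sha256"] != expected_model_sha256:
        return False, "model hash mismatch"
    return True, "receipt valid"


def demo() -> dict:
    """Constructed scenario: one genuine receipt and three ways it can fail."""
    raw = (serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    node_key = Ed25519PrivateKey.generate()            # stands in for the node key
    node_pub = node_key.public_key().public_bytes(*raw)
    other_pub = Ed25519PrivateKey.generate().public_key().public_bytes(*raw)

    model_sha = sha256_hex(b"constructed-model-weights")  # stands in for the weights file hash
    prompt = b"Summarize GDPR Article 30 obligations"
    response = b"Article 30 requires controllers to keep records of processing..."
    receipt = issue_receipt(node_key, model_sha, prompt, response,
                            "Q4_K_M", {"temperature": 0.0, "seed": 7}, 1700000000)

    edited = response + b" (edited)"                    # saved answer changed later
    forged = json.loads(json.dumps(receipt))             # receipt body changed later
    forged["body"]["model_sha256"] = sha256_hex(b"some-other-model")

    return {
        "genuine": verify_receipt(receipt, node_pub, prompt, response, model_sha),
        "edited_response": verify_receipt(receipt, node_pub, prompt, edited, model_sha),
        "wrong_key": verify_receipt(receipt, other_pub, prompt, response, model_sha),
        "edited_receipt": verify_receipt(forged, node_pub, prompt, response, model_sha),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} {'ok ' if ok else 'FAIL'} {why}")
```

The order of checks matters: the signature is verified before any hash is compared, so a tampered body is rejected as "signature invalid" rather than as a hash mismatch, and no field of an unsigned body is ever trusted as input to a later check.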

Only in Maranode

♻️ Crypto-shredding and erasure certificate

Every workspace has its own AES-256-GCM data encryption key (DEK). Honoring a GDPR Article 17 deletion request destroys the DEK — ciphertext on disk becomes mathematically unreadable without any disk scrub. A signed deletion certificate is written into the HMAC chain and exportable as a one-page compliance document with audit sequence number, actor, HMAC, and erasure statement.
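The mechanism described above, as an added example that is not the project's own code: one AES-256-GCM data encryption key per workspace, stored only wrapped under a master KEK, records encrypted under the DEK, and erasure implemented by deleting the wrapped DEK while the ciphertext stays on disk. The class, the certificate fields and the sample records are constructed for this illustration; the real certificate would be appended to the HMAC chain and signed, which is not shown here. It depends on the `cryptography` package.

```python
from __future__ import annotations

import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM


class WorkspaceStore:
    """Per-workspace DEK wrapped under a master KEK. Records are encrypted
    under the DEK; shredding removes the wrapped DEK and leaves the ciphertext."""

    def __init__(self, kek: bytes):
        self._kek = AESGCM(kek)
        self._wrapped_deks = {}  # workspace -> (nonce, wrapped DEK)
        self.blobs = {}          # workspace -> [(nonce, ciphertext)]  ("on disk")

    def create_workspace(self, ws: str) -> None:
        dek = AESGCM.generate_key(bit_length=256)
        nonce = os.urandom(12)
        # The workspace id is bound as associated data so a wrapped DEK
        # cannot be moved to another workspace.
        self._wrapped_deks[ws] = (nonce, self._kek.encrypt(nonce, dek, ws.encode()))
        self.blobs[ws] = []

    def _dek(self, ws: str) -> AESGCM:
        nonce, wrapped = self._wrapped_deks[ws]  # KeyError once shredded
        return AESGCM(self._kek.decrypt(nonce, wrapped, ws.encode()))

    def put(self, ws: str, plaintext: bytes) -> None:
        nonce = os.urandom(12)
        self.blobs[ws].append((nonce, self._dek(ws).encrypt(nonce, plaintext, ws.encode())))

    def read_all(self, ws: str) -> list[bytes]:
        dek = self._dek(ws)
        return [dek.decrypt(n, c, ws.encode()) for n, c in self.blobs[ws]]

    def is_readable(self, ws: str) -> bool:
        return ws in self._wrapped_deks

    def shred(self, ws: str, actor: str, audit_seq: int) -> dict:
        """Crypto-shred: destroy the DEK, keep the ciphertext, return a
        deletion certificate (assumed fields, constructed for this example)."""
        del self._wrapped_deks[ws]
        return {
            "workspace": ws,
            "audit_seq": audit_seq,
            "actor": actor,
            "ciphertext_records_remaining": len(self.blobs[ws]),
            "statement": "DEK destroyed; remaining ciphertext is unrecoverable without it",
        }


def decrypts_with(store: WorkspaceStore, ws: str, key_guess: bytes) -> bool:
    """What someone holding a guessed key can do with the leftover ciphertext."""
    try:
        for nonce, ct in store.blobs[ws]:
            AESGCM(key_guess).decrypt(nonce, ct, ws.encode())
        return True
    except InvalidTag:
        return False


def demo() -> dict:
    store = WorkspaceStore(AESGCM.generate_key(bit_length=256))  # constructed KEK
    store.create_workspace("oncology")
    store.put("oncology", b"patient 0042: chemo cycle 3 notes")   # constructed records
    store.put("oncology", b"patient 0042: discharge summary")
    before = store.read_all("oncology")
    cert = store.shred("oncology", actor="dpo@example.org", audit_seq=1285)
    return {
        "readable_before": before,
        "readable_after": store.is_readable("oncology"),
        "records_still_on_disk": len(store.blobs["oncology"]),
        "wrong_key_decrypts": decrypts_with(store, "oncology", AESGCM.generate_key(bit_length=256)),
        "certificate": cert,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The check a practitioner should add in a real deployment is the one this toy omits: that the wrapped DEK has no other copies (backups, swap, key caches) before the certificate is issued, since the erasure claim is only as strong as the key's own erasure.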

Only in Maranode

⚖️ Legal hold with two-party release

A compliance officer holds a keypair separate from IT. Placing a hold freezes an audit segment — nothing can prune or modify it. Releasing the hold requires the compliance officer's signature. IT alone cannot lift a hold. This is the difference between a feature and a control that survives a regulatory investigation.

Only in Maranode

📡 Continuous isolation attestation

The daemon re-probes its own egress posture on an interval and writes each result into the audit chain. If isolation cannot be confirmed, the runtime refuses inference and records why. So you can show an auditor a timeline proving the air-gap held for the entire audit period — not just at installation.

Only in Maranode

🧬 Behavioral model integrity

SHA-256 proves the weights on disk are unchanged. A behavioral baseline goes further: it runs signed known-answer test vectors on every model load and compares outputs. A model whose weights were subtly modified to behave differently on trigger inputs will fail the baseline check. Drift is recorded in the audit chain. The runtime can refuse to serve a drifted model.

Only in Maranode

🏛️ SIEM integration with tamper-evident events

Ships with a ready Splunk Technology Add-on, an Elastic ingest pipeline, Microsoft Sentinel KQL detection rules, and IBM QRadar AQL. The differentiator is not the connector — it is that what you feed the SIEM are signed, HMAC-chained events. Tampering is detectable before the event reaches your SIEM.
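The HMAC chain that the SIEM integration above and the audit-log feature list rely on is worth seeing concretely. The block below is an added example, not the project's code: an append-only chain where each entry's HMAC-SHA256 covers its sequence number, the previous entry's MAC and the canonical event, plus a verifier that walks the chain from genesis. The key, the event shapes and the two tampering scenarios are constructed for this illustration; stdlib only.

```python
from __future__ import annotations

import copy
import hashlib
import hmac
import json

# Constructed demo key. In the deployment the page describes the audit HMAC key
# would be sealed to the TPM; it is never embedded in source like this.
AUDIT_KEY = b"demo-audit-hmac-key-not-for-production"
GENESIS = "00" * 32  # previous-MAC value used by the first event


def canonical(event: dict) -> bytes:
    """Deterministic JSON so every verifier MACs exactly the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def event_mac(key: bytes, seq: int, prev_mac: str, event: dict) -> str:
    """HMAC-SHA256 over (seq || previous MAC || canonical event).
    Covering prev_mac is what links each entry to the one before it."""
    msg = seq.to_bytes(8, "big") + bytes.fromhex(prev_mac) + canonical(event)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append(chain: list, key: bytes, event: dict) -> dict:
    seq = len(chain)
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"seq": seq, "prev": prev, "event": event,
             "mac": event_mac(key, seq, prev, event)}
    chain.append(entry)
    return entry


def verify(chain: list, key: bytes) -> tuple[bool, str]:
    """Walk the chain from genesis. An edit, deletion, insertion or reorder
    leaves a sequence gap, breaks a prev-link, or yields a MAC that cannot be
    recomputed without the key; the first bad entry is reported."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            return False, f"sequence gap at position {i}"
        if entry["prev"] != prev:
            return False, f"prev-link mismatch at seq {i}"
        expected = event_mac(key, i, prev, entry["event"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, f"HMAC mismatch at seq {i}"
        prev = entry["mac"]
    return True, f"{len(chain)} events, chain intact"


def build_sample_chain() -> list:
    """Constructed events modelled on the kinds of actions the page lists."""
    chain: list = []
    for ev in [
        {"type": "daemon_start", "binary_sha256": "a" * 64},
        {"type": "model_load", "model_sha256": "b" * 64, "baseline": "pass"},
        {"type": "inference", "request_id": "req-0001", "input_sha256": "c" * 64},
        {"type": "isolation_probe", "output_policy": "ACCEPT", "result": "fail"},
    ]:
        append(chain, AUDIT_KEY, ev)
    return chain


def tamper_modify(chain: list) -> list:
    """An insider rewrites the failed probe as a pass after the fact."""
    bad = copy.deepcopy(chain)
    bad[3]["event"].update({"output_policy": "DROP", "result": "pass"})
    return bad


def tamper_delete(chain: list) -> list:
    """An insider removes the inference event and re-stitches seq numbers and
    prev-links to hide the gap. Without the key the MACs cannot be redone."""
    bad = copy.deepcopy(chain)
    del bad[2]
    for i in range(2, len(bad)):
        bad[i]["seq"] = i
        bad[i]["prev"] = bad[i - 1]["mac"]
    return bad


if __name__ == "__main__":
    chain = build_sample_chain()
    print(verify(chain, AUDIT_KEY))
    print(verify(tamper_modify(chain), AUDIT_KEY))
    print(verify(tamper_delete(chain), AUDIT_KEY))
```

Note what this design does and does not give you: it detects modification and deletion of anything before the latest entry, but truncation at the tail (dropping the newest events) is only caught if the verifier knows the expected length or latest MAC from somewhere else, which is why the page pairs the chain with signed evidence bundles and a SIEM that receives events as they happen.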

Only in Maranode

🏗️ Air-gapped model registry

A model must be submitted, reviewed, and approved before the daemon will load it. Signed approval tokens can be transferred across an air gap as files. Revoke at any time, and the event is recorded. Change-management hooks connect to external systems. No model runs without an explicit signed token.

Only in Maranode

🔐 TPM key sealing and TEE support

Workspace keys, audit HMAC keys, and admin credentials can be sealed to TPM 2.0 PCR policy — they only materialize when the machine runs the expected software state. Intel TDX and AMD SEV-SNP are detected automatically; prompts and responses can be encrypted at the API layer so the host operator cannot read them in memory.

Only in Maranode

🚨 Incident response and break-glass

Declare an incident, end active sessions, and freeze the audit log cryptographically in one command. A forensic snapshot captures runtime state. Break-glass credentials are single-use, force a mandatory audit event, and are the only path to emergency access — IT cannot bypass the log silently.

Everything Maranode can do today

Features marked "Only in Maranode" are exclusive to Maranode — not available in any other local AI runtime. All features below are implemented and working in the current release unless noted.

Inference and model runtime

OpenAI-compatible API — change only base_url, existing code works
Streaming and non-streaming — SSE for tokens, or single JSON response
Embeddings endpoint — POST /v1/embeddings, OpenAI shape
Content-addressed model store — SHA-256 verified on every load, deduplication, atomic writes
Pull from Hugging Face / import from file — import works fully offline for air-gapped installs
Model quantization tools — inspect quant, recommend quant from RAM, list formats
Concurrent request queue — configurable parallel slots and queue depth
Signed inference receipt per answer [Only in Maranode] — Ed25519, binds model SHA-256, input hash, output hash, TPM PCR composite
Reproducible inference [Only in Maranode] — bit-exact replay with deterministic kernels, replaying a past decision via audit replay

Network isolation and attestation

Kernel-level air-gap [Only in Maranode] — iptables OUTPUT default-DROP at daemon start, not a config flag
Continuous isolation attestation [Only in Maranode] — periodic self-probe, audit-chained results, fail-closed on drift
Isolation timeline report [Only in Maranode] — maranode audit isolation-report shows the auditor the full probe history with time bounds
Whitelist mode — allow specific hosts/ports when outbound access is needed (e.g. private HF mirror)
Self-verifiable — maranode verify network + iptables -L + tcpdump, no Maranode trust required

Audit log and compliance

HMAC-chained audit log [Only in Maranode] — every event linked to the previous; deletion or modification breaks the chain
Signed evidence bundles [Only in Maranode] — ZIP signed by the node key, integrity provable independent of the log
Legal hold (two-party) [Only in Maranode] — compliance officer keypair, cryptographic freeze, IT cannot release alone
SIEM integration [Only in Maranode] — Splunk TA, Elastic pipeline, Sentinel KQL, QRadar AQL; tamper-evident signed events
Compliance exports — GDPR Article 30, HIPAA access log, SOC 2 security events, ISO 27001
Prompts hashed, not stored — SHA-256 fingerprint only; full content is opt-in with separate retention
Retention prune + automatic enforcement — scheduled policy, chain stays consistent after prune
Audit backup and restore — maranode audit backup / restore with workspace logs

Privacy and encryption

Per-workspace AES-256-GCM encryption [Only in Maranode] — DEK wrapped under master KEK; RAG chunks, summaries, stored content encrypted at rest
Crypto-shredding with deletion certificate [Only in Maranode] — destroy the DEK → ciphertext unreadable without disk scrub; signed GDPR Art. 17 certificate
Data classification enforcement [Only in Maranode] — PUBLIC / CONFIDENTIAL / RESTRICTED / PHI labels, per-workspace clearance, fail-closed on violation
DLP label sync [Only in Maranode] — Microsoft Purview, Forcepoint, Symantec connectors
TEE API-layer encryption [Only in Maranode] — AES-256-GCM prompts/responses so the host operator cannot read them in memory

Attestation and hardware security

TPM 2.0 key sealing [Only in Maranode] — seal workspace KEK, audit HMAC key, admin creds to PCR policy; software fallback when no TPM
TEE detection (Intel TDX, AMD SEV-SNP) [Only in Maranode] — attested into the same audit chain; the TEE guarantee becomes part of the provable record
Binary self-hash at startup [Only in Maranode] — the audit log records which exact build was running from the first event
Attestation report [Only in Maranode] — a remote third party can pull GET /v1/attestation/report for binary hash + PCR values + chain status
Behavioral model integrity [Only in Maranode] — signed known-answer baselines checked on model load; drift recorded; fail-closed on deviation
Air-gapped model registry [Only in Maranode] — model must be approved before the daemon loads it; token transfer works across an air gap as a file

RAG and document intelligence

Grounding proof [Only in Maranode] — receipt binds each source chunk SHA-256 and cosine score; audit verify-sources detects tampered docs
Encrypted RAG store [Only in Maranode] — chunk text and summaries encrypted under the workspace DEK before hitting disk
Fully local embeddings and vector store — SQLite, exact cosine retrieval, no external DB
Cited answers with honest refusal — sources cited inline; model says "nothing relevant" instead of guessing
PDF ingest with OCR — text extraction with page numbers, table extraction to Markdown, OCR for scanned PDFs
Ephemeral attachment — extract text for one conversation, store nothing permanently
Ingest permission policy — anyone / admin-only / allowlist; permanent ingest controlled separately

Multi-tenancy, access and identity

Multi-tenant workspaces — own API key, model allowlist, rate limit, system prompt, audit segment, encryption key
Per-workspace quotas — memory, model count, inference rate, enforced at runtime
Local user accounts and session management — create, disable, enable, delete, session revocation
OIDC login — working with PKCE verifier
SAML SSO — basic, IdP XML signature verification added
Per-IP rate limiting — protects auth endpoints

Incident response

Incident declaration and audit freeze [Only in Maranode] — cryptographic freeze; the retention path cannot touch the log while an incident is open
Forensic snapshot [Only in Maranode] — captures runtime state as an audit event; reviewable offline
Break-glass credentials [Only in Maranode] — single-use, forces a mandatory break_glass_used audit event; emergency access is always logged

Operations and deployment

Single binary — maranoded + maranode CLI; no Python, no database server, no sidecars
State is SQLite + flat files — backup is a file copy, auditable with cat
Hot config reload — SIGHUP or maranode admin config-reload, no restart needed
systemd service unit — install, enable, start in one step
Docker images — CPU, CUDA, ROCm, OpenVINO + docker-compose
Web UI — chat, model management, audit log viewer at /ui (in active development)

Runs on the hardware you already have

Backend selected automatically at startup: Metal → CUDA → ROCm → Vulkan → OpenVINO → Ryzen AI → CPU. Override with device = in config or MARANODE_DEVICE.

CPU (x86_64)
CPU (aarch64)
NVIDIA CUDA
AMD ROCm
Apple Metal
Vulkan
Intel NPU (OpenVINO) — partial
AMD Ryzen AI XDNA — partial

The air-gap isn't a config flag.
It's iptables.

The isolation is enforced at the kernel level and verifiable with standard Linux tools — no Maranode binary required. Use iptables -L and tcpdump directly.

The OUTPUT chain default policy is DROP from the moment the daemon starts. Even if a library deep in the stack tries to phone home, the kernel drops the packet. And unlike a config flag you can misread, you can see this state yourself.

The daemon re-probes this posture periodically and chains each result into the audit log. So "the air-gap held during the audit period" becomes a timeline you can hand to a third party, not a claim they have to trust.

# verify isolation without trusting Maranode
sudo iptables -L OUTPUT
Chain OUTPUT (policy DROP)
target     prot source         destination
ACCEPT     all  anywhere       localhost

maranode verify network
✓ iptables OUTPUT chain: default DROP
✓ No outbound TCP connections detected

# run inference — silence on the wire
sudo tcpdump -i any -n not port 11984

# prove the audit chain was not tampered
maranode audit verify
✓ 1,284 events — chain intact, no tampering

# get the signed receipt for a past answer
maranode audit prove <request_id>
✓ Ed25519 receipt — model SHA-256, input/output hash
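The section above makes the point that the air-gap is checkable with standard tools rather than by trusting the daemon. The block below is an added example of the auditor-side half of that, not part of the page or the project: a small parser for `iptables -L OUTPUT` output that flags a non-DROP default policy and any ACCEPT rule whose destination is not loopback. The two listings are constructed samples in the real `iptables -L` column layout (the page's own snippet omits the `opt` column; the parser reads the header line so either layout works). Run it against live output with `sudo iptables -L OUTPUT | python3 check_output.py`.

```python
from __future__ import annotations

import re
import sys

# Destinations an air-gapped OUTPUT chain may legitimately ACCEPT.
LOOPBACK = {"localhost", "127.0.0.1", "127.0.0.0/8", "::1", "ip6-localhost"}

# Constructed sample listings (not captured from a real host).
AIRGAPPED = """\
Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             localhost
"""

LEAKY = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             localhost
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
"""


def check_output_chain(listing: str) -> tuple[bool, list[str]]:
    """Return (ok, findings). ok means the default policy is DROP and every
    ACCEPT rule's destination is loopback; anything else becomes a finding."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    if not lines:
        return False, ["empty listing"]
    head = re.match(r"Chain (\S+) \(policy (\S+)\)", lines[0])
    if not head or head.group(1) != "OUTPUT":
        return False, [f"not an OUTPUT chain listing: {lines[0]!r}"]
    findings: list[str] = []
    if head.group(2) != "DROP":
        findings.append(f"default policy is {head.group(2)}, expected DROP")
    if len(lines) < 2 or not lines[1].startswith("target"):
        return False, findings + ["missing column header"]
    cols = lines[1].split()                      # column names, in order
    t_idx, d_idx = cols.index("target"), cols.index("destination")
    for rule in lines[2:]:
        fields = rule.split()
        if len(fields) <= d_idx:
            findings.append(f"unparseable rule: {rule.strip()!r}")
            continue
        if fields[t_idx] == "ACCEPT" and fields[d_idx] not in LOOPBACK:
            findings.append(f"ACCEPT to non-loopback destination: {rule.strip()}")
    return not findings, findings


if __name__ == "__main__":
    ok, findings = check_output_chain(sys.stdin.read())
    print("OUTPUT chain: air-gapped" if ok else "OUTPUT chain: NOT air-gapped")
    for f in findings:
        print(" -", f)
    sys.exit(0 if ok else 1)
```

This checks the filter table's OUTPUT chain only; a complete audit would also confirm there are no ACCEPT rules in the nat or mangle tables and that IPv6 (`ip6tables`) is restricted the same way, and would corroborate the rule listing with the tcpdump capture the page suggests.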

Up and running in under a minute

Ubuntu 22.04+, Debian 12, RHEL / Rocky / Alma 9, Alpine 3.19+, Fedora 39+, Arch, macOS. Docker images available for all GPU variants.

curl -sSL https://get.maranode.com | sh
Detecting OS: Ubuntu 24.04
Detecting hardware: NVIDIA CUDA 12.4
Installing maranoded and maranode CLI...
✓ Done — sudo systemctl start maranoded

brew tap maranode/maranode
brew install maranode
maranode serve

curl -sSL https://maranode.github.io/maranode/apt/maranode-archive-keyring.gpg \
  | sudo tee /usr/share/keyrings/maranode-archive-keyring.gpg > /dev/null

echo "deb [signed-by=/usr/share/keyrings/maranode-archive-keyring.gpg] \
  https://maranode.github.io/maranode/apt stable main" \
  | sudo tee /etc/apt/sources.list.d/maranode.list

sudo apt update && sudo apt install maranode
sudo systemctl enable --now maranoded

# Rust 1.88+, CMake 3.14+ | macOS: xcode-select --install
git clone https://github.com/maranode/maranode && cd maranode
make build          # auto-detects Metal / CUDA / ROCm / CPU

# select backend explicitly:
make build-metal    # Apple Metal
make build-cuda     # NVIDIA
make build-rocm     # AMD
make build-npu      # Intel NPU (OpenVINO)

# any OpenAI SDK works — change one line
from openai import OpenAI

client = OpenAI(base_url="http://localhost:11984/v1", api_key="your-api-key")
resp = client.chat.completions.create(
    model="llama3.2:3b",
    messages=[{"role": "user", "content": "Summarize GDPR Article 30 obligations"}],
    extra_body={"with_receipt": True},  # request signed proof
)

# verify the receipt offline — no daemon needed
maranode-verify receipt.json --input prompt.json --output response.txt
✓ Signature valid — model SHA-256 matches, hashes match

Start running local AI today

Apache 2.0. Pre-alpha — core runtime and all features are working. Hardening and third-party audit are ongoing.
