Security & Compliance

The tool that governs your infrastructure is also your most security-sensitive tool. We take that seriously.

Vernix.one is self-hosted, air-gap-capable, and designed from the ground up for organizations that operate in regulated environments. Here’s how security works — and what it means for your compliance posture.

Self-hosted means exactly that.

Vernix.one runs inside your environment. On your servers. In your data center or private cloud. No component of the Vernix.one platform calls home, sends telemetry, or syncs data to any external system.

Your infrastructure topology, architecture models, IaC code, compliance results, and change history stay entirely within your network boundary. We never see them. Neither does anyone else.

What this means in practice

  • No cloud vendor has access to your infrastructure data
  • No GDPR risk introduced by the tool itself
  • No US-cloud exposure — ever
  • Full control over network access to the Vernix.one instance
  • Air-gapped deployment available for the most sensitive environments
  • Data residency is wherever you deploy it

What Vernix.one checks — and what it means for each regulation.

DORA — Digital Operational Resilience Act

Active January 2025. Applies to banks, insurance companies, investment firms, payment processors, and other financial entities across the EU.

Vernix.one checks: ICT risk management controls, system redundancy, backup and recovery policies, incident response infrastructure, third-party provider exit readiness, and audit trail completeness.

Article 30 note: DORA requires that you can exit arrangements with ICT third-party providers. Vernix.one is designed for clean exit from day one — no lock-in, no proprietary data formats, no vendor dependency.

NIS2 — Network and Information Security Directive

Active 2025. Applies to operators of essential services and important entities across critical sectors including energy, transport, banking, healthcare, digital infrastructure, and public administration.

Vernix.one checks: network segmentation, access control policies, supply chain transparency, security patch status indicators, incident detection capabilities, and backup integrity.

GDPR — General Data Protection Regulation

Active since 2018, enforcement continuing to intensify. Applies to any organization processing personal data of EU residents.

Vernix.one checks: data residency (whether personal data systems are hosted in compliant jurisdictions), encryption at rest and in transit, access control to personal data systems, data retention policy indicators, and public exposure of personal data infrastructure.

ISO 27001 — Information Security Management

The international standard for information security management systems. Required or expected by many enterprise customers and procurement processes.

Vernix.one checks: asset inventory completeness (one of the most common ISO 27001 gaps), access control policies, network exposure, encryption configuration, and change management evidence.

PCI DSS — Payment Card Industry Data Security Standard

Required for any organization that processes, stores, or transmits payment card data.

Vernix.one checks: cardholder data environment isolation, network segmentation, encryption of card data systems, access control to payment infrastructure, and audit trail for changes to payment systems.

AI Act

Arriving 2026. Applies to providers and users of AI systems in the EU, with requirements varying by risk classification.

Vernix.one checks: AI system infrastructure logging and auditability, data governance indicators, access controls for AI system components, and deployment environment documentation.

Cyber Resilience Act

Arriving 2026. Applies to manufacturers and suppliers of products with digital elements — hardware and software.

Vernix.one checks: software bill of materials (SBOM) readiness indicators, update and patch management infrastructure, vulnerability disclosure capability, and security-by-design documentation.

How Vernix.one’s compliance engine works.

Vernix.one evaluates your infrastructure graph — the live model of everything running in your environment — against the policy rules for each regulation. Checks run continuously, not just before audit season.

Each check produces one of three results:

  • Pass — the infrastructure meets the requirement
  • Fail — the infrastructure does not meet the requirement, with a specific finding
  • Warning — the infrastructure partially meets the requirement or requires manual verification

Results are versioned. Every compliance state your infrastructure has ever been in is recorded. When a regulator asks for evidence of a control at a specific point in time, you retrieve the version from that date instead of reconstructing it from memory.

The audit trail.

Every change to your infrastructure creates a new version in Vernix.one. The audit trail records:

  • What changed — specific components, configurations, relationships
  • When it changed — timestamp on every version
  • Compliance impact — how the change affected your compliance status

This produces a continuous, tamper-evident record of your infrastructure’s evolution. Internal governance teams and external auditors can query any point in time. Compliance reports can be generated for any historical state.

Vernix.one platform security.

Authentication and access control

Vernix.one supports role-based access control. Different users can be granted different levels of access — read-only for auditors, full access for platform administrators, scoped access for team-specific views.

Network security

Vernix.one is deployed within your network perimeter. Access to the Vernix.one interface is controlled by your existing network security policies. The platform does not require inbound connectivity from the internet.

Encryption

All data stored by Vernix.one is encrypted at rest. All communication between Vernix.one components uses TLS. The specifics of key management follow your organization’s standards — Vernix.one integrates with your existing key management infrastructure.

Air-gapped deployment

For environments that cannot have any external network connectivity, Vernix.one supports fully air-gapped deployment. All discovery, modeling, compliance checking, and reporting functions operate without internet access.

Security questions before you proceed?

We’re happy to go deeper on any aspect of Vernix.one’s security architecture. Send your questions to tech@vernix.one or book a technical review session.
