Logo
NeoArc Studio

Security and Deployment

Architecture documentation describes your most sensitive systems, and it should not live on someone else's server. NeoArc Studio runs entirely on the desktop with no cloud dependency, supporting fully air-gapped deployments for regulated environments.

Your Architecture Never Leaves Your Control

Architecture documentation describes the most sensitive aspects of your systems: network topology, security controls, data flows, integration points, and known vulnerabilities. This information should not be stored on someone else's server.

NeoArc Studio runs entirely on your desktop. There is no cloud account, no telemetry, no phone-home capability, and no vendor-hosted storage. Your architecture data lives in your Git repository, on your infrastructure, under your control.

Three Deployment Tiers

Different organisations have different security requirements. A startup may be comfortable with full internet connectivity. A defence contractor may require complete network isolation. NeoArc supports three deployment tiers to match your security posture.

Default-Deny Security Model

NeoArc uses a default-deny approach to network access. No feature assumes network connectivity. Features that can use the network are explicitly gated and can be disabled per deployment tier.

Secure by Design

Deployment Scenarios

Security Enables Everything Else

Local-first storage is not just a security measure. It is the architectural choice that makes the rest of the system possible.

Model-first consistency depends on a single source of truth that is never forked by cloud sync conflicts or mediated by a vendor's merge logic. When the data model, its projections, and all governance artefacts live on your filesystem and in your Git repository, consistency is structural. There is no third-party service introducing race conditions between your database schema and your API contract.

Governance-by-graph depends on the intent graph being always local and always queryable. When governance rules, risk assessments, and coverage reports are computed from a local graph, the results are deterministic. They do not depend on a cloud service being available, correctly versioned, or honestly reporting its state. The same architectural choice that protects your documentation from external access also eliminates the drift, lock-in, and vendor dependency that plague cloud-first tools.