Architecture

Separated surfaces for enterprise AI runtime trust.

NeoVail keeps the public website separate from the SaaS control plane, regional telemetry intake, and customer-local enforcement layer. Each surface has its own trust boundary, data responsibility, and deployment cadence.

Last updated: May 15, 2026

Reference architecture

The public marketing site does not host product governance, telemetry intake, or runtime enforcement. Those responsibilities live in separate services so security, compliance, and procurement can reason about them independently.

Protocol path: Public -> governed -> intake -> local

1. Browser request

Visitor enters the public site, views trust content, or starts a demo request.

2. Regional control

Governance policy, identity, and evidence live in the regional control plane.

3. Regional intake

Sentinel telemetry reaches the regional intake boundary for processing and retention.

4. Customer runtime

Enforcement happens where the models, agents, and MCP servers actually run.

Runtime architecture

Surfaces, boundaries, and the path between them

01 Public: neovail.com and www.neovail.com

Public website

Static marketing pages, legal notices, trust pages, and demo entry points.

02 Governed: app.neovail.com

Regional control plane

Policy administration, AI asset graph, evidence review, and customer workflow management.

03 Intake: ingest.eu.neovail.com

Regional ingestion

Sentinel telemetry intake with customer-selected residency, handling, and retention rules.

04 Local: Sentinel + models + agents + MCP servers

Customer environment

Local enforcement boundary where verification, policy checks, and blocking happen before actions proceed.

Website isolated from control plane; regional intake boundary; customer-local enforcement.

Surface map

This is the practical split behind the product and the website. It keeps public-facing content, governed operations, and customer-local controls from collapsing into one mixed trust zone.

Public website

neovail.com and www.neovail.com serve static marketing pages, legal notices, and trust materials. No customer evidence, product state, or operational telemetry belongs here.

Regional control plane

app.neovail.com is the operator surface for AI asset inventory, policy administration, evidence review, and customer workflow management.

Regional ingestion

ingest.eu.neovail.com and other regional endpoints receive Sentinel telemetry under customer-selected residency and data-handling rules.

Customer environment

Sentinel runs next to models, agents, and MCP servers to make runtime decisions before actions are allowed to proceed.

How data moves

The path is intentionally narrow: observe locally, classify centrally, enforce locally, and export evidence when asked.

1. Observe

Sentinel observes model, agent, and MCP activity inside the customer environment where the action originates.

2. Classify

Regional control planes correlate assets, identities, policies, and runtime events to determine the applicable governance posture.

3. Enforce

Decisions are applied at the runtime boundary, gateway, or policy hook before the action can proceed.

4. Export evidence

Administrators can export records that show what happened, which policy applied, and what the outcome was.

Deployment boundaries

Public website

neovail.com and www.neovail.com host static marketing pages with no customer evidence, no database, no authentication, and no backend dependency.

SaaS control plane

app.neovail.com is the product surface for regional governance, policy administration, asset graph review, and evidence workflows.

Regional ingestion

Regional intake endpoints receive Sentinel telemetry under the deployment and residency model selected by the customer.

Customer-local enforcement

Sentinel operates in the customer environment alongside models, agents, MCP servers, and runtime systems.

Private deployment option

Future private deployment options can support stricter network, identity, and residency constraints.

Cloud and platform support

Future support is planned for AKS, Azure Arc, AWS, GCP, and other enterprise runtime environments.