Sovereign AI for SMEs: take back control of your data.

A sovereign AI is an artificial intelligence deployed on infrastructure you control end to end: your data doesn't pass through a third party's servers, you aren't locked into a subscription whose terms change overnight, and you can check what the software does. For an SME, this isn't a luxury reserved for large groups, it's a risk-management decision. This guide explains what the term really covers, why it matters especially for a small business, and how we approach it at Scarlet Wolf.

What sovereign AI is, and isn't

The word is used everywhere, often wrongly. Sovereign AI isn't a European flag on a brochure. It rests on three concrete conditions:

• You control the infrastructure. The AI runs on a server that is yours (your VPS, or a dedicated server operated for you), not on a shared platform you don't control.
• Your data doesn't leave. Your conversations and documents stay in your environment. They don't feed a provider's service, and no one else has access to them by default.
• The code is verifiable. You can read what the software does, how, and what it doesn't do. A proprietary black box never gives you that guarantee.

An honest clarification, because it often goes unsaid: sovereignty covers the application and your data, not necessarily the language model itself. You can plug in models that run locally on your own machine, or cloud models with your own keys. In the second case, the request goes out to the model provider, but the application, the history and your knowledge base stay with you. The choice is yours, depending on your confidentiality and budget constraints.

Why SMEs are the most exposed

Large groups have lawyers to negotiate SaaS contracts, security teams to watch the data flows, and budgets to absorb an incident. An SME often has none of that, while it's the one with the most to lose if customer data leaks or access to a now-central tool is cut off.

This point deserves its own discussion. In short, three risks come up.

The three risks of cloud AI

Your data can train the model. Under the terms of some platforms, what your teams type can be used to improve the global model. Your internal information then feeds a system you no longer oversee.

Legal sovereignty is uncertain. A service operated under US law stays subject to the CLOUD Act, even when hosted in Europe. Many discover this too late, and we broke it down in why "hosted in Europe" isn't enough. Compliance with the GDPR, for its part, plays out in how you use the tool, as we explain in cloud assistants and the GDPR.

Dependency creates a discontinuity risk. A price change, an acquisition, a service shutdown, and the tool your organisation depends on can disappear or double in price without notice.

The sovereign approach, deployed on your premises, neutralises these three points at the root: no reuse of your data, no foreign order with any hold, and an instance that keeps running whatever happens to its publisher.

What "sovereign" means in practice, at Scarlet Wolf

Our guarantees aren't checkboxes on a brochure, they follow from the architecture:

• Deployed on your infrastructure. The assistant installs on your server. Your data stays there.
• Model-agnostic, open source included. You choose the language model: an open model (such as Llama or Mistral) run locally via Ollama so nothing leaves, or a cloud model with your own key. You're locked into no provider.
• No forced subscription. You host the tool and bring your own keys. No per-user licence stacking up each month, no terms that change behind your back.
• Your knowledge base stays local. Your documents are indexed and searchable in your environment, not in a third-party service.
• European multilingual. The interface covers the 24 official languages of the Union, which matters for an SME present in several markets.
• Source-available code. The software is published under the BSL licence, readable and auditable. You can check what it does.
• Verifiable erasure. Deleting your data goes through a single path, with a certificate and a log, in line with the right to be forgotten.
• Encrypted secrets, secure transport. Sensitive keys and tokens are encrypted (Fernet), exchanges run over TLS.

The product that carries all this today, Gungnir, runs in production, on our side and with its first users.

Sovereign, and tailored to your business

Sovereignty doesn't mean generic AI. One SME doesn't have the same workflows as another, and a genuinely useful assistant is one that knows your context. You feed the AI with your own documents (procedures, files, customer base), which it indexes and searches in your environment to answer from your sources rather than generic knowledge. That makes it an AI personalised to your business, without those documents leaving your infrastructure. The memory side is detailed in why your AI assistant forgets everything between conversations.

Our first promise: transparency about the limits

Most AI pitches promise the tool does everything. Our first sentence to a client is the opposite: here is what the AI does well, here are its current limits, and here are the cases where we advise against using it. It's a rare stance in a market where marketing often outruns the technical reality. It's also the most solid over time: a client who knows exactly what they're buying stays a client.

The ecosystem, an honest view

Scarlet Wolf isn't a single product but three projects, at very different stages it would be dishonest to conflate:

• Gungnir is the operational product: the sovereign AI assistant, in production, model-agnostic, that installs on your premises.
• Morrigan is in research: a modular AI engine, conceived as an alternative to monolithic systems. We don't detail its architecture, by choice.
• Vor is earlier still: a research project on a persistent cognitive substrate for agents. No timeline promise at this stage, and above all no claim to consciousness in the strong sense. We describe a measurable architecture, not a machine that "thinks".

Key takeaways

• Sovereign AI rests on three conditions: infrastructure you control, data that doesn't leave, verifiable code.
• It isn't reserved for large groups: it's precisely the SME that has the most to gain from taking back control.
• Sovereignty covers the application and your data. The language model, you choose it, local or cloud with your keys.
• At Scarlet Wolf, these guarantees are architectural, and we own up to saying what the tool can't yet do.

FAQ

What is a sovereign AI, concretely?

An AI deployed on infrastructure you control, where your data stays with you and the code is verifiable. It stands against cloud AI, where your data is processed on a provider's servers, subject to its own terms and national law.

Is sovereign AI reserved for large companies?

No, it's the opposite. An SME doesn't have the lawyers or security teams of a large group to frame a cloud AI, while it has just as much to lose. A solution built to be sovereign from the start brings those guarantees within reach.

Do you need to be technical to deploy a sovereign AI?

The install is designed to be simple (one server, one command). For an SME without a technical team, deployment support is part of the offer. The goal isn't to turn you into a system administrator.

Is Gungnir open source?

It's source-available, under the BSL licence: the code is public and auditable, with a switch to an open licence planned in time. So you can check what the software does, which is the heart of the sovereignty promise.

Can you use open source models?

Yes. The assistant is model-agnostic: you can plug in open models (such as Llama or Mistral) run locally via Ollama, or cloud models with your own key. Open source models running locally are the most sovereign option, since nothing leaves your server.

Can the AI be tailored to my business and my documents?

Yes. You build a knowledge base from your files (procedures, records, documentation), which the assistant searches to answer from your own sources. That's what makes it an AI personalised to your business, without sending those documents to a third party.