The Air-Gap Requirement
Defense contractors, government intelligence agencies, and critical infrastructure operators manage networks where external internet connectivity is physically impossible, not merely prohibited by policy. A SCIF (Sensitive Compartmented Information Facility) is a room or facility designed to prevent electronic eavesdropping and signals intelligence collection; it is Faraday-caged, with no wireless signals entering or exiting. A classified government network under ITAR (International Traffic in Arms Regulations) control cannot transmit covered technical data to unapproved parties, a category that includes cloud service providers not cleared under ITAR.
For organizations in these environments, "cloud SaaS" is not a risk to be managed; it is a technical impossibility. Any anonymization tool that requires an active network connection cannot be deployed. Any tool that phones home for license verification is a non-starter. Any tool whose detection models require cloud API calls for inference cannot function.
The Ollama community specifically cites air-gapped deployment as the primary justification for local AI tooling: "All data stays on your device with Ollama, with no information sent to external servers — particularly important for sensitive work like doctors handling patient notes or lawyers reviewing case files." The same rationale applies at the organizational level for classified and ITAR-controlled environments.
The ITAR Use Case
A data scientist at a defense contractor processing personnel records under ITAR requirements needs to de-identify files before sharing them with a FOIA-requesting journalist. The contractor's network is air-gapped. The processing must occur on the air-gapped machine and must produce outputs suitable for public release.
This use case has no cloud solution. The only path is a tool that runs entirely on the local machine, applies detection models stored locally, and produces anonymized outputs without any external communication. The Tauri 2.0-based desktop application runs in exactly this configuration: after download and installation, no network calls are made during document processing. The spaCy NER models, the regex patterns, and the transformer inference run locally. The processing output never leaves the machine unless explicitly exported by the user.
Reversible Pseudonymization for Classified Operations
A related requirement in classified and government contexts is reversible pseudonymization that maintains analytical utility while protecting real identities. GDPR Article 4(5) formally recognizes pseudonymization as a data protection measure that reduces compliance risk: pseudonymized data is subject to reduced obligations compared to fully identifiable data, provided the pseudonymization keys are kept separate from the pseudonymized dataset.
IAPP research (2024) found that only 23% of anonymization tools offer true reversibility, the ability to decrypt pseudonymized data back to original values using a key that is kept separate from the output. The majority of tools implement permanent replacement (the original data is overwritten and cannot be recovered) or masking (partial display of the original value).
For government operations where pseudonymized datasets must be shareable across compartments (one team receives the pseudonymized dataset for analytical work, another team holds the decryption key for re-identification when legally required), reversible encryption with key separation is the only compliant architecture.
The zero-knowledge approach extends this further: the encryption key is generated client-side and never transmitted. Even if the anonymization tool's provider were subpoenaed, they could not produce the decryption key because they never received it. For classified environments where chain of custody for encryption keys is itself a security requirement, this architecture provides the required assurance.
EDPB Guidance Compliance
EDPB Guidelines 05/2022 on pseudonymization require key separation: the pseudonymization key must be held by a different party than the party receiving the pseudonymized dataset, or stored with technical controls that prevent the receiving party from accessing both the data and the key simultaneously.
The combination of client-side key generation (key never leaves the user's device), local processing (data never leaves the air-gapped environment), and separate export of pseudonymized outputs and decryption keys satisfies the EDPB's key separation requirement while meeting the air-gapped operational constraint.
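The key-separation architecture described in the two sections above (client-side key generation, deterministic pseudonyms that preserve joins across records, and separate export of the dataset and the key material) is shown here as an added example. This is illustrative code written for this page, not the desktop application's own implementation. It assumes free-text personnel records with two PII categories found by regex (email addresses and phone numbers; the NER stage for names is not shown), and it uses the lookup-table form of reversible pseudonymization recognized in the EDPB guidance: the token-to-original table travels with the key to the custodian and never with the released dataset. The sample records are constructed and contain no real data.

```python
"""Reversible pseudonymization with key separation (added example, not the page's code).

Assumptions: free-text records, regex detection for EMAIL and PHONE only, and
lookup-table reversal where the table is part of the key bundle held by the
custodian, never part of the released dataset.
"""
import hashlib
import hmac
import json
import re
import secrets

# Constructed sample records; every name, address and number is invented.
SAMPLE_RECORDS = [
    "Clearance renewal for Jane Doe, jane.doe@example.mil, phone 555-0142.",
    "Interview scheduled with John Roe (john.roe@example.mil) by Jane Doe.",
    "Travel voucher filed by jane.doe@example.mil, callback 555-0199.",
]

# Minimal detection patterns; the point of the example is the key handling.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\b\d{3}-\d{4}\b"),
}

# Shape of the tokens the pseudonymizer emits, used by the re-identification step.
TOKEN_RE = re.compile(r"\[(?:EMAIL|PHONE)_[0-9a-f]{12}\]")


def generate_key() -> bytes:
    """Client-side key generation: 256 bits from the OS CSPRNG, never transmitted."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, category: str, value: str) -> str:
    """Deterministic keyed token. The same value always maps to the same token
    under one key, so joins across records still work for the analysts, while
    without the key nobody can test whether a guessed value matches a token."""
    mac = hmac.new(key, f"{category}:{value}".encode(), hashlib.sha256)
    return f"[{category}_{mac.hexdigest()[:12]}]"


def pseudonymize_records(records, key):
    """Return (pseudonymized records, key bundle).

    The bundle holds the key and the token->original table; it is exported
    separately from the records so the receiving team never gets both."""
    table = {}

    def replacer(category):
        def _sub(match):
            original = match.group(0)
            token = pseudonym(key, category, original)
            table[token] = original
            return token
        return _sub

    out = []
    for rec in records:
        for category, pattern in PATTERNS.items():
            rec = pattern.sub(replacer(category), rec)
        out.append(rec)
    return out, {"key": key.hex(), "table": table}


def reidentify(pseudonymized, bundle):
    """Key custodian's side: restore originals from the separately held bundle."""
    table = bundle["table"]
    return [TOKEN_RE.sub(lambda m: table[m.group(0)], rec) for rec in pseudonymized]


def export_for_release(pseudonymized) -> str:
    """What leaves the compartment: records only, no key and no table."""
    return json.dumps({"records": pseudonymized}, indent=2)


def export_key_bundle(bundle) -> str:
    """What stays with the key custodian, written to a separate file."""
    return json.dumps(bundle, indent=2)


if __name__ == "__main__":
    key = generate_key()
    pseud, bundle = pseudonymize_records(SAMPLE_RECORDS, key)
    print(export_for_release(pseud))
    assert reidentify(pseud, bundle) == SAMPLE_RECORDS
```

Running the block prints the release-ready records, in which both occurrences of the same email address carry the same token, and the round trip through `reidentify` only succeeds for whoever holds the bundle. Writing `export_for_release` and `export_key_bundle` to two files with different custodians is what turns the EDPB key-separation requirement into an operational control on an air-gapped host.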
Sources: