LakeX Sovereign DataVault archives, governs, and AI-queries your structured and unstructured enterprise data — with military-grade security, full on-premises deployment, and zero data leaving your perimeter.
| Archive Job | Database | Tables | Status | Next Run |
|---|---|---|---|---|
| FINCORE_PROD | Oracle 19c | 142 | Completed | 02:00 daily |
| RISK_MGMT_DB | PostgreSQL | 87 | Running | — |
| DOCS_ARCHIVE | SharePoint | — | Scheduled | 06:00 daily |
Sovereign DataVault is the sovereign data intelligence layer for BFSI and regulated enterprises. It replaces siloed archival tools, legacy cold-storage systems, and ad-hoc compliance scripts with a unified platform that archives intelligently, queries with AI, and enforces governance end-to-end.
Archive from Oracle, PostgreSQL, MySQL, MSSQL, and Db2 to Apache Iceberg Parquet — with automated sort-column selection for sub-millisecond query pruning, zero cluster tuning required.
Ingest files, S3, Azure Blob, SharePoint, HDFS, email, logs, JSON/XML, Confluence, and more. NER extraction, vector embedding, and RAG-based AI querying over all your unstructured content.
PKCS#11 HSM, post-quantum hybrid encryption (ML-KEM-768 + X25519), format-preserving encryption, AWS/Azure/GCP KMS, and HashiCorp Vault Transit — all governable from a single policy engine.
Core banking systems accumulate terabytes of transaction, loan, and customer data annually. Sovereign DataVault archives Oracle and Db2 tables to Apache Iceberg with automated sort optimization — making 10-year transaction histories queryable in sub-second time without spinning up compute clusters.
Scan Oracle schema — identify 2,400 tables across FINCORE, RISK_DB, CUSTMGMT
Auto-selects TRXN_DATE as sort column; Z-order on (BRANCH_ID, TRXN_DATE) for composites
Write to Stratum block storage; register in datagen-catalog; bounds stored in tracker
"Show NPAs over ₹50L in Q3 2023" → SQL generated → 98% files pruned → results in 180ms
Sovereign DataVault's governance engine enforces data retention policies, responds to DSAR requests in minutes, maintains legal holds, and generates tamper-evident audit reports. The built-in SIEM forwarder pushes CEF or JSON events to Splunk, QRadar, or ArcSight over TLS — with configurable backfill.
LEGAL_COMPLIANCE role submits request with subject email/NIC identifier
NER scan over structured tables + semantic vector search across unstructured documents
All matching rows, chunks, and spans surfaced with document provenance
Erase or redact in-place; full audit trail written; SIEM event forwarded
TDM Workflows provision masked copies of production archives to dev and staging environments. Foreign-key chains are resolved automatically — no dangling references. CI/CD API keys let your pipelines trigger refreshes on every merge, ensuring tests always run on current, safe data.
Select archive, target DB, masking rules, and seed SQL
Pipeline calls POST /lvs/tdm/workflows/{id}/trigger with API key
System traverses FK graph; provisions in dependency order
Masked, referentially-intact data loaded; tests run against safe copy
Ingest SharePoint libraries, HDFS, email archives, NFS shares, and Confluence spaces. Sovereign DataVault extracts text, runs NER (names, emails, phone numbers, account IDs), embeds with nomic-embed-text, and indexes in Qdrant. AI chat sessions search across all sources with RAG — answering questions, not just returning documents.
LVUS agent extracts text, runs NER, chunks and embeds into Qdrant on Stratum
"Summarize all board resolutions mentioning dividend policy since 2022"
Query embedded on Stratum → top-K chunks retrieved from Qdrant
AI server receives chunks + governance context → generates cited answer
Sovereign DataVault is designed for organisations where data security is not a feature — it's a requirement. Every encryption key is anchored to hardware. Every access is logged. And the system is already prepared for the quantum computing threat that regulators are beginning to mandate.
Key material never leaves the HSM. Works with Thales Luna, Entrust nShield, AWS CloudHSM, YubiHSM, and SoftHSM2 for dev. Every encrypt/decrypt opens a session inside the HSM and closes immediately.
ML-KEM-768 + X25519 KEM with X-Wing combiner for encryption. ML-DSA-65 + Ed25519 for signatures. Both primitives must verify — defending against a break of either one in isolation.
Encrypt PAN, Aadhaar, national IDs, phone numbers while preserving format. Encrypted values remain valid in downstream systems — no schema changes, no application rewrites.
Every administrative and data action is written to an append-only audit table with a cryptographic hash chain. SIEM events forward in real time via CEF/JSON over TLS to Splunk, QRadar, or ArcSight.
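The hash-chained audit table described above, sketched as an added example (not LakeX code; the record layout, field names, `GENESIS` value and sample events are assumptions). Each record commits to its predecessor, and `verify` reports the first record where the chain breaks.

```python
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # assumed anchor value that the first record links to


def record_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous hash plus a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{body}".encode("utf-8")).hexdigest()


def append(log: list, event: dict) -> dict:
    """Append an event, linking it to the hash of the last record."""
    prev = log[-1]["hash"] if log else GENESIS
    row = {"event": event, "prev_hash": prev, "hash": record_hash(prev, event)}
    log.append(row)
    return row


def verify(log: list, expected_head: Optional[str] = None) -> Optional[int]:
    """Return the index of the first bad record, len(log) if the head does
    not match an externally stored hash, or None if the chain is intact."""
    prev = GENESIS
    for i, row in enumerate(log):
        # A record is bad if its link is wrong or its content no longer
        # matches the hash that was stored when it was written.
        if row["prev_hash"] != prev or row["hash"] != record_hash(prev, row["event"]):
            return i
        prev = row["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # chain is consistent but was truncated or rebuilt
    return None


def build_sample_log() -> list:
    """Constructed sample events for the example, not real product output."""
    log = []
    append(log, {"actor": "admin1", "action": "ROLE_GRANT", "target": "analyst7"})
    append(log, {"actor": "legal2", "action": "DSAR_ERASE", "target": "subject-0042"})
    append(log, {"actor": "ops3", "action": "ARCHIVE_RUN", "target": "FINCORE_PROD"})
    return log
```

A chain alone does not reveal removal of the newest records, or a rewrite of the whole chain by someone with write access, which is why the latest hash should also be held outside the table, for example in the events forwarded to the SIEM.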
PKCS#11 v2.40+ — Thales Luna, nShield, AWS CloudHSM, YubiHSM, SoftHSM2
ML-KEM-768 + X25519 / ML-DSA-65 + Ed25519. Harvest-now-decrypt-later resistant.
3-phase DSAR: identify, redact, erase — with full audit trail and SLA tracking.
Admin, Operator, Analyst, Viewer, Audit Viewer + custom roles with granular permission trees.
TOTP (Google Authenticator), backup codes, and FIDO2/WebAuthn hardware security keys.
OAuth2 + OIDC integration with Microsoft Entra ID for enterprise SSO.
UDP, TCP, TLS syslog to Splunk, QRadar, ArcSight. Backfill and per-target cursor tracking.
Software Bill of Materials viewer, posture chips, and component attestation badges.
A clear separation of control plane (Meridian), data plane (Stratum), and query/AI plane — all deployable on-premises, with optional SaaS overlay.