Home / Docs / Operations / security

VPN, ACLs, isolation guarantees

Access model, network layout, and data governance.

Private access model

Tailscale provides encrypted mesh networking
No services are exposed publicly
All access occurs via Tailnet IPs or MagicDNS

Recommended network layout

Proxmox host joined to Tailnet
Each VM joined independently
Optional ACLs for marketing vs admin users

flowchart LR
    User[User] --> Tailscale[Tailscale]
    Tailscale --> VM[VMs]
    VM --> |no public internet| Internet[Internet]

Data governance & usage policy

Allowed content

Internal marketing copy
Public-facing documentation
Publicly available PDFs and manuals

Prohibited content

Customer PII
Credentials, secrets, API keys
NDA-protected third-party material

Retention

Training datasets retained internally
LoRA adapters versioned and archived
Raw OCR inputs may be purged after ingestion