Superwisdom — Confidential AI
Cloud-isolated AI: Use Claude and ChatGPT with your confidential files, without ever connecting to Anthropic or OpenAI. Military-grade confidentiality with consumer-grade simplicity.
How It Works
- Establish Your Account: Contact our team to set up your Superwisdom enterprise account.
- Download from AWS Marketplace: The application deploys into a dedicated AWS account under your organization — fully isolated from every other customer.
- Configure and Go: Set up authentication, guardrails, encryption policies, and user access — all from inside your own AWS perimeter.
Security Architecture
Foundation
- AWS-Only Architecture: AWS is the only major cloud provider not in the business of selling user data or partnered with OpenAI.
Isolation Layers
- Your Own AWS Organization: Every customer deploys Superwisdom from the AWS Marketplace into their own AWS Organization with no cross-customer connections or shared resources.
- WisdomDrive File Isolation: Secure file storage within your walled garden environment.
- Walled Garden LLM Isolation: Using AWS Bedrock, isolated copies of frontier models are deployed directly within your environment. No outbound connection to any AI provider.
- Internet Isolated: Defaults to complete internet isolation as the first line of defense against data exfiltration.
Access & Privacy
- Zero Human Access: Superwisdom has no access to your deployment. Your team manages all access. Only you hold the keys.
- Ephemeral Use: Conversations exist only in volatile memory and vanish when you close your browser.
Technology — superwisdom.ai/technology
There are only 4 paths to using frontier LLMs like Claude. Superwisdom is the cloud-isolated, military-grade path.
The 8 Pillars of the Superwisdom Architecture
- AWS-Only Architecture (Foundation): AWS is the only major cloud provider not in the business of selling user data or partnered with OpenAI.
- Deployed into Your Own AWS Organization (Isolation): Every customer deploys Superwisdom from the AWS Marketplace into their own AWS Organization with no cross-customer connections or shared resources.
- WisdomDrive File Isolation (Isolation): Confidential material never leaves your secure AWS walled garden.
- Walled Garden LLM Isolation (Isolation): Using AWS Bedrock, isolated copies of frontier models run inside your perimeter. No outbound connection to Anthropic, OpenAI, or any other AI provider. Model copies cannot communicate with their motherships.
- Internet Isolated (Isolation): Defaults to complete internet isolation as the first line of defense against data exfiltration.
- Zero Human Access (Privacy): No Superwisdom employee, support team, or super-administrator can see your data. Only you hold the keys.
- Ephemeral Use (Privacy): Conversations exist only in volatile memory and vanish when you close your browser. No database to breach, no archive to expose.
- Auditable Infrastructure (Verification): Native AWS audit tools — CloudTrail, SecurityHub, GuardDuty, Config — provide full visibility.
Encryption: Conversations are protected with AES-256-GCM envelope encryption. Each conversation gets its own data encryption key, which is itself encrypted by AWS KMS using an encryption context that includes the user ID, conversation ID, and customer name. Point-in-time recovery is enabled on all databases.
Compliance targets: Superwisdom aims far higher than SOC 2 — targeting military-grade FedRAMP High and DoD IL5/IL6. We also lead the SOC Zero movement (soczero.org), a new full-cryptography standard.
Superwisdom Certified — superwisdom.ai/certified
A 30-minute self-paced specialist course for AWS-fluent consultants who want to deploy Superwisdom for subscribers.
Architecture (Module 1)
Each subscriber gets their own dedicated AWS account inside the Superwisdom AWS Organization. There is no shared application database, no shared compute, no shared encryption key. A tenant runs five capabilities, all native AWS:
- Frontend: Next.js SSR on AWS Amplify, served via CloudFront at {tenant}.superwisdom.ai.
- Backend: Containerized API on ECS Fargate behind an ALB at api.{tenant}.superwisdom.ai.
- Authentication: Cognito User Pool with optional Azure AD / Entra ID federation; OTP or password.
- Data: DynamoDB for users and conversations, S3 for attachments and documents, all encrypted with KMS.
- AI: Amazon Bedrock for inference, Bedrock Guardrails for safety, Textract for document OCR — all in the tenant's account.
- Audit: CloudTrail to a tenant audit bucket, CloudWatch logs, SNS notifications.
The only manual deployment step is delegating four NS records in the parent registrar. Everything else is automated by Pulumi IaC.
Security & Compliance Posture (Module 2)
- Blast Radius: A misconfiguration or breach in one tenant is structurally incapable of exposing another tenant's data.
- Bring Your Own Key (BYOK): Subscribers can supply a KMS key from their own AWS account. The tenant gets only Encrypt, Decrypt, and GenerateDataKey grants. Revoking the grant immediately renders all encrypted data inaccessible.
- Encryption: DynamoDB SSE with KMS plus PITR. S3 SSE-KMS with versioning. TLS via ACM on every endpoint.
- Auditability: CloudTrail to a dedicated audit bucket. Bedrock Guardrails on prompts and completions.
- Identity: Cognito with OTP or password; optional Azure AD / Entra ID federation; email allowlists via Pre-SignUp Lambda.
- No Shared Account: Superwisdom does not maintain a shared services account that holds customer data.
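The encryption design described under Technology (one data key per conversation, wrapped by KMS with a context of user ID, conversation ID and customer name) and the BYOK grant-revocation behaviour in Module 2, as one added Go example; this is not Superwisdom's code. An in-process mock stands in for AWS KMS (an assumption, as is every name here: Context, KMS, EncryptConversation, DecryptConversation), binding the encryption context as GCM additional authenticated data the way KMS does, so a mismatched context or a revoked grant leaves the wrapped DEK, and with it the conversation, undecryptable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
)

// Context mirrors the KMS encryption context; json.Marshal sorts keys, so equal pairs give identical AAD.
type Context map[string]string
func (c Context) aad() []byte     { b, _ := json.Marshal(c); return b }
func aead(key []byte) cipher.AEAD { blk, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(blk); return g }

// seal/open: AES-256-GCM with a random 96-bit nonce prepended; aad is authenticated, not encrypted.
func seal(key, pt, aad []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return append(nonce, aead(key).Seal(nil, nonce, pt, aad)...)
}
func open(key, ct, aad []byte) ([]byte, error) {
	if len(ct) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return aead(key).Open(nil, ct[:12], ct[12:], aad)
}

// KMS is an in-process mock (assumption) of the customer-owned key: the KEK never leaves it, a revocable grant gates every call.
type KMS struct{ kek []byte; granted bool }
func NewKMS() *KMS          { k := make([]byte, 32); rand.Read(k); return &KMS{kek: k, granted: true} }
func (k *KMS) RevokeGrant() { k.granted = false } // the BYOK kill switch, pulled from the customer's account

// EncryptConversation: fresh DEK per conversation, wrapped under the KEK with ctx as AAD (kms:GenerateDataKey).
func EncryptConversation(k *KMS, ctx Context, msg []byte) (wrappedDEK, ct []byte, err error) {
	if !k.granted { return nil, nil, errors.New("AccessDenied: grant revoked") }
	dek := make([]byte, 32)
	rand.Read(dek)
	return seal(k.kek, dek, ctx.aad()), seal(dek, msg, ctx.aad()), nil
}

// DecryptConversation unwraps the DEK with the same ctx (kms:Decrypt); a different user, conversation or customer fails the GCM tag check.
func DecryptConversation(k *KMS, ctx Context, wrappedDEK, ct []byte) ([]byte, error) {
	if !k.granted { return nil, errors.New("AccessDenied: grant revoked") }
	dek, err := open(k.kek, wrappedDEK, ctx.aad())
	if err != nil {
		return nil, err
	}
	return open(dek, ct, ctx.aad())
}
```

Because the context is authenticated rather than looked up, a stored record cannot be re-labelled to another user or tenant without the unwrap failing; revoking the grant fails closed for both new and existing conversations.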
Positioning (Module 3)
Three differentiators: (1) Account-level isolation; (2) Native AWS Bedrock — prompts never leave AWS; (3) BYOK plus open Pulumi IaC the customer can audit. Highest-velocity buyer profiles: regulated professional services (wealth, insurance, legal, accounting); enterprises with existing AWS posture; subscribers blocked by internal counsel from ChatGPT/Copilot.
Contact
team@superwisdom.ai
https://superwisdom.ai