Sovereign AI // South Africa
Production AI your regulator can't object to.
South African medical schemes, banks, and insurers are running AI on infrastructure that routes personal data through foreign jurisdictions. Custos designs the architecture that keeps it sovereign, POPIA-compliant, and defensible.
The distinction most pilots miss
Data residency keeps the bytes in SA. It does not put them beyond the reach of foreign law. Sovereignty is who can compel access, not where the disk sits.
Medical Aid
Member health data is special personal information. Every LLM pilot touches it during inference, not just storage.
Banking
AML and credit-decision AI sits across POPIA, FIC, and SARB cloud rules at once. The architecture has to satisfy all three.
Insurance
Underwriting and claims AI must be explainable to a regulator and fair to a customer. That is an architecture problem before it is a model problem.
Compliance is an architecture decision, not a policy document.
Most "AI governance" stops at a written policy. The exposure lives in the data flow: where personal information actually moves when a model runs. Custos works at that layer.
Map the data flow
Classify every point personal information moves through an AI workload: storage, embeddings, prompt history, inference state. Most teams have mapped storage and nothing else.
Find the regulatory boundary
Mark where POPIA Section 72, Section 26, SARB Directive 3, or SAM obligations are triggered. This is the line your architecture has to defend.
Design the sovereign path
Choose the deployment that holds: on-prem GPU, Cassava AI Factory, or hybrid retrieval with controlled generation. Documented so legal and the regulator can read it.
For CIOs, CROs, and Heads of Data
"Where does our AI data actually live?" If the answer isn't clean, that's the conversation.
25 minutes. No pitch. A working session on your AI workloads and where the regulatory exposure sits.