Your data on Eldric

Your data,
your hardware.

A short, plain-language walk-through of where your data lives on an Eldric installation, how it stays isolated from other tenants on the same cluster, how you take a copy with you when you need to, and how erasure works. Written for the person whose data it is — not the cluster operator.

Where your data lives

On the hardware your administrator runs.

Eldric runs on the hardware your organisation operates — a data centre, a department server, an edge gateway, sometimes a single workstation. Your documents, conversation history, knowledge bases and any models you fine-tune all live on that hardware. There is no Eldric cloud where your data gets uploaded; the platform is what your administrator installed.

That has a useful side effect for compliance: data residency is wherever the hardware physically sits. If your administrator installed Eldric in Frankfurt, your data is in Frankfurt. If it's installed inside the hospital network, it's inside the hospital network. The platform has no path to send it anywhere else.

Tenant isolation

Walls between teams.

An Eldric installation is multi-tenant. Each tenant — typically a department, a study, a customer of yours, or a project — gets its own walled area. The walls are enforced at the platform's request-routing layer: a query made under tenant A simply cannot reach data stored under tenant B, regardless of which user is asking. Cross-tenant access requests are refused at the gateway before they ever touch storage.

What that means in practice:

• Your documents are stored under your tenant. Searches return your documents and nobody else's.
• Your conversations are stored under your tenant. Even users with administrative roles in other tenants cannot see them.
• Your fine-tuned models belong to your tenant. They serve queries from your tenant and are not available outside it.
• Your knowledge bases are scoped per tenant. A query that names a knowledge base resolves only within your tenant's namespace.

Roles — Viewer, Developer, Admin, SuperAdmin — gate what each user can do inside a tenant. Cross-tenant boundaries are enforced separately and unconditionally.

Taking a copy with you

Portable export of your tenant.

Eldric 5.0 ships an admin-driven export that produces a single portable file containing everything that belongs to a tenant: documents, knowledge bases, conversation history, fine-tuned models, custom agents and the tenant's configuration. The file is signed end-to-end so it can't be tampered with in transit, and it carries only the named tenant's data — never any other tenant's.

Typical reasons to export:

• Moving between installations. Your organisation stands up a second Eldric cluster in a different region; you take a copy of your tenant with you, your administrator imports it, you carry on with full history.
• Project handoff. A consultant finishes the engagement and hands over the project's knowledge base, agents and conversation history to your in-house team.
• Edge seeding. Your factory needs a local Eldric on its own hardware; you export the relevant slice of the central tenant and seed the edge node with it.
• Backup & disaster recovery. Your administrator keeps periodic exports for restore.

Exports are an admin action — your tenant administrator runs them through the Admin Console. The format is portable: the same file imports into an Eldric installation of the same version or a later one.

The 5.0 export covers tenant-level operations. Cross-tenant transfers — handing your tenant to a different organisation entirely — are scope-restricted to fresh installs in 5.0; live merges of two existing tenants are a 5.1 feature.

Erasure

Right to have your data removed.

Eldric supports per-tenant and per-user erasure. Your administrator can:

• Delete a user. The user's account, conversations and personal preferences are removed. Their contributions to shared tenant resources (documents they uploaded, knowledge bases they curated) remain unless deleted separately.
• Delete a tenant. Everything that belongs to the tenant — documents, conversations, knowledge bases, models, agents, configuration — is removed from the cluster's storage. This is the path for a complete tenant exit.
• Delete specific documents. Individual documents removed from a knowledge base are dropped from the search index and the underlying storage. Re-running affected queries will not return them.

The audit ledger keeps a hash-chained record of administrative actions, including erasure operations, so compliance reviews can confirm that requested deletions actually happened. The ledger entries themselves do not contain the deleted content; they record only that the action took place, by whom, and against which subject.

For organisations subject to GDPR's right-to-erasure obligations, the per-user and per-document paths above cover individual requests; the per-tenant path covers complete withdrawals. Your administrator and your data-protection officer set the operational SLAs.

What we explicitly support

Compliance posture.

Eldric provides the technical means to support these regulatory frameworks. Compliance is a process question your organisation runs end-to-end; we're the platform that doesn't fight you on it.

Next.

For the platform's overall security posture and multi-tenant model, read how it works. For administrative documentation on exports, imports and erasure, your administrator should start at the help hub. For specific compliance questions, write to office@eldric.ai.