BCKL On-Prem Secure Document AI / RAG Architecture
About This Architecture
On-premises secure document AI and RAG architecture that keeps sensitive data local while using Amazon Bedrock for generative tasks. Documents stay in MinIO object storage on-prem and pass through ingestion, OCR, classification and sensitive-data detection before pseudonymization and local embedding. The retrieval orchestrator enforces access controls and runs hybrid search over a local vector database, then sends only the minimized, pseudonymized context to Bedrock for Q&A, drafting and reasoning; raw metadata and full documents never leave the secure boundary. Note that pseudonymization is reversible by design, so the token-to-value mapping is itself sensitive and must stay inside the boundary alongside the documents, and that the pseudonymized context does cross the boundary, which is why it is minimized before it is sent. The pattern demonstrates zero-trust data governance for regulated industries that need document confidentiality while gaining AI capabilities: the cloud side receives only what the on-prem orchestrator has filtered, pseudonymized and minimized. Fork and customize this architecture on Diagrams.so to adapt chunking strategies, embedding models or access control policies to your compliance requirements.
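The orchestrator stage described above, as an added example in Python; this is illustrative code written for this page, not code from the diagram or from any Diagrams.so artifact. Everything in it is an assumption standing in for a real component: regex detectors stand in for the sensitive-data detection stage, term-frequency vectors stand in for the local embedding model, the constructed DOCS list with ACL labels stands in for MinIO objects plus classification output, and `fake_bedrock` stands in for the Bedrock call. The points it shows that the prose alone does not are that the query must be pseudonymized with the same keyed mapping as the chunks or retrieval cannot match them, that access control is applied before search rather than to the results, and that the outbound payload is checked against the local vault before anything leaves.

```python
"""Pseudonymize-then-retrieve flow with an outbound boundary check (constructed example)."""
import hashlib
import hmac
import json
import re
from collections import Counter
from math import sqrt

LOCAL_KEY = b"on-prem-pseudonymization-key"  # assumption: key material that never leaves the boundary
VAULT: dict[str, str] = {}                   # token -> original value; kept on-prem, never sent

# Constructed documents with ACL labels (stand-ins for MinIO objects + classification output)
DOCS = [
    {"id": "d1", "acl": {"finance"},
     "text": "Invoice for Alice Johnson, account 1234-5678, total 9,400 EUR due 2024-05-01."},
    {"id": "d2", "acl": {"hr"},
     "text": "Performance review for Bob Stone, employee ID 4455, discusses a salary adjustment."},
    {"id": "d3", "acl": {"finance", "hr"},
     "text": "Travel policy: reimbursement for invoices above 500 EUR requires approval."},
]

# Toy detectors standing in for the sensitive-data detection stage
DETECTORS = {
    "PERSON": re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"),
    "ACCOUNT": re.compile(r"\b\d{4}-\d{4}\b"),
    "EMPLOYEE_ID": re.compile(r"\bID \d{4}\b"),
}


def pseudonymize(text: str) -> str:
    """Replace detected values with deterministic keyed tokens and record the mapping locally.
    Deterministic tokens mean the same entity gets the same token in documents and queries."""
    def swap(label):
        def _sub(m):
            value = m.group(0)
            tag = hmac.new(LOCAL_KEY, f"{label}:{value}".encode(), hashlib.sha256).hexdigest()[:8]
            token = f"{label}_{tag}"
            VAULT[token] = value
            return token
        return _sub
    for label, pattern in DETECTORS.items():
        text = pattern.sub(swap(label), text)
    return text


def tokens(text):
    return re.findall(r"[a-z0-9_]+", text.lower())


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[t] * b[t] for t in a)
    na, nb = sqrt(sum(v * v for v in a.values())), sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def hybrid_search(query, chunks, k=60):
    """Reciprocal-rank fusion of a keyword ranking and a vector ranking.
    Term-frequency vectors stand in for a local embedding model here."""
    q = tokens(query)
    kw = sorted(chunks, key=lambda c: -len(set(q) & set(tokens(c["text"]))))
    vec = sorted(chunks, key=lambda c: -cosine(Counter(q), Counter(tokens(c["text"]))))
    fused = Counter()
    for ranking in (kw, vec):
        for rank, c in enumerate(ranking):
            fused[c["id"]] += 1.0 / (k + rank + 1)
    by_id = {c["id"]: c for c in chunks}
    return [by_id[i] for i, _ in fused.most_common()]


def build_request(query, user_roles, top_n=2, budget=300):
    """Access-control pre-filter, hybrid search, minimization, then a boundary check."""
    index = [{"id": d["id"], "acl": d["acl"], "text": pseudonymize(d["text"])} for d in DOCS]
    visible = [c for c in index if c["acl"] & user_roles]   # filter before search, not after
    hits = hybrid_search(pseudonymize(query), visible)[:top_n]
    context = [h["text"][:budget] for h in hits]            # minimized: top-n chunks, char budget
    payload = {"question": pseudonymize(query), "context": context}
    leaked = [v for v in VAULT.values() if v in json.dumps(payload)]
    if leaked:
        raise RuntimeError(f"raw sensitive values in outbound payload: {leaked}")
    return payload


def reidentify(text: str) -> str:
    """Re-identification happens on-prem using the local vault."""
    for token, value in VAULT.items():
        text = text.replace(token, value)
    return text


def fake_bedrock(payload):
    """Stand-in for the Bedrock call: echoes the first PERSON token it was given."""
    m = re.search(r"PERSON_[0-9a-f]{8}", " ".join(payload["context"]))
    return f"{m.group(0)} has an invoice of 9,400 EUR due 2024-05-01." if m else "no match"


def answer(query, user_roles):
    payload = build_request(query, user_roles)
    return reidentify(fake_bedrock(payload)), payload


if __name__ == "__main__":
    reply, sent = answer("What invoice total is due for Alice Johnson?", {"finance"})
    print(json.dumps(sent, indent=2))  # what crosses the boundary: tokens, never the raw values
    print(reply)
```

The boundary check in `build_request` is the control to keep even when everything else is swapped for production components: it compares the serialized outbound request against the local vault and refuses to send if any raw value survived detection. A detector gap (an identifier format the patterns do not cover) still leaks, so the check is a backstop for the detection stage, not a substitute for it.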
People also ask
How can enterprises build a RAG system that keeps sensitive documents on-premises while using cloud AI models like Amazon Bedrock?
This architecture maintains documents and sensitive metadata in a secure on-premises boundary using MinIO and local vector databases, while applying pseudonymization before sending only minimized context to Amazon Bedrock. The retrieval orchestrator enforces access controls and hybrid search locally, ensuring raw data never leaves the secure perimeter while enabling generative AI capabilities for
- Domain: Data Engineering
- Audience: Enterprise security architects designing on-premises RAG systems with cloud AI integration
Generated by Diagrams.so — AI architecture diagram generator with native Draw.io output. Fork this diagram, remix it, or download as .drawio, PNG, or SVG.