About This Architecture
This is an on-premises secure document AI and RAG architecture that keeps sensitive data local while using Amazon Bedrock for generative tasks. Documents remain in MinIO object storage on-prem and flow through document ingestion, OCR, classification, and sensitive data detection before pseudonymization and local embedding. The retrieval orchestrator applies access controls and hybrid search over a local vector database and sends only minimized, pseudonymized context to Bedrock for Q&A, drafting, and reasoning, so raw metadata and full documents never leave the secure boundary. This pattern demonstrates zero-trust data governance for regulated industries that require document confidentiality while gaining AI capabilities. Fork and customize this architecture on Diagrams.so to adapt chunking strategies, embedding models, or access control policies for your compliance requirements.
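
The retrieval-side boundary described above, sketched as an added example (not code from the original page or from Diagrams.so): ranked chunks are filtered by ACL, trimmed, stripped of metadata and pseudonymized before anything would be sent to Bedrock, and the answer is re-identified locally. All function names, the regex detectors (stand-ins for the sensitive data detection stage), the HMAC token format, the key and the sample chunks are assumptions constructed for illustration; no Bedrock call is made.

```python
import hashlib
import hmac
import re

# Constructed key; in a deployment it would live only inside the secure boundary.
KEY = b"constructed-demo-key"
# Stand-in detectors for the sensitive data detection stage (assumption).
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def pseudonymize(text, vault):
    """Replace detected values with keyed tokens; record token -> value locally."""
    for label, pattern in PATTERNS.items():
        def swap(match, label=label):
            digest = hmac.new(KEY, match.group().encode(), hashlib.sha256).hexdigest()
            token = f"[{label}_{digest[:8]}]"
            vault[token] = match.group()
            return token
        text = pattern.sub(swap, text)
    return text

def build_context(chunks, user_groups, vault, max_chunks=2):
    """Access-filter ranked chunks, keep the top few, pseudonymize, drop metadata."""
    allowed = [c for c in chunks if c["acl"] & user_groups]
    allowed.sort(key=lambda c: c["score"], reverse=True)
    return [pseudonymize(c["text"], vault) for c in allowed[:max_chunks]]

def reidentify(answer, vault):
    """Restore original values in the model's answer, inside the boundary only."""
    for token, value in vault.items():
        answer = answer.replace(token, value)
    return answer

# Constructed sample chunks as the local vector database might return them.
CHUNKS = [
    {"text": "Contact jane.doe@example.com about claim 17.", "acl": {"claims"}, "score": 0.91, "path": "claims/17.pdf"},
    {"text": "Employee SSN 123-45-6789 on file.", "acl": {"hr"}, "score": 0.88, "path": "hr/a.pdf"},
    {"text": "Claim 17 was approved in March.", "acl": {"claims", "audit"}, "score": 0.75, "path": "claims/17b.pdf"},
]

if __name__ == "__main__":
    vault = {}
    context = build_context(CHUNKS, {"claims"}, vault)
    print(context)  # the only text that would be sent to Bedrock
    print(reidentify("Write to " + context[0].split()[1] + ".", vault))
```

The keyed HMAC makes tokens stable across chunks, so the model can still reason about "the same person" without seeing the value; the token-to-value vault and the key are what must stay inside the boundary.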