TRUST CENTER

The real-time overlay platform that unifies public safety, built for agencies that own their mission—and their data.

Revelio holds itself to a different posture: every tenant's data is segregated by Aurora cluster, S3 bucket, OpenSearch index, and KMS customer master key inside the AWS GovCloud (US) boundary; all generative AI runs on Amazon Bedrock inside that same boundary with per-prompt audit logs an agency can pull on demand; predictive models train only on data classes an agency has explicitly opted in to share, under federated learning with differential privacy and a published model card for every surface; and a prohibited-class list — person-of-interest content, investigative material, patient data, juvenile records, PCII — is never available for cross-tenant training without separate ethics-review-board approval. CJIS attestation, SOC 2 Type II, StateRAMP, HIPAA BAA, and FirstNet are on a sequenced and publicly tracked roadmap below. The mission this protects is simple: equip first responders with the data they need to come home safely without ever becoming the reason data is used against the public they serve.

WHERE REVELIO IS

Sequenced, dated, and verifiable.

HOW IT'S BUILT

AWS GovCloud (US). Per-tenant by default. Frontier AI inside the boundary.

RTIO runs on AWS GovCloud (US), primary us-gov-west-1, disaster recovery us-gov-east-1. Compute is pooled on a single multi-tenant EKS cluster with per-tenant namespaces, NetworkPolicies, and OPA/Cedar policy enforcement at every service hop. Data is per-tenant: each agency receives its own Aurora PostgreSQL cluster, S3 bucket, OpenSearch index, and KMS customer master key. Generative AI runs on Amazon Bedrock GovCloud — Claude Sonnet as the primary model — with prompts, completions, and citations logged per-tenant to WORM S3. Predictive AI runs on SageMaker with optional federated training across consented tenants. No tenant data ever leaves the GovCloud boundary.

Reference architecture (request via packet)

CROSS-TENANT AI TRAINING

Default off. Per-data-class opt-in. Published.

Permitted classes (opt-in only, default off)

- Fire-behavior outcomes (rate of spread, suppression effectiveness, time-to-control) - ETA estimation (unit-to-incident time, traffic-aware routing) - Resource-recommendation outcomes (units dispatched vs. units needed) - Hazmat / mass-casualty resource scaling - Traffic-congestion patterns (de-identified, aggregated to a 5-minute grid)

Prohibited classes (never used for cross-tenant training without separate ethics-review approval)

- Person-of-interest, suspect, victim, witness, or arrestee data - Investigative content (case files, statements, evidence chain-of-custody) - Patient or medical data (EMS ePCR, hospital handoffs, mental-health calls) - Juvenile, sealed-record, or expunged-record data - Anything tagged PCII (Protected Critical Infrastructure Information)

Governance

Per-tenant, per-data-class opt-in is captured in the MSA and surfaced in the admin UI. Default state is opt-out for every class. An agency may withdraw consent at any time; Revelio commits to retraining without that agency's contribution within 90 days. Federated training jobs run inside each tenant's boundary. Gradients are aggregated through a privacy-preserving aggregator before they reach the global model. Differential privacy: ε = 4.0 default per tenant per training round; cumulative annual ceiling ε = 8.0. An external ethics-review board (academic, agency, civil-liberties seats) reviews the permitted-class list every six months and publishes a summary of decisions.

AI PROVENANCE

One card per AI surface. Versioned. Reviewed.

Every AI surface ships with a public model card describing data classes used, opt-in scope, training cadence, performance metrics on held-out data, known limitations, intended use, and an out-of-scope list. Versioned. Reviewed externally every six months.

Surfaces (model card links go here as they publish): - Incident Summary - Fire-Behavior Prediction - ETA Estimation - Resource Recommendation - Ask Revelio (conversational interface)

AGENCY DATA, AGENCY LOG

Pull the audit trail on demand.

Every prompt, completion, and citation is logged per-tenant to a WORM S3 bucket. Each agency can pull its own audit log on demand, in machine-readable form, with cryptographic integrity proofs. The audit API is documented in the procurement packet.

WHO TOUCHES AGENCY DATA

A short, named list.

RESILIENCE

Quarterly drills. Published reports.

Active-passive disaster recovery between us-gov-west-1 (primary) and us-gov-east-1 (DR). Quarterly failover drill with published report. RTO and RPO targets documented in the procurement packet.

Public safety systems can't break. We perform full failover drills between US-East and US-West GovCloud regions every 90 days. Our RTIO uptime target is 99.995%, and we publish our disaster recovery RTO/RPO targets in every procurement packet.

WHO REVELIO IS

US persons. Fingerprint cleared. Logged sessions.

All Revelio operators are US persons, fingerprint cleared, and access production through privileged-access workstations with session recording. Privileged access requires multi-party approval and is logged to the same WORM S3 store as customer audit data.

RESEARCHERS

Coordinated disclosure.

Security researchers should email security@reveliotech.ai with the issue. The PGP key fingerprint is published here. Revelio acknowledges within one business day and commits to a status update every seven days until resolution.

Need more?

The procurement packet contains the full reference architecture, SOC 2 letter (when issued), AWS GovCloud BAA, FedRAMP package references, sub-processor list, DR drill report, BAA / DPA templates, and the model card index.