Commercial APIs
Permitted workloads, allowlisted per policy.
Deployment & Sovereignty
Katara was built in the EU, for teams whose regulators, customers, and legal counsel care where data lives, which laws reach it, and which models touch it. Choose the boundary. The governance layer is the same everywhere.
Katara keeps the same access control, retrieval permissions, model traffic policy, tool registry, and audit trail in every tier. The only variable is who owns the metal and where the workload is allowed to live.
For most software, hosting is an ops detail. For AI over regulated data, it's a legal surface: GDPR transfer rules, sector data-residency requirements, and non-EU legal reach over foreign-owned cloud providers all turn “where does this run?” into a question your DPO has to answer in writing. Most AI infrastructure vendors are US companies on US hyperscalers, and their answer is a standard contractual clause. Ours is a deployment tier.
| US | EU Data Residency | EU Sovereign | |
|---|---|---|---|
| Multi-tenant, Katara-managed | ✓ Available | ✓ Available | → Q3 |
| Single-tenant, Katara-managed | ✓ Available | ✓ Available | → Q3 |
| Single-tenant, client-managed (on-prem) | → Q4 | → Q4 | → Q4 |
Data residency solves half the problem. If every request still exits to a US model API, your inference layer — prompts, retrieved context, outputs — crosses the boundary your deployment tier was chosen to protect. The Katara AI Gateway is provider-neutral by design: route to commercial APIs where policy allows, and to open-weight models (Mistral, Llama-class, or your own fine-tunes) running inside your boundary where it doesn't. Policy decides per workload; the audit trail records the choice either way.
Permitted workloads, allowlisted per policy.
Models running inside your boundary when policy disallows external inference.
Self-owned model endpoints with the same governance and audit treatment.
The platform records the routing decision so you can explain why each class of workload goes where.
Chunk-level retrieval permissions · policy-checked model traffic · governed tool registry · tamper-evident audit log · exportable evidence for regulatory examination — identical across all three tiers. The only variable is who owns the metal.
No, and we won’t call it that. EU-region hosting on a US-owned provider gives you data residency; it does not remove non-EU legal reach over the provider. That distinction is exactly why the Sovereign EU tier exists. If a vendor uses “sovereign” to describe a hyperscaler region, ask them this question.
We’re finalizing the reference architecture with our early-access partners and will publish the provider and sub-processor list before general availability.
Yes — any OpenAI-compatible endpoint, including self-hosted open-weight models, can sit behind the Gateway with the same policy and audit treatment.
Katara AI is built and operated from Barcelona, Spain.
Share your residency, sovereignty, or deployment constraints and the workflow you need to govern. We'll come back with the tier, the architecture, and the evidence trail it produces.