Designing for the air gap

Some of our earliest users run networks that have never touched the internet and never will — defence ranges, industrial sites, labs handling things that must not leak. Serving them forced a discipline that, it turns out, makes the platform better for everyone.

The rule: assume nothing about connectivity

Every feature has to work on a network where "just download it" is not a sentence. That means the installer carries everything it needs; updates arrive as files you bring, verified by checksum; licensing works without activation servers; and there is no telemetry — not "anonymised", not "opt-out". None.

What the discipline buys connected users

• No surprise dependencies. A platform that can't assume the internet can't quietly grow a dependency on someone else's cloud service staying up.
• Privacy by construction. You can't leak what you never collect.
• Honest documentation. When users can't search a forum, the docs have to actually answer the question. That bar helps everyone.

Operating disconnected, concretely

Updates are staged onto the update hub — a directory of files you can mirror with a USB drive — and rolled out node by node by the lifecycle manager. Monitoring is built in and stores its own history. Backups, replication and recovery plans all run inside your own perimeter. The security guide covers the rest of the high-assurance posture: enforced MFA, custom roles, audit trails that forward to your SIEM.

If your environment is connected, all of this is still true — it just feels like a platform that respects you.