Multi-region, privacy-first infrastructure. Designed to be deleted.
The CIRIS infrastructure is meant to be temporary. Every part of it is built knowing it will be retired once the peer-to-peer network meant to replace it is ready. That is the plan, not an accident. We avoid anything that ties CIRIS to one company, or that assumes a central hub has to exist forever.
This is the hosted path: the two rented regions below keep CIRIS free for everyone today. Run a small model on your own device and you skip them entirely. The substrate that replaces them is CEWP.
The US site and the EU site reach the internet two different ways, so no single failure can take both down.
Keeps CIRIS running without ads and without selling your data.
Passes requests to the AI model. Your conversations are never stored.
The database. Both regions keep matching copies, and either one can be written to.
CIRIS runs on ordinary Android phones, answering in about 15 to 20 seconds, with the whole app under 100 MB.
Being honest is cheap. Keeping a lie going is expensive. An honest agent can point back at what it already said. A lying agent has to keep every past record lined up, and that gets harder over time.
Both regions handle real traffic at the same time, so neither is a single point of failure. Each has its own web address. If one region goes down, people can switch to the other right away, with no waiting.
One US company (Vultr) and one German company (Hetzner), under two different countries' laws. No single company can take CIRIS down, and because nothing is locked to either one, we can switch if their prices or policies change.
US traffic goes through Cloudflare, which absorbs attacks and speeds things up. EU traffic connects straight to Hetzner. Splitting it this way means no single failure can take both down: if Cloudflare has trouble, the EU site still works.
For money data, like credit balances and payments, a person makes the call to switch regions, not an automatic script. This avoids the case where both regions think they are in charge at once. When money is involved, careful beats clever.
The infrastructure follows the safety policy: “Fix it if we can. Pause only if we cannot.”
Stops the whole service across both regions. The database is kept safe. A clear written reason is required.
Pauses one region while the other keeps serving. Used for a problem that only affects one place.
Trust artifacts are public AGPL-3.0 in the CIRISBridge repository: SECURITY.md, OPERATIONS.md, and 26 named Ansible runbooks (incident-response, intrusion-response, cert-rotate, backup-verify, e2e-smoke-test, image-update, disk-cleanup, billing-rollback, add-region, and others). The repository itself is also public: CIRISAI/CIRISBridge.
Every CIRIS component uses the GNU Affero General Public License v3.0. This isn't just "open source". It's network copyleft. If anyone modifies CIRIS and offers it as a service, they must release their modifications under the same license.
Every component of CIRIS infrastructure is open source under AGPL-3.0. You can audit our claims, reproduce our setup, or fork it, and if you serve it to others, you share your improvements.
"This infrastructure exists to be deleted. That is the whole point."
CIRIS: Accountability Infrastructure for Autonomous AI
© 2025-2026 Eric Moore and CIRIS L3C | AGPL-3.0 License