Skip to main content
RAM Forensics · Canary Protocol · Minerva Protocol

Your AI says it forgot.
We check the bytes.

Your AI processed sensitive data. It claims to have purged it. Scanalis verifies this physically : byte by byte. RAM · Memorization · Anonymization. GDPR Art.5(2) · AI Act Art.12 · DORA Art.25.

AMNESIA_CONFIRMED: Physical erasure verified
AMNESIA_FAILED: Memory residues detected
MINERVE_EXPOSED: Memorization detected
ANON_LEAK: Pseudonymization compromised
8
cryptographic canary tokens injected per session
4
RAM zones scanned byte by byte
SHA-256
sealed report, offline-verifiable by any third party
3
independent protocols: Canary · Minerva · Anonymization
Market context

The blind spot nobody audits yet

When an LLM processes personal data, it is decrypted and placed in plaintext in volatile memory. The system then declares it has purged. Nobody verifies.

Data lifecycle inside an LLM
🔐
Transit
TLS 1.3
✓ Encrypted
RAM
PLAINTEXT
⚠ Exposed
🗑️
del()
declared
? Unverified
Scanalis intervenes here, after del() to verify what physically remains
⚖️

AI Act Art. 12: August 2026

Full enforcement requires event logging for high-risk AI systems. Documentation describes processes. It does not document actual physical execution. The gap is operationally critical.

→ Scanalis documents this actual execution.

🔒

GDPR Art. 5(2): Accountability

The burden of proof lies with the data controller. Your DPA contractually guarantees purge. It does not document actual execution. The distinction is operationally critical.

→ The Scanalis report documents this actual execution.

🏦

DORA Art. 25: ICT Resilience

Financial institutions must verify the ICT resilience of their third-party providers. LLMs are now ICT providers. Their volatile memory has never been audited.

→ First forensic RAM audit for LLMs in finance.

💡

90% of AI funding applications rejected

AI project holders struggle to secure funding without technical proof of compliance execution. The Canary Report is the missing justification document.

→ Documented ROI up to x143.

Positioning

Complementary to every existing tool

No tool covers what Scanalis audits. Zero direct competitor on forensic RAM proof for LLMs in France.

ToolWhat it coversPost-purge LLM RAM
DLP for LLM
Blocks what enters before processing
Not covered ✗
Big Four / Audit
Verify declarations and policies
Not covered ✗
Penetration Testing
Finds entry points
Not covered ✗
ISO 27001 / HDS
Certifies security governance
Not covered ✗
AI Proxy / LLM DLP
Governs real-time data flows in and out
Post-session ✗
Scanalis
Proves physical purge of RAM post-session LLM
Only tool ✓
Exact scope

What Scanalis can verify, and what it cannot

Transparency about limits is the foundation of trust.

Direct scope

Self-hosted LLM (Ollama, vLLM, llama.cpp), dedicated VPC, private cloud, on-premise. Anywhere your technical team can generate a memory dump of the process.

→ Full Canary Protocol: direct forensic verdict.

Partial scope

Third-party SaaS cloud (OpenAI, Anthropic, Mistral API). Scan covers the client-side orchestration layer: middleware, RAG, application cache, vector store.

→ Minerva Protocol via API + architectural assessment.

Out of scope

The SaaS provider's server memory, the vendor's GPU buffers, their internal logs and retention mechanisms. This perimeter is explicitly documented in every report.

→ Every report documents its limits. That's a guarantee, not a gap.

Method

3 protocols. 3 verdicts. 0 declarations.

Each protocol answers a precise question. Every verdict is binary, cryptographically sealed, offline-verifiable.

MINERVA PROTOCOL
🧠
Memorization
Has the model retained training data it shouldn't know?
35 probes · 7 categories
then
ANONYMIZATION MODULE
🔍
Pseudonymization
Is your anonymization leaking into volatile memory?
Pseudo ↔ original pairs
then
CANARY PROTOCOL
🔬
RAM Persistence
Was data physically erased from memory?
8 tokens · 4 RAM zones
Canary Protocol — RAM Persistence

Has data physically disappeared from memory?

Injection of 8 cryptographic tokens via standard API. Purge triggered. RAM scanned byte by byte, application heap, Linux page cache, swap space, kernel buffers. No agent installed. No SSH access. You generate the dump. Scanalis scans.

  • ABaseline fingerprint before injection : cryptographic reference
  • B8 canary tokens injected via API : email, IBAN, health PII, company ID, biometrics...
  • CClient purge triggered : Scanalis observes without intervening
  • D4-zone scan · Aho-Corasick engine · under 90 seconds
AMNESIA_CONFIRMED AMNESIA_FAILED
For the CISO: GDPR Art.32 · AI Act Art.12 · offline-verifiable: openssl dgst -sha256
Minerva Protocol : Memorization

Does the model carry data it should not know?

35 behavioral forensic probes via standard API. Behavioral profile by GDPR category. Variance score 0–100 (biased training detection). Not to retrain, to decide, document, negotiate.

  • 1Documented GO/NO-GO before import into sensitive zone
  • 2Behavioral profile : 7 detailed GDPR categories
  • 3Behavioral integrity score : variance 0-100
MINERVE_EXPOSED MINERVE_NOT_DETECTED
Anonymization Module : New

Your pipeline pseudonymizes "John Smith" to "J*** S*****" before the LLM call. Scanalis verifies that "John Smith" does not appear anywhere in RAM after processing.

ANON_VERIFIED ANON_LEAK ANON_PARTIAL
For the DPO: GDPR Art.5(1)(c) data minimization · Art.25 Privacy by Design · proof that pseudonymization holds at the physical level
How it works

The 5-step workflow

From contract to report delivery, every step is documented, traceable, and offline-verifiable.

Choose what you want to verify
🔬
RAM Persistence
Does my LLM actually purge?
→ Canary Protocol
🧠
Memorization
Has my model retained training data?
→ Minerva Protocol
🔏
Anonymization
Is my pseudonymization leaking in RAM?
→ Anon Module
Full Audit
Memorization → Anon → Persistence
→ Recommended
You choose your need. The proof level and pricing follow. You never choose a tier number.
01
Contracting: complete legal kit
5 documents signed before any data exchange: service contract, GDPR Art. 28 DPA, technical access authorization (criminal shield Art. 323-1), bilateral 5-year NDA, certified destruction procedure.
Legal kit 5 documents
02
Receipt of memory dump generated by the client
The client generates the dump via gcore or procdump on their infrastructure. Scanalis never accesses the system directly. Non-intrusive by design, zero additional attack surface.
gcore / procdump, client-generated
03
Canary token injection and purge trigger
8 cryptographic tokens injected via the LLM's standard API. Declared purge triggered. Post-purge dump captured. No connection to client infrastructure.
Standard API · No SSH · Agentless
04
Forensic scan: 4 memory zones
Byte-by-byte analysis of application heap, Linux page cache, swap space, and kernel buffers. IPE (Exposure Probability Index) computation. Minerva extraction on 35+ probes for full audit.
Heap · Page cache · Swap · Kernel buffers
05
Sealed forensic report: delivery and destruction
PDF report per agreed scope. SHA-256 sealed (offline-verifiable with openssl). RSA-PSS 2048-bit signed. RFC3161 timestamped by independent TSA. Client data destruction certified within 15 days.
SHA-256 · RSA-PSS · RFC3161 · shred -vfz -n 3
Engagement

One mission. Your perimeter. Tailored.

Every AI system is different. Every Scanalis mission is built with you, scope, stack, criticality level, applicable regulations.

FORENSIC RAM AUDIT : LLM

Does your LLM actually forget?

Scanalis produces the forensic documentation that your AI system has physically erased data after processing. SHA-256 sealed report, offline-verifiable.

The engagement includes
  • Canary Protocol: post-session RAM scan, 4 zones, binary verdict
  • Forensic transparency score: your model's auditability / 5
  • GPU/VRAM architectural assessment: documented risks
  • RFC 3227 evidence chain: every step timestamped
  • Sealed report: SHA-256 + RSA-PSS + RFC3161
  • "Explicit verdict limits" section: page 1 of every report
  • Legal kit : 5 documents: NDA, DPA Art.28, Technical Authorization
You provide
  • Post-purge memory dump (gcore / procdump), generated by your team
  • API endpoint + temporary token
  • Designated technical contact
Describe my system →
Option · Memorization

Minerva Protocol

Before importing a model into a sensitive zone, know what it carries. 35 forensic probes, 7 GDPR categories, behavioral profile, variance score. Documented GO / NO-GO.

Verdict → MINERVE_EXPOSED / NOT_DETECTED

Option · Anonymization

Anonymized dataset certification

Before training or fine-tuning an LLM on sensitive data, forensically certify that the anonymized dataset is clean and the model has not re-memorized identifying patterns.

5 phases · Phases A→E · Forensic attestation

Option · Monitoring

Annual surveillance contract

Every model update or new deployment triggers a new audit. Forensic attestation renewal. Monthly regulatory monitoring. 48h technical hotline.

Quarterly · Structural recurrence

Pricing

Each mission is quoted based on perimeter, number of LLMs, data criticality, and activated options. Describe your system in a few lines, I'll respond within 48h with a tailored proposal.

Technical report
SHA-256 sealed PDF · Binary verdict · Hex dumps · Transparency score
✓ DPO: internal accountability file
✓ CTO/IT: technical team validation
✓ Grant applications: missing justification
Legal-grade compliance proof
SHA-256 + RSA-PSS 2048-bit + RFC3161 TSA · Offline-verifiable
✓ CISO / RSSI: proof for regulators
✓ Investors: AI due diligence
✓ Litigation: certified forensic evidence
📏
The 10-second ROI test
If the data your LLM processes represents more than a few thousand dollars in damages if extracted, the audit pays for itself. One medical record. One bank account number. One contract. A GDPR fine on health data can reach hundreds of thousands of euros. Under the AI Act, the personal liability of executives is directly engaged.
Engine security

Scanalis audits others. Its engine is held to the same standard.

Red team completed. 18 vulnerabilities identified and corrected. 65 validation checks passed. DPIA completed. The code that verifies others' amnesia proves its own rigor.

Non-intrusive by architecture
Contractual guarantee · Document 3
No agent. No SSH. No source code access. The client generates their own dump (gcore / procdump). Scanalis analyzes on a disconnected machine. This is structural, not a promise.
Internal red team · 18 fixes
Engine v3.5-RT · 65/65 checks
Full offensive audit before production: SSRF, path traversal, RSA passphrase, token via environment variable. Aho-Corasick engine (parallel multi-pattern scanning). SecureBuffer with ctypes.memset() Scanalis wipes its own memory footprint after every audit.
SHA-256 + RSA-PSS 2048-bit
Nominal signature · Encrypted key at rest
Every report is sealed and signed personally by Mathilde De Roumilly. The RSA private key is encrypted (mandatory passphrase). The SHA-256 hash is offline-verifiable by any third party with openssl in a single command.
RFC3161 · Independent TSA
Independent timestamping · Offline-verifiable
An independent third party certifies that the report existed in this exact state at this date. Cannot be backdated. Verifiable: openssl ts -verify. More robust than SHA-256 alone.
Evidence Chain · RFC 3227
Chain of custody
Every step (dump received → hash verified → canaries injected → scan executed → verdict produced → seal generated) is timestamped and cryptographically linked to the previous one. Altering one step invalidates the entire chain.
DPIA completed · GDPR Art.35
DPA Art.28 · 5 legal documents
Data Protection Impact Assessment completed on Scanalis itself. Dump destruction within 20 days (shred -vfz -n 3 · NIST SP 800-88 Rev.1). Cyber professional liability insurance Hiscox. 5 indissociable contract documents.
Field references

What those who dug deep have to say.

Not paid editors. Not contractual partners. Independent experts who asked the hard questions and received honest answers.

🔬

Cybersecurity expert · MedTech network

"What sets Scanalis apart: the verdict's limits are documented on page 1 of every report. A CISO or ANSSI auditor recognizes that posture immediately."

→ Chief AI Security Architect · May 2026

⚕️

DPO · Digital health sector

"Have you done a DPIA? A technical audit of the solution? That's exactly what our prospects will ask. The fact that you have the answers changes everything."

→ GDPR Compliance Officer · May 2026

🛡️

CEO AI security deeptech

"Our company protects models against extraction. Scanalis verifies what the model retains after processing. These are two orthogonal surfaces, the complementarity is obvious."

→ Partnership in progress · May 2026

💬

Senior cybersecurity expert · LinkedIn

"On RFC3161: a qualified eIDAS TSA will hold up better under legal challenge. Curious to see what v3.5 delivers in real conditions."

→ Public comment · Feedback integrated in v3.5

🏛️

Head of Sales · Tech agency · Cyber network

"RAM purge in sovereign LLMs is a real requirement for certain Defense actors, to be 100% certain that data won't bleed across sessions."

→ LinkedIn · 2026

🌐

Institutional cybersecurity · Brittany

"In our network, nobody covers the forensic post-purge layer for LLMs today. This isn't a competitor to what exists, it's the missing link."

→ Strategic meeting · May 2026

📊

B2B SaaS product strategy expert

"I find the topic serious and differentiated. The key challenge is pedagogy and clarifying the exact scope of the solution."

→ UX/positioning audit integrated in this version · May 2026

Regulation

What CISOs, DPOs, and CTOs must prove

Not recommendations. Laws with your name on them. Deadlines that are coming.

GDPR
Art. 5(1)(e) + Art. 5(2) + Art. 32
Storage limitation + accountability + security measures appropriate to the state of the art
AI Act
Art. 10 + Art. 12: August 2026
Data governance + actual execution logging = full enforcement imminent
DORA
Art. 25 + Art. 28
ICT resilience of third-party providers: LLMs in scope since 2024
NIS2
Art. 21
Appropriate security measures at the 2026 state of the art
HDS 2024
Health data hosting
HDS certifies the host. Not the LLM's amnesia. Scanalis fills this regulatory gap.
ANSSI
35 AI recommendations 2024
Rec. n°23: AI security audit before deployment and after major update
Frequently asked questions

What DPOs, CISOs, and CTOs ask

Scanalis's Canary Protocol injects 8 cryptographic canary tokens into the LLM via its standard API, triggers the declared purge, then scans volatile memory byte by byte across 4 zones (application heap, Linux page cache, swap space, kernel buffers). The verdict is binary: AMNESIA_CONFIRMED if physical erasure is effective, AMNESIA_FAILED if personal data residues are detected with their exact memory address and hex dump.

Four memory zones can retain residues after declared purge: the application heap (Python/Node dynamic allocations), the Linux page cache (data maintained by the kernel for I/O optimization), the swap space (RAM extension on disk during load peaks), and kernel buffers (system zones not accessible to the application but forensically readable). These residues can persist for tens of minutes after session close.

Neither. Scanalis is a technical trusted third party that produces verifiable forensic documentation. Like a testing laboratory: we produce the technical result, you interpret it with your DPO or legal counsel. The report documents the actual execution of the purge, it does not certify regulatory compliance.

No. Scanalis is non-intrusive by design. No agent installed on your servers. No SSH access. No access to source code or model weights. The memory dump is generated by your teams (gcore or procdump) and transmitted securely. Scanalis interacts only via your LLM's standard API, exactly like your own application.

No. HDS certifies the health data host. ISO 27001 certifies governance. Neither specifies forensic audit of the volatile memory of LLMs post-session, this concept did not exist when they were written. AI Act Art. 12 (August 2026) will create this obligation for actual execution proof that neither HDS nor ISO 27001 covers.

Sovereign hosting covers the physical storage location, not what the software does with data once inside. If your model is of American origin (GPT-4, Claude, Llama...), the CLOUD Act applies regardless of server location. And regardless of the model, RAM persistence post-purge is independent of geography: it's physics, not law.

No. DLPs block what enters the LLM before processing. Scanalis verifies what remains in RAM after processing. Two complementary layers. A system can have the best DLP on the market and still retain personal data residues in volatile memory post-purge, these are two distinct problems on the processing chain.

Your report belongs to you, SHA-256 sealed, any modification invalidates the hash, verifiable by any third party with openssl in 30 seconds. Your client data (memory dump, questionnaire) is destroyed within 20 calendar days via shred -vfz -n 3 (3-pass NIST SP 800-88 Rev.1), with a signed destruction attestation delivered with the report. Scanalis holds Cyber Professional Liability insurance from Hiscox SA.

Partially. For SaaS LLMs hosted by the vendor (OpenAI, Anthropic, Mistral cloud), Scanalis cannot scan the vendor's server RAM, nobody can. However, the Minerva Protocol applies via the public API to detect what the model memorized during training. And the Canary scan applies to the client-side orchestration layer middleware, local RAG, application cache, vector store. Every report explicitly documents this scope and its limits. That's a guarantee, not a gap.

ISO 27001 certifies governance. HDS certifies the host. Scanalis verifies physical execution. These certifications describe what you planned to do. Scanalis documents what actually happened in volatile memory after processing, a layer that neither ISO 27001 nor HDS specifies, because this concept didn't exist when they were written.

Scanalis doesn't do anonymization, it verifies that yours works at the physical level. Your pipeline transforms "John Smith" to "J*** S*****" before the LLM call. Scanalis verifies that "John Smith" doesn't appear in plaintext in volatile memory after processing, even if only the pseudonymized version was sent to the model. Three possible verdicts: ANON_VERIFIED (no leak), ANON_LEAK (original data in RAM), ANON_PARTIAL (leak in the pseudonymization pipeline itself, before the LLM).

Three reasons. Production LLMs are recent: 2022–2023. The regulation creating the obligation just came into force: AI Act 2024, full enforcement August 2026. And combining forensic RAM expertise with operational LLM mastery in the same place is exceptionally rare. This isn't an oversight. It's a window that just opened.

The proof your DLP cannot produce.

Three questions. Which LLM? What data? What proof level do you need internal DPO / regulator / investor? I'll respond within 48h with a tailored proposal.

3 audit slots per month · Mathilde runs every scan · Mathilde signs every report