How it works
Hardware-attested EU enclave
Inference runs on confidential-computing hardware (AMD SEV-SNP) hosted in the EU. Before a single prompt is sent, the enclave cryptographically proves its identity and integrity through remote attestation. If the hardware or software were tampered with, the connection simply refuses to open.
End-to-end encrypted prompts
Your prompts and the model's responses are encrypted all the way into the enclave's memory — encrypted in transit and in use. The infrastructure operator (including us and the hosting provider) cannot read them. Decryption happens only inside the sealed enclave.
Stays in the EU. Never trains a model.
No prompt is sent to OpenAI, Anthropic, or any US provider. Nothing is logged in clear text, nothing is retained beyond the request, and nothing is ever used to train, fine-tune, or evaluate a model.
What runs confidentially
When Confidential AI is enabled for your workspace, these features run entirely inside the enclave:
Standard vs. Confidential AI
| | Standard tier | Confidential AI |
|---|---|---|
| Where AI runs | EU + US providers (OpenAI, Anthropic) under EU SCCs | Hardware-attested EU enclave only |
| Who can read your prompts | Provider, under API terms (no training on your data) | No one — sealed and encrypted in use |
| Model training on your data | Never | Never |
| Data residency | EU storage; inference may use a US region | EU only, end to end |
| Best for | Most teams — fast, top-tier frontier models | Data-sovereignty mandates, BaFin, public sector, defense |
Built for teams that can't send data anywhere
Financial services & BaFin
DORA and supervisory expectations around data sovereignty and ICT third-party concentration risk.
Public sector & defense
Citizen or classified data that cannot leave national or EU boundaries — by policy or by law.
Healthcare & life sciences
Special-category data under Art. 9 GDPR, where every processor in the chain is scrutinised.
Critical infrastructure (NIS2)
Operators that must minimise third-country exposure across their entire toolchain.
Questions
Which models power Confidential AI?
EU-hosted open-weight models running inside the enclave, via our confidential-computing partner Edgeless Systems (Privatemode). We validate them against the same compliance tasks as our standard tier before enabling them.
What exactly runs in the enclave today?
Today: policy and document generation, the AI assistant, framework classification, citation verification, and risk/vendor analysis. Vector-search indexing currently uses our standard EU-SCC provider and is on the roadmap to move into the enclave. We'll always tell you precisely what is covered for your audit file.
How is this different from your standard setup?
On the standard tier, your data is never used to train a model, and we're moving both providers onto a zero-data-retention configuration (see our AI Processing Statement). Confidential AI removes the need to trust a contract at all: the hardware cryptographically guarantees that no one — not the provider, not us — can access your prompts.
Is it available today?
Yes — Confidential AI is available now for enterprise and regulated customers. It's enabled per workspace. Talk to us and we'll switch it on and provide the attestation and DPA documentation for your audit file.
Does it slow things down or reduce quality?
Inference runs on production GPU enclaves; for compliance generation and analysis the difference is negligible. The standard tier remains available for teams that prefer the latest frontier models.
Bring your compliance AI fully into the EU.
We'll enable Confidential AI for your workspace and hand you the attestation and DPA paperwork your auditor will ask for.