Cordon is our private inference engine. The goal is simple to state and hard to build: no data, query, model weight, or result should cross your perimeter. We pursue that as technical constraints enforced from silicon upward, not a promise written into a policy.
The client holds all keys. The vendor cannot decrypt, observe, or read.
Containment · Verifiability · Sovereignty · Auditability
signed response
Trust is rooted in hardware and carried through the boot chain to the application. Each layer is independently verifiable, so a break in one does not quietly become a break in all of them.
by the client
Every operational key is derived from a master key you hold. The vendor never sees it, and no derived key is released without valid attestation of the exact system requesting it.
verifiable offline
Every query, response, and key operation is written to an append-only, Ed25519-signed, Merkle-chained log. It is client-verifiable offline, so you can prove what ran without trusting us to tell you.
- →Offline-verifiable, tamper-evident log
- →Covert-channel detection on every response
- →Timing normalisation to prevent side channels
properties
Containment
Inference happens inside a verifiable boundary. Nothing enters except authenticated queries, and nothing exits except signed responses.
Verifiability
The client can cryptographically check that the model running is the one provisioned, unmodified, from firmware to application.
Sovereignty
The client holds all keys. The vendor cannot decrypt weights, observe queries, read logs, or push updates without authorisation.
Auditability
Every inference and key operation is recorded in an append-only, cryptographically chained log that no party can alter.
sovereign cloud
Run the model where nothing can escape.
We are targeting compliance across FIPS 140-2 L3/L4, Common Criteria EAL4+, FedRAMP High, ITAR, and NSA CSfC. Tell us your environment and we will map Cordon to it.