[CRD] · IN DEVELOPMENT
Private Inference Engine

Cordon is our private inference engine. The goal is simple to state and hard to build: no data, query, model weight, or result should cross your perimeter. We pursue that as technical constraints enforced from silicon upward, not a promise written into a policy.

  • Security layers: 7
  • Tamper probability: 2⁻²⁵⁶
  • FIPS L3 / L4 HSM
  • Egress paths: 0

The client holds all keys. The vendor cannot decrypt, observe, or read.

Containment · Verifiability · Sovereignty · Auditability

01 Defence in depth: Silicon to signed response

Trust is rooted in hardware and carried through the boot chain to the application. Each layer is independently verifiable, so a break in one does not quietly become a break in all of them.

CRD · ARCHITECTURE
L0 Hardware root of trust
L1 Perimeter & ingress
L2 Trusted execution environment
L3 Secure model store
L4 Inference engine
L5 Response pipeline
L6 Audit & observability

02 Key hierarchy: Held only by the client

Every operational key is derived from a master key you hold. The vendor never sees it, and no derived key is released without valid attestation of the exact system requesting it.

CRD · KEY DERIVATION
CLIENT MASTER KEY (CMK) never leaves the client HSM
K_bundle = HKDF(CMK, "BUNDLE:{bundle}:{client}")
K_shard_n = HKDF(K_bundle, "SHARD:{n}")
K_session = HKDF(CMK, "SESSION:{deploy}:{client}")
K_log = HKDF(CMK, "LOG:{deploy}:{client}")
K_admin = HKDF(CMK, "ADMIN:{deploy}:{client}")
no key is released without valid attestation.
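
The derivation tree above, worked through as an added example (not Cordon's own code). It assumes HKDF-SHA-256 with an empty salt and 32-byte keys, none of which the page specifies; the `label` helper, the identifier values and the in-memory CMK are constructed for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256  # assumption: the page does not name the HKDF hash


def hkdf(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF per RFC 5869: extract a PRK from ikm, then expand it under info."""
    hash_len = HASH().digest_size
    if length > 255 * hash_len:
        raise ValueError("HKDF output is limited to 255 hash blocks")
    # Extract: an absent salt is treated as hash_len zero bytes.
    prk = hmac.new(salt or bytes(hash_len), ikm, HASH).digest()
    # Expand: T(i) = HMAC(PRK, T(i-1) || info || i)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def label(purpose: str, *parts: str) -> bytes:
    """Build 'PURPOSE:a:b', rejecting ':' in parts so scopes cannot collide."""
    for part in parts:
        if not part or ":" in part:
            raise ValueError(f"bad identifier in {purpose} label: {part!r}")
    return ":".join((purpose, *parts)).encode()


def derive_hierarchy(cmk: bytes, client: str, deploy: str, bundle: str,
                     shards: int) -> dict[str, bytes]:
    """Derive the key tree shown above from one client master key."""
    k_bundle = hkdf(cmk, label("BUNDLE", bundle, client))
    keys = {"K_bundle": k_bundle}
    for n in range(shards):  # shard keys hang off K_bundle, not the CMK
        keys[f"K_shard_{n}"] = hkdf(k_bundle, label("SHARD", str(n)))
    for purpose in ("SESSION", "LOG", "ADMIN"):
        keys[f"K_{purpose.lower()}"] = hkdf(cmk, label(purpose, deploy, client))
    return keys


if __name__ == "__main__":
    cmk = bytes(range(32))  # constructed stand-in; a real CMK stays in the HSM
    for name, key in derive_hierarchy(cmk, "acme", "prod-1", "model-a", 2).items():
        print(f"{name:10s} {key[:8].hex()}...")
```

Because the labels are colon-delimited, an identifier containing `:` would let two different scopes produce the same HKDF info string, which is why `label` rejects it.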

03 Audit & observability: Signed and verifiable offline

Every query, response, and key operation is written to an append-only, Ed25519-signed, Merkle-chained log. It is client-verifiable offline, so you can prove what ran without trusting us to tell you.

  • Offline-verifiable, tamper-evident log
  • Covert-channel detection on every response
  • Timing normalisation to prevent side channels

04 What we build toward: Four properties

01 Containment

Inference happens inside a verifiable boundary. Nothing enters except authenticated queries, and nothing exits except signed responses.

02 Verifiability

The client can cryptographically check that the model running is the one provisioned, unmodified, from firmware to application.

03 Sovereignty

The client holds all keys. The vendor cannot decrypt weights, observe queries, read logs, or push updates without authorisation.

04 Auditability

Every inference and key operation is recorded in an append-only, cryptographically chained log that no party can alter.

05 Deployment modes: Isolated to sovereign cloud

01 Dark: Zero network (no NIC) · TEE mandatory · FIPS L4 HSM · Highest isolation
02 Island: Private LAN · TEE mandatory · FIPS L3 HSM · Critical infrastructure
03 Vault: Private + management · Multi-tenant · FIPS L3 HSM · Regulated enterprise
04 Sovereign Cloud: Client VPC · Client KMS · Multi-tenant · Private cloud

Run the model where nothing can escape.

We are targeting compliance across FIPS 140-2 L3/L4, Common Criteria EAL4+, FedRAMP High, ITAR, and NSA CSfC. Tell us your environment and we will map Cordon to it.