E2E confidentiality
E2E verifiability
Zero-access architecture
Easy-to-use

Security and encryption in Privatemode

Privatemode is an AI inference service that provides end-to-end confidentiality and verifiability.
This page describes why you need this and how it works.

The problem

Existing AI services may leak your data.

AI surrounded by threats

Prompts are processed in plaintext.

Conventional AI services like OpenAI, Anthropic, or AWS Bedrock don't have technical mechanisms in place to enforce data security and privacy end-to-end. At some point, your prompts and data are inevitably processed in plaintext.

Data gets exposed to insiders and hackers.

When data is handled in plaintext, it is potentially visible to privileged operators, logging systems, and other entities on the AI service's side, as well as to hackers who manage to break into the service.

Risk is too high for sensitive data.

Because of this exposure, many businesses and individuals are reluctant to share sensitive data with conventional AI platforms and are thus missing out on the benefits of cloud-based AI.

The solution

Privatemode protects your data end‑to‑end.

AI protected by Privatemode

Prompts are processed in a shielded environment.

Your data is processed inside a shielded environment powered by confidential computing, a hardware-based technology that keeps data encrypted even during processing in main memory. Prompts and responses stay protected in transit, at rest, and while the model runs on them.

Data protection can be verified.

Remote attestation lets you confirm from afar that the expected code is running inside the enclave before you send any data. You get cryptographic proof of integrity, not just a provider's contractual promise.

Cloud-based AI becomes safe for sensitive data.

With this, you can finally process sensitive data with generative AI. Customer records, contracts, and health information become workable inputs rather than off-limits material.

Foundations

Privatemode runs on Contrast from Edgeless Systems

Contrast is the most advanced platform for confidential computing at scale. Contrast ensures the end-to-end confidentiality and verifiability properties of the Privatemode service.

Architecture diagram of Contrast

Foundations

The three pillars of Privatemode

Three types of encryption

Pillar #1

End-to-end confidential computing

  • Prompts are encrypted client-side with AES-256
  • Prompts stay protected during processing
  • Plaintext is never accessible

Prompts and responses are fully protected from external access. Prompts are encrypted client-side using AES-256 and decrypted only within Privatemode's confidential-computing environment, enforced by AMD SEV-SNP, Intel TDX, and Nvidia Confidential Computing. Inside that environment, data stays encrypted in use, so it never appears as plaintext in main memory.

Cryptographic certificates

Pillar #2

End-to-end attestation and verification

  • CPUs and GPUs issue cryptographic certificates
  • Certificates cover all relevant software
  • Entire Privatemode service can be verified

The CPUs and GPUs enforcing Privatemode's confidential-computing environment issue cryptographic certificates for all software running inside it. With these certificates, the integrity of the entire Privatemode service can be verified before any prompt leaves your machine. Verification happens automatically through the Privatemode Proxy or the web app.

Pillar #3

Zero-access architecture

  • Infrastructure provider cannot see user data
  • Edgeless Systems cannot see user data
  • Model providers cannot see user data

Based on confidential computing, Privatemode is architected so that user data cannot be accessed by the infrastructure provider, the service provider (Edgeless Systems), or other parties such as the vendor of the AI model.

Detailed documentation and public source code

The architecture is documented end-to-end, from the client proxy through the Contrast Coordinator and Secret Service to the AI workers, including the full attestation flow. Reproducible builds and public source code let security and engineering teams verify the design and integrate Privatemode with confidence.

Joint case study

How Privatemode delivers secure AI with confidential computing

FAQ

Technical Details

Frequently asked questions about Privatemode's security and compliance

Privatemode encrypts your data before it leaves your device and keeps it protected even during AI processing. On the client side, the Privatemode proxy manages remote attestation and end-to-end encryption. It encrypts all inference requests and decrypts AI responses, handling all communication with the service. Encryption keys are never shared with anyone outside of your local proxy and the isolated AI worker.
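The order of operations described in Pillar #2 and in the answer above (verify the attestation first, encrypt with AES-256 only afterwards) can be modeled as follows. This is an added example, not Privatemode's or Contrast's code: the `Report` type, the `SealPrompt` function, and the Ed25519 key standing in for the hardware vendor's certificate chain are assumptions, and key establishment with the attested worker is left out.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Report is a simplified, hypothetical attestation report: a measurement of the
// workload, signed by a key that stands in for the hardware vendor's root.
type Report struct {
	Measurement [32]byte
	Signature   []byte
}

// SealPrompt fails closed: it returns ciphertext only if the report is signed by
// the trusted root, carries the expected measurement, and the key is 256 bits.
func SealPrompt(root ed25519.PublicKey, want [32]byte, r Report, key, prompt []byte) ([]byte, error) {
	if !ed25519.Verify(root, r.Measurement[:], r.Signature) || r.Measurement != want {
		return nil, errors.New("attestation failed: prompt not released")
	}
	if len(key) != 32 { // aes.NewCipher would silently accept 16 or 24 bytes
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, prompt, nil), nil // nonce || ciphertext || tag
}

func main() { // constructed sample values: throwaway root key, image name, zero key
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	m := sha256.Sum256([]byte("expected-workload-image"))
	ct, err := SealPrompt(pub, m, Report{m, ed25519.Sign(priv, m[:])}, make([]byte, 32), []byte("prompt"))
	fmt.Println(len(ct), err)
}
```

A report that is validly signed but carries a different measurement is rejected just like a forged one, so a modified workload never receives a prompt.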

Want to see Privatemode in action?

We're happy to show you around and give an overview of what's possible.