Launch HN: Tinfoil (YC X25): Verifiable privacy for Cloud AI

FrasiertheLion | 133 points (19459023) | 23 hours ago

Hello HN! We are Tanya, Sacha and Nate from Tinfoil (https://tinfoil.sh). We host AI workloads and models in the cloud while guaranteeing zero access to, and zero retention of, your data. This lets us run open-source LLMs such as Llama or DeepSeek on cloud GPUs without you having to trust us, or any cloud provider, with private data.

Because AI performs better with more context, we believe that solving AI privacy will unlock even more valuable AI applications, just as TLS on the Internet enabled e-commerce to flourish once people knew their credit card details wouldn't be stolen by someone sniffing packets.

Our backgrounds are in cryptography, infrastructure, and security. Nate and I (Tanya) worked on privacy technology like Tor, and Nate did his PhD at MIT in privacy-preserving encryption. Jules was a PhD student at MIT in trusted hardware and confidential computation. We were not satisfied with band-aid solutions like PII redaction (which can be undesirable in certain cases, like AI personal assistants), or "pinky promise" security through legal contracts such as DPAs. We wanted a solution that replaced trust-based security with provable security.

Running the models locally or on premises is an option, but it can be costly and inconvenient. For the foreseeable future, Fully Homomorphic Encryption is not feasible for LLM inference. Secure enclaves are the next best option. They create an isolated environment that only the software running inside the enclave can access, not the host computer it runs on. This lets us perform LLM inference in the cloud while being able to prove that no one can access the data, not even Tinfoil or the cloud provider. These security mechanisms are implemented in hardware, so the performance overhead is minimal.

Although we (Tinfoil) control the host computer, we have no visibility into the data processed within the enclave. A secure enclave, at its most basic level, is a set of cores that have been reserved, isolated, and locked to create a sectioned-off area. All traffic that leaves the enclave, including memory and network traffic as well as peripheral (PCIe) traffic, is encrypted. This encryption uses secret keys generated within the enclave at setup, and those keys never leave the boundaries of the enclave. A "hardware root of trust" built into the chip lets clients verify the security claims, i.e. that all of these mechanisms are actually in place. Until recently, secure enclaves were only available on CPUs. NVIDIA Confidential Computing has now added these hardware capabilities to its latest GPUs, which allows GPU-based workloads to run inside a secure enclave. Here's a quick overview of how it works:

1. We publish the code that runs inside the secure enclave on GitHub, and publish its hash to a transparency log (Sigstore).

2. Before sending data into the enclave, the client retrieves a signed attestation document, which includes a hash of the enclave's code signed by the CPU manufacturer. The client verifies that signature against the hardware manufacturer's key to prove that the hardware is authentic. It then fetches the source-code hash from the transparency log (Sigstore) and compares it with the hash received from the enclave. This lets the client verify that the enclave runs the code we claim it runs.

3. The client sends the data to the enclave. It is encrypted in transit (TLS) and only decrypted within the enclave.

4. This protected environment is the only place where processing takes place. Even an attacker who controls the host computer cannot access this data. We believe that making end-to-end verifiability a "first class citizen" is crucial. Secure enclaves were traditionally used to remove trust from the cloud provider, not necessarily from the application provider. This is demonstrated by technologies like Azure Confidential VM, which still allows the host to ssh into the VM. Our goal is to remove trust from both ourselves (the application provider) and the cloud provider.
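The client-side checks from steps 1 and 2 above, as an added Go example that is not Tinfoil's code: the attestation report, the vendor key and the transparency-log entry are all constructed stand-ins (real NVIDIA/AMD report formats and Tinfoil's own verifier are assumed to differ), and the example additionally checks that the enclave's TLS key is bound into the report so that step 3's TLS session really terminates inside the attested enclave.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Attestation: constructed, simplified stand-in for the signed enclave report (not Tinfoil's real format).
type Attestation struct {
	Measurement []byte // hash of the code the enclave booted
	TLSKeyHash  []byte // SHA-256 of the enclave's TLS public key, binding it to the report
	Signature   []byte // hardware-vendor signature over Measurement || TLSKeyHash
}

func (a Attestation) signed() []byte { return append(append([]byte{}, a.Measurement...), a.TLSKeyHash...) }

// Issue plays the hardware root of trust: it signs the measurement plus the enclave's TLS key.
func Issue(vendorPriv ed25519.PrivateKey, measurement, tlsKey []byte) Attestation {
	h := sha256.Sum256(tlsKey)
	a := Attestation{Measurement: measurement, TLSKeyHash: h[:]}
	a.Signature = ed25519.Sign(vendorPriv, a.signed())
	return a
}

// Verify runs the client-side checks in the order the post lists them: vendor
// signature, measurement against the transparency-log hash, then TLS key binding.
func Verify(vendorPub ed25519.PublicKey, logHash, tlsKey []byte, a Attestation) error {
	if !ed25519.Verify(vendorPub, a.signed(), a.Signature) {
		return errors.New("report not signed by the hardware vendor key")
	}
	if !bytes.Equal(a.Measurement, logHash) {
		return errors.New("enclave measurement differs from the published code hash")
	}
	if h := sha256.Sum256(tlsKey); !bytes.Equal(a.TLSKeyHash, h[:]) {
		return errors.New("TLS key is not the one bound into the report")
	}
	return nil
}

// Scenario: constructed fixtures for an honest enclave and one that booted different code.
func Scenario() (honest, tampered error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil)
	tlsKey, _, _ := ed25519.GenerateKey(nil) // stand-in for the enclave's TLS public key
	published := sha256.Sum256([]byte("inference-server v1"))
	honest = Verify(vendorPub, published[:], tlsKey, Issue(vendorPriv, published[:], tlsKey))
	booted := sha256.Sum256([]byte("inference-server v1-modified"))
	tampered = Verify(vendorPub, published[:], tlsKey, Issue(vendorPriv, booted[:], tlsKey))
	return honest, tampered
}
```

The order matters: a client that compared hashes before checking the vendor signature would accept a report the host fabricated itself.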

Privacy claims, ours included, should be viewed with skepticism. Verifiability is our answer: hardware and cryptography let you verify that it is private yourself, rather than taking our word for it. Here's a guide that walks you through the verification: https://docs.tinfoil.sh/verification/attestation-architectur….

People use us to analyze sensitive documents, build copilots for proprietary code, and process user data in agentic AI apps without the privacy concerns that previously prevented cloud AI adoption.

Tinfoil is excited to be shared with HN!

* Try the chat (https://tinfoil.sh/chat): it verifies attestation with an in-browser check. Free with limited messages; $20/month for unlimited messaging and additional models.

* Try the inference API (https://tinfoil.sh/inference): an OpenAI API compatible interface. $2 / 1M tokens.

* Take your existing Docker Image and make it end-to-end confidential by deploying it on Tinfoil. Here’s an example of how Tinfoil could be used to run a deepfake detector service that could be securely run on people’s videos: https://www.youtube.com/watch?v=_8hLmqoutyk. Note: This feature does not yet offer self-service.

* Contact us at [email protected] to discuss a different model, a custom application or to simply learn more.

Tell us what you think! We’d love to know about your experiences and new ideas in this area!
