Private AI Data · Compute-to-Data

Compute moves. Data stays.

Sealed at the source. On-chain multi-sig. Only the agreed aggregate leaves the CVM, signed.

data network · 5 sealed sources

data has gravity · compute travels

  • Hospital A · EU-West · sealed · 820k EHR
  • Hospital B · EU-North · sealed · 410k imaging
  • Bank C · US-East · sealed · 12M tx
  • Research D · APAC · sealed · 56k samples
  • Lab E · CH · sealed · 230k assays

analysis CVM · TDX + H100 · cohort risk model (gauges: cpu, gpu, mem)

multi-sig owner · 5 / 5

DstackApp.sol · 0x73c2…be09

signed output: dp-aggregate · ε = 1.5 · ✓ verified

receipt: sig chains TDX root + on-chain DstackApp

sealed at source
attested compute
signed aggregate out

multi-party studies on dstack

Cross-silo cohorts running today.

Each consortium pins a single compose-hash; KMS only releases per-dataset keys when every owner has signed off through the multi-sig DstackApp owner.

Show cohorts with criteria 1 (≥ 3 owners) and criteria 2 (multi-jurisdiction) and criteria 3 (HIPAA / GDPR-grade)

| name | owners | records | criteria 1 | criteria 2 | criteria 3 | status |
|---|---|---|---|---|---|---|
| Cardio-renal cohort study (healthcare research) | 4 | 1.6M | match | match | match | live |
| Cross-bank fraud signals (financial · AML) | 6 | 78M | match | match | partial | live |
| Rare-disease genomics (genomics · research) | 3 | 54k | match | match | match | live |
| Supply-chain risk benchmark (B2B intelligence) | 8 | 12M | match | match | miss | forming |
| ICU readmission cohort (clinical operations) | 5 | 320k | match | match | match | forming |
| Insurance claim adjudication (insurance · ops) | 2 | 4M | miss | miss | partial | forming |

Match / partial / miss reflect on-chain state of each consortium's DstackApp multi-sig vs the criteria.

How it works

Walk through a compute-to-data run from start to finish.

Turn dstack off to see how the central pipeline regains row-level access.

Compute-to-Data on dstack

Sealed data stays at the source · the model travels · approval from multiple owners gates every key release

Step 1 / 5

Sealing at the source

Each owner runs a local sealing CLI: HKDF(kms_root_pubkey, analysis_app_id, analysis_compose_hash, owner_id). It encrypts the dataset and publishes the ciphertext. Owners never send plaintext or keys. Change the recipe → the key no longer matches.

With dstack: Stolen ciphertext is useless. The wrap key is only re-derived inside an attested CVM whose compose-hash matches.

Run multi-party studies wherever your data lives.

CLI · sealing

Each owner runs the local sealing script (HKDF-derived wrap-key bound to the analysis compose-hash). Plaintext never leaves the silo; only ciphertext + a recipe-bound envelope is published.

CLI
$ python seal-dataset.py \
    --owner hospital-A \
    --in cohort-A.parquet
→ HKDF wrap-key derived
→ ./sealed/cohort-A.tar
5.8M rows · 1.2 GB

OWNER UI
compose-hash: 0xa42…d1f
Hospital A: 0x91d…0c4
Hospital B: 0x4ef…7a2
Hospital C: awaiting
2 / 4 quorum · awaiting

Approval console

Owners review the public compose-hash, then sign the multi-sig that owns DstackApp. Threshold-of-N before any key is released.

REST + Sign-RPC

Submit the analysis compose, fetch the signed aggregate. Every response carries a Sign-RPC envelope chained to TDX root + on-chain DstackApp.

API
POST /v1/runs
{ compose, owners }
GET /v1/runs/{id}
200 · sig + payload · verifies on-chain

SDK
from phala.dstack
a = unwrap("A/cohort.tar")
b = unwrap("B/cohort.tar")
m = train(pd.concat([a, b]))
phala.emit_signed(m.summary())  # DP · ε = 1.5

Python in the CVM

Inside the analysis CVM, unwrap_dataset() asks dstack-guest-agent for per-owner keys. Joins, embeddings, and model passes — all in TDX-encrypted memory.

sealed dataset · cohort-A.tar

1.6M rows

owner: hospital-A
analysis-app-id: 0x4f6a…91c0
analysis-compose-hash: 0xa42b…d1f3
wrap-key: HKDF(kms, app, compose, owner)
algo: AES-256-GCM
Sealed · HIPAA · GDPR · never-exits-silo · recipe-bound

Sealed at the source, key derived only on quote match

Each owner's wrap key is HKDF(kms_root, app_id, compose_hash, owner_id). Change the recipe and the key changes — old ciphertext is permanently locked out. The wrap key itself only re-derives inside an attested CVM whose compose-hash matches.
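The recipe binding described in step 1 and in the paragraph above, as an added example (not Phala or dstack code): HKDF-SHA256 over the four inputs the page names, with a check that a changed compose-hash no longer yields the sealing key. The field encoding, the `sealing-example-v1` label, the key-check tag and the use of secret constructed bytes as the KMS root are assumptions; the AES-256-GCM step is left out.

```python
import hashlib
import hmac

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def context(app_id: bytes, compose_hash: bytes, owner_id: str) -> bytes:
    """Length-prefix each field so adjacent fields cannot be re-split."""
    fields = [b"sealing-example-v1", app_id, compose_hash, owner_id.encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def derive_wrap_key(kms_root: bytes, app_id: bytes, compose_hash: bytes, owner_id: str) -> bytes:
    return hkdf_sha256(kms_root, context(app_id, compose_hash, owner_id))

def seal_envelope(kms_root: bytes, app_id: bytes, compose_hash: bytes, owner_id: str) -> dict:
    """Owner side: publish metadata plus a key-check tag, never the key."""
    key = derive_wrap_key(kms_root, app_id, compose_hash, owner_id)
    tag = hmac.new(key, b"key-check", hashlib.sha256).hexdigest()
    return {"owner": owner_id, "app_id": app_id.hex(), "key_check": tag}

def key_matches(kms_root: bytes, envelope: dict, measured_compose_hash: bytes) -> bool:
    """KMS side: derive from the *measured* compose hash, not a claimed one."""
    key = derive_wrap_key(kms_root, bytes.fromhex(envelope["app_id"]),
                          measured_compose_hash, envelope["owner"])
    tag = hmac.new(key, b"key-check", hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, envelope["key_check"])

# Constructed sample values (not real dstack identifiers).
KMS_ROOT = bytes.fromhex("11" * 32)
APP_ID = bytes.fromhex("aa" * 20)
RECIPE_V1 = hashlib.sha256(b"services: {analysis: {image: cohort:1}}").digest()
RECIPE_V2 = hashlib.sha256(b"services: {analysis: {image: cohort:2}}").digest()
ENVELOPE = seal_envelope(KMS_ROOT, APP_ID, RECIPE_V1, "hospital-A")

if __name__ == "__main__":
    print("same recipe :", key_matches(KMS_ROOT, ENVELOPE, RECIPE_V1))
    print("new recipe  :", key_matches(KMS_ROOT, ENVELOPE, RECIPE_V2))
```

Because the derivation takes the compose-hash from the attestation rather than from the envelope, an envelope that merely claims the approved recipe gains nothing.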

DstackApp.sol · 0x73c2…be09

multi-sig
Hospital A: signed · 0x91d…0c4
Hospital B: signed · 0x4ef…7a2
Hospital C: signed · 0xab1…d56
Hospital D: pending
3 / 4 quorum · key release · waiting

Quorum-gated unwrap, on-chain

DstackApp.sol holds the compose-hash. KMS only releases per-owner keys when every required owner has signed off through the multi-sig. Any single owner can revoke globally with one on-chain transaction — no coordination needed.

in production today · 3 live consortia

Compute-to-data, in production.

Cohorts where one breach used to mean everyone’s breach. Now: sealed at source, approved on-chain, signed aggregate out.

01 · healthcare · live

Cardio-renal cohort

4 hospitals · EU + US + CH

Multi-jurisdiction cohort study with on-chain co-approval. The aggregate is signed; the rows are not.

1.6M records

zero rows leave silos · DP-aggregate out

02 · financial · live

Cross-bank fraud signals

6 banks · US + UK + SG + DE

Joint AML model trained without any bank seeing another bank’s ledger. The model file IS the receipt.

78M transactions

k-of-n quorum · Sign-RPC envelope

03 · B2B · forming

Supply-chain risk benchmark

8 vendors · US + EU + APAC

Federated benchmark whose output type is locked to the registered compose. No back-channel exfiltration.

12M records

output type bound to compose-hash

HIPAA-grade

sealed clinical cohorts

GDPR / UK GDPR

data residency preserved

PCI / FFIEC

cross-bank joins on-chain gated

SOC 2 Type II

attested run history

AI solution paths

Use private models where AI works with secrets.

The private-model endpoint is the first entry point. The same privacy building block extends to agents, data flows and training.

LLM API

Private AI inference

Offer OpenAI-compatible model calls where prompts, outputs and customer context need encrypted-in-use protection.

Open solution

  • DeepSeek V3.1 · 128K · $0.27/M input · encrypted
  • Qwen3 Coder · 256K · $0.40/M input · encrypted
  • Llama 3.3 70B · 128K · $0.15/M input · encrypted
  • GPT OSS 120B · 128K · $0.10/M input · encrypted
  • Claude Sonnet 4.5 · 200K · $3.00/M input · encrypted
  • Gemini 2.5 Pro · 1M · $1.25/M input · encrypted

Agents

Private AI agents

Run agents with keys, tools, memory and actions inside a verified runtime instead of a visible automation cloud.

Open solution

Training

Private model training

Adapt models on proprietary data while datasets, gradients, checkpoints and evaluation traces stay inside the boundary.

Open solution

private training run

Observe without exposing weights.

H100 CC

  • 01 dataset · sealed
  • 02 fine-tune · running
  • 03 eval · private
  • 04 checkpoint · verified

loss curve · proof attached · attestation.json

Run compute-to-data

Compute moves. Data stays.

Data is sealed at the source. Multi-sig approval on-chain. Only the agreed aggregate leaves the CVM, signed.

  • 01 Owner-side sealing CLI
  • 02 Multi-sig DstackApp gate
  • 03 Combined CPU + GPU TEE
  • 04 Sign-RPC aggregate output
  • 05 Any owner revokes globally
Private AI Data — Compute-to-Data on TEE GPUs | Phala