Private AI Data · Compute-to-Data

Compute travels. Data stays.

Sealed at source. Multi-sig on-chain. Only the agreed aggregate leaves the CVM, signed.

data topology · 5 sealed sources · data has gravity · compute travels

  • EU-West · sealed · Hospital A · 820k EHR
  • EU-North · sealed · Hospital B · 410k imaging
  • US-East · sealed · Bank C · 12M tx
  • APAC · sealed · Research D · 56k samples
  • CH · sealed · Lab E · 230k assays

analysis CVM · TDX + H100 · cohort risk model

multi-sig owner · 5 / 5 · DstackApp.sol · 0x73c2…be09

signed output · dp-aggregate · ε = 1.5 · ✓ verified

receipt · sig chains TDX root + on-chain DstackApp

sealed at source · attested compute · signed aggregate out

multi-party studies on dstack

Cross-silo cohorts running today.

Each consortium pins a single compose-hash; KMS only releases per-dataset keys when every owner has signed off through the multi-sig DstackApp owner.

Show cohorts with criteria 1 (≥ 3 owners) and criteria 2 (multi-jurisdiction) and criteria 3 (HIPAA / GDPR-grade)

| name | owners | records | criteria 1 | criteria 2 | criteria 3 | status |
|---|---|---|---|---|---|---|
| Cardio-renal cohort study (healthcare research) | 4 | 1.6M | match | match | match | live |
| Cross-bank fraud signals (financial · AML) | 6 | 78M | match | match | partial | live |
| Rare-disease genomics (genomics · research) | 3 | 54k | match | match | match | live |
| Supply-chain risk benchmark (B2B intelligence) | 8 | 12M | match | match | miss | forming |
| ICU readmission cohort (clinical operations) | 5 | 320k | match | match | match | forming |
| Insurance claim adjudication (insurance · ops) | 2 | 4M | miss | miss | partial | forming |

Match / partial / miss reflect on-chain state of each consortium's DstackApp multi-sig vs the criteria.

How it works

Walk a compute-to-data run end to end.

Toggle dstack off to see the central pipeline regain row-level access.

Compute-to-Data on dstack

Sealed data stays at source · the model travels · multi-owner approval gates every key release

Step 1 / 5

Sealing at Source

Each owner runs a local sealing CLI that derives a wrap key as HKDF(kms_root_pubkey, analysis_app_id, analysis_compose_hash, owner_id), encrypts the dataset with it, and publishes only the ciphertext. Owners never ship plaintext or keys. If the recipe changes, the derived key no longer matches.

With dstack: Stolen ciphertext is useless. The wrap key only re-derives inside an attested CVM whose compose-hash matches.

Run multi-party studies anywhere your data lives.

CLI · sealing

Each owner runs the local sealing script (HKDF-derived wrap-key bound to the analysis compose-hash). Plaintext never leaves the silo; only ciphertext + a recipe-bound envelope is published.

CLI

    $ python seal-dataset.py \
        --owner hospital-A \
        --in cohort-A.parquet
    → HKDF wrap-key derived
    → ./sealed/cohort-A.tar
    5.8M rows · 1.2 GB

OWNER UI

    compose-hash   0xa42…d1f
    Hospital A     0x91d…0c4
    Hospital B     0x4ef…7a2
    Hospital C     awaiting
    2 / 4 quorum   awaiting

Approval console

Owners review the public compose-hash, then sign the multi-sig that owns DstackApp. Threshold-of-N before any key is released.

REST + Sign-RPC

Submit the analysis compose, fetch the signed aggregate. Every response carries a Sign-RPC envelope chained to TDX root + on-chain DstackApp.

API

    POST /v1/runs
    { compose, owners }
    GET /v1/runs/{id}
    200 · sig + payload · verifies on-chain

SDK

    from phala.dstack
    a = unwrap("A/cohort.tar")
    b = unwrap("B/cohort.tar")
    m = train(pd.concat([a, b]))
    phala.emit_signed(m.summary())  # DP · ε = 1.5

Python in the CVM

Inside the analysis CVM, unwrap_dataset() asks dstack-guest-agent for per-owner keys. Joins, embeddings, and model passes — all in TDX-encrypted memory.

sealed dataset · cohort-A.tar

1.6M rows

    owner                   hospital-A
    analysis-app-id         0x4f6a…91c0
    analysis-compose-hash   0xa42b…d1f3
    wrap-key                HKDF(kms, app, compose, owner)
    algo                    AES-256-GCM

Sealed · HIPAA · GDPR · never-exits-silo · recipe-bound

Sealed at source, key derived only on quote-match

Each owner's wrap key is HKDF(kms_root, app_id, compose_hash, owner_id). Change the recipe and the key changes — old ciphertext is permanently locked out. The wrap key itself only re-derives inside an attested CVM whose compose-hash matches.
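
The recipe binding described here and in step 1 (Sealing at Source), as an added example that is not Phala's or dstack's own code. Assumptions: the root input is treated as opaque shared key material (the page does not say how owner and KMS arrive at it), and the length-prefixed context encoding, the salt label, the envelope layout and the HMAC key-check standing in for the AES-256-GCM tag are all hypothetical.

```python
import hashlib, hmac, struct

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_wrap_key(root: bytes, app_id: bytes, compose_hash: bytes, owner_id: str) -> bytes:
    # Length-prefix every field: plain concatenation would let two different
    # (app_id, compose_hash, owner_id) tuples produce the same info string.
    fields = [app_id, compose_hash, owner_id.encode()]
    info = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return hkdf_sha256(root, b"seal-example-v1", info)  # salt label is hypothetical

def key_check(key: bytes) -> bytes:
    # Stand-in for the AES-256-GCM tag: shows whether a key fits, not the key.
    return hmac.new(key, b"key-check", hashlib.sha256).digest()

def seal_envelope(root: bytes, app_id: bytes, compose_hash: bytes, owner_id: str) -> dict:
    """Owner side: the envelope is bound to the recipe it was sealed for."""
    key = derive_wrap_key(root, app_id, compose_hash, owner_id)
    return {"app_id": app_id, "owner_id": owner_id, "key_check": key_check(key)}

def release_key(root: bytes, envelope: dict, attested_compose_hash: bytes):
    """Release side: derive from the attested compose-hash, never from a value
    the caller puts in the envelope. Returns None if the recipe differs."""
    key = derive_wrap_key(root, envelope["app_id"], attested_compose_hash,
                          envelope["owner_id"])
    return key if hmac.compare_digest(key_check(key), envelope["key_check"]) else None

# Constructed sample values, not taken from the page.
ROOT = bytes(range(32))
APP_ID = bytes.fromhex("11" * 20)
COMPOSE_V1 = hashlib.sha256(b"services: {analysis: {image: cohort-model:1}}").digest()
COMPOSE_V2 = hashlib.sha256(b"services: {analysis: {image: cohort-model:2}}").digest()

if __name__ == "__main__":
    env = seal_envelope(ROOT, APP_ID, COMPOSE_V1, "hospital-A")
    print("same recipe   :", release_key(ROOT, env, COMPOSE_V1) is not None)
    print("changed recipe:", release_key(ROOT, env, COMPOSE_V2) is not None)
```

The release side takes the compose-hash from the attestation rather than from the envelope, so a CVM running a modified recipe derives a key that does not fit the published ciphertext.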

DstackApp.sol · 0x73c2…be09

multi-sig

    Hospital A     signed    0x91d…0c4
    Hospital B     signed    0x4ef…7a2
    Hospital C     signed    0xab1…d56
    Hospital D     pending
    3 / 4 quorum   key release · waiting

Quorum-gated unwrap, on-chain

DstackApp.sol holds the compose-hash. KMS only releases per-owner keys when every required owner has signed off through the multi-sig. Any single owner can revoke globally with one on-chain transaction — no coordination needed.

in production today · 3 live consortia

Compute-to-data, in production.

Cohorts where one breach used to mean everyone’s breach. Now: sealed at source, approved on-chain, signed aggregate out.

01 · healthcare · live

Cardio-renal cohort

4 hospitals · EU + US + CH

Multi-jurisdiction cohort study with on-chain co-approval. The aggregate is signed; the rows are not.

1.6M records

zero rows leave silos · DP-aggregate out

02 · financial · live

Cross-bank fraud signals

6 banks · US + UK + SG + DE

Joint AML model trained without any bank seeing another bank’s ledger. The model file IS the receipt.

78M transactions

k-of-n quorum · Sign-RPC envelope

03 · B2B · forming

Supply-chain risk benchmark

8 vendors · US + EU + APAC

Federated benchmark whose output type is locked to the registered compose. No back-channel exfiltration.

12M records

output type bound to compose-hash

HIPAA-grade

sealed clinical cohorts

GDPR / UK GDPR

data residency preserved

PCI / FFIEC

cross-bank joins on-chain gated

SOC 2 Type II

attested run history

AI solution paths

Use private models where AI touches secrets.

The private model endpoint is the first entry point. The same privacy primitive extends to agents, data workflows, and training.

LLM API

Private AI inference

Serve OpenAI-compatible model calls where prompts, outputs, and customer context need encrypted-in-use protection.

| model | context | input price | protection |
|---|---|---|---|
| DeepSeek V3.1 | 128K | $0.27/M input | encrypted |
| Qwen3 Coder | 256K | $0.40/M input | encrypted |
| Llama 3.3 70B | 128K | $0.15/M input | encrypted |
| GPT OSS 120B | 128K | $0.10/M input | encrypted |
| Claude Sonnet 4.5 | 200K | $3.00/M input | encrypted |
| Gemini 2.5 Pro | 1M | $1.25/M input | encrypted |

Agents

Private AI agents

Run agents with keys, tools, memory, and actions inside a verified runtime instead of a visible automation cloud.

Training

Private model training

Adapt models on proprietary data while keeping datasets, gradients, checkpoints, and evaluation traces inside the boundary.


private training run · H100 CC

Observe without exposing weights.

  • 01 dataset · sealed
  • 02 fine-tune · running
  • 03 eval · private
  • 04 checkpoint · verified

loss curve · proof attached · attestation.json

Run compute-to-data

Compute travels. Data stays.

Sealed datasets at source. Multi-sig approval on-chain. Only the agreed aggregate leaves the CVM, signed.

  • 01 Owner-side sealing CLI
  • 02 Multi-sig DstackApp gate
  • 03 Combined CPU + GPU TEE
  • 04 Sign-RPC aggregate output
  • 05 Any owner revokes globally
Private AI Data — Compute-to-Data on TEE GPUs | Phala