Privacy you can prove · Swiss-governed

Run AI on data that can't leave.

Patient records, molecules, transactions, contracts. Keep your OpenAI code, change one URL, and the AI runs inside your own walls. Every call returns a receipt your auditors can check.

client = OpenAI(base_url="https://your-perimeter/v1")
3 trust anchors · silicon, math, hybrid
0.00% token recovery, sovereign tier
100% of calls returned with a receipt
inference-receipt · /explorer · VERIFIED
trust domain: mathematics
tier: sovereign · MPC
request: vision.classify · 1 image
privacy guarantee: information-theoretic *
token recovery: 0.00%
data egress: none · secret-shared
proof: STARK · 0x9f3a…c481
* under non-collusion
01 · Today, and the difference

Where does your data go when you use AI?

Today, it leaves. Every prompt sent to a hosted AI lands on hardware you don't control, under rules you didn't write. zkAGI flips the direction: the model runs inside a boundary you draw, your data stays home, and you get proof instead of promises.

What happens today
  • Your prompts and files travel to servers someone else controls, in a place you'll never see.
  • "We don't train on your data" is a promise in a PDF, not something you can check.
  • Under HIPAA, GDPR or the EU AI Act, every one of those calls is a compliance event.
  • When the auditor asks what happened, the best evidence is a screenshot of a log.
What changes with zkAGI
  • The AI comes to your data. It runs on your servers, or inside a region you choose.
  • Keep the OpenAI code you already wrote. Change one URL and you're migrated.
  • You pick the protections your legal team already accepts, and they're enforced on every call.
  • Every call returns a receipt your auditor can verify without taking anyone's word.

Same code. Same models. Your data never leaves, and you can prove it. If your team can call an API, your team can run private AI. The hard parts live in our stack, not in your sprint.

02 · The trust configuration layer

You define the trust domain.

Some legal teams trust hardware. Some trust math. Many want both. You pick, and the platform enforces your pick on every call.

trust-domain.config · enforced

# compiled per workload, never one size fits all

anchor: mathematics
privacy: MPC · secret-sharing · FHE, compiler-picked
operators: disjoint · non-colluding
dealer: can be your own device
latency: interactive → batch, by strength

the receipt attests: a STARK proof of correct, private execution anyone can verify

Same API, same receipt format, whichever anchor you choose.

03 · Tiers of assurance

Pick your altitude.

Three strengths of protection. Pick per workload, change per call, and never pay for more guarantee than the job needs.

Tier 01 · Foothill

Standard

Fast access to a wide choice of large models, with secrets scrubbed on your device before a request ever leaves it.

  • Broad model selection, routed through Venice
  • On-device scrubbing strips PII before anything leaves
  • Zero retention, lowest cost, a receipt on every call

interactive speed · general workloads

Most chosen
Tier 02 · Ridge

Private

The compiler picks the protection that fits your anchor and workload, from masked serving to attested enclaves. The default for regulated production.

  • The serving node never sees your raw inputs
  • Hardware-isolated, chip-attested serving where you want it
  • Under 0.05% token recovery, benchmarked
  • Still interactive speed

interactive speed · regulated default

Tier 03 · Summit

Sovereign

Secure multi-party computation across operator-disjoint nodes, with FHE where the workload demands it. The strongest guarantee we offer.

  • Secret sharing, so no single operator can reconstruct your data
  • 0% effective token recovery, information-theoretic
  • Custom compilation per workload (the Altaica compiler)
  • STARK proofs of correct execution

batch · highest assurance · latency traded for proof

A note on the Sovereign guarantee, in plain terms: your data is split into pieces and sent to operators who don't know each other. No single one of them holds enough to reconstruct anything. The guarantee holds as long as they don't all conspire, the same standard assumption behind MPC anywhere. And the splitting itself (the trusted dealer role) can run on your own device, so the shares are created inside your walls before anything leaves.
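
The splitting described in the note above, sketched as an added example (not zkAGI or Altaica-Mesh code): additive secret sharing with the dealer run locally, three operators, and a dot product computed share by share. The prime modulus, the operator count, the public weights and all function names are assumptions made for illustration.

```python
import secrets

P = 2**61 - 1  # prime modulus (assumed; the page does not name a field)

def deal(values, n_ops):
    """Dealer role, run inside your perimeter: split each value into
    n_ops additive shares mod P and return one share vector per operator."""
    per_op = [[] for _ in range(n_ops)]
    for v in values:
        shares = [secrets.randbelow(P) for _ in range(n_ops - 1)]
        shares.append((v - sum(shares)) % P)  # last share fixes the sum
        for op_vec, s in zip(per_op, shares):
            op_vec.append(s)
    return per_op

def operator_dot(share_vec, weights):
    """One operator's local work: dot product of its shares with public
    weights. It never sees the other operators' shares."""
    return sum(s * w for s, w in zip(share_vec, weights)) % P

def reconstruct(partials):
    """Only the full set of per-operator outputs sums to the real result."""
    return sum(partials) % P

def consistent_missing_share(known_shares, guess):
    """For ANY guessed secret there is a missing share that fits the known
    ones, so n-1 colluding operators cannot rule out a single value."""
    return (guess - sum(known_shares)) % P

def demo():
    x = [12, 7, 30]  # constructed private input (non-negative ints < P)
    w = [3, 5, 2]    # constructed public weights
    per_op = deal(x, 3)
    partials = [operator_dot(vec, w) for vec in per_op]
    return per_op, partials, reconstruct(partials)

if __name__ == "__main__":
    per_op, partials, result = demo()
    print("operator 0 holds:", per_op[0])
    print("reconstructed dot product:", result)
```

Linear steps work on shares with no communication between operators; non-linear layers need interactive MPC protocols, which is where the batch latency of this tier comes from.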

04 · Define your perimeter

Decide where it runs.

You draw the boundary the compute lives inside: one machine in your building, one legal jurisdiction, or spread across continents.

on-prem

Your own cluster

Inference runs entirely inside your data centre or GPU cluster. Nothing leaves the building, and you still get the same receipts.

regional

One jurisdiction

Pin the compute to a single region so data stays inside one legal boundary. The simple answer to residency rules.

transcontinental

Spread across regions

Place operator-disjoint nodes in different countries, so no single site, and no single country, ever holds the whole computation.

Run it on hardware you already own, or let us provision it. Either way, the perimeter is something you set, not something we decide for you.

05 · The Explorer

Every call, a receipt.

Every inference writes down what protected it and proves nothing left your boundary. Your auditor checks it without asking us.

# one key, private by construction
curl https://api.zkagi.ai/v1/infer \
  -H "Authorization: Bearer $ZKAGI_KEY" \
  -d '{"task":"vision.classify","tier":"sovereign"}'

# →
{
  "result": { ... },
  "receipt": {
    "trust_domain": "mathematics",
    "tier": "sovereign-mpc",
    "guarantee": "information-theoretic",
    "egress": "none",
    "proof": "stark:0x9f3a"
  }
}

What's in a receipt

  • Trust domain: which anchor (silicon, math or hybrid) enforced it.
  • Tier: which strength of guarantee ran this call.
  • Recovery bound: the measured ceiling on reconstruction.
  • Egress: confirmation that plaintext never crossed the boundary.
  • Proof: a STARK record your auditor can open without us.

What the receipt evidences

GDPR Art. 25: Data protection by design and by default
GDPR Art. 32: Security of processing: proof of technical measures
HIPAA §164.312: Technical safeguards: access control and integrity
EU AI Act Art. 12: Record-keeping and traceability of inference

Mapping guidance for your compliance team, not legal advice or a certification. The audit stays yours; we help you prepare for it. See disclosures.

06 · What you can run

Four ways to work with data that can't leave.

The same protection wraps training, fine-tuning and federated learning. The whole model lifecycle stays inside your rules.

inference · cryptographic

Private inference

The compiler matches the technique to how sensitive the data is: masked, secret-shared, or fully homomorphic. The strongest option never decrypts your inputs at all, anywhere.

inference · hardware

Confidential-hardware inference

Models served inside attested enclaves, with NVIDIA confidential computing sealing both sides: the data going in and the model weights themselves. Near-native speed, chip-signed evidence.

training · federated

Federated learning

Train one model across hospitals, branches or borders without the data ever pooling. Each site keeps its records; only the learning moves.

training · in-perimeter

Private training & fine-tuning

Bring the model to your data, not the other way around. The weights you produce are your IP, and they never leave the perimeter either.

The compiler puts it together

Describe the workload and the constraints. The compiler weighs your needs, your hardware and your budget, assembles the stack, and hands back an OpenAI-compatible endpoint hosted inside your perimeter.

You never have to choose between MPC, enclaves or federated learning yourself. That's the compiler's job. Your engineers point the SDK they already use at a new base URL and keep working, and the privacy machinery is compiled in underneath rather than bolted on around them.

drop-in · openai-compatible
# the only change your code needs
from openai import OpenAI

client = OpenAI(
  base_url="https://infer.your-perimeter.ai/v1",
  api_key="zk-..."
)

# models hosted inside YOUR perimeter
client.chat.completions.create(...)
07 · One API · four modalities

Private inference, one key.

One integration, one receipt format, one audit story, for vision, voice, text and time-series.

Vision

Classify and extract over images and documents without the pixels ever being recoverable.

imaging · kyc docs

Voice

Transcribe and analyze calls and clinical dictation under the same guarantees, with nothing kept in the clear.

transcription · call qa

Text

Private document Q&A, summarization and extraction over contracts and records.

rag · extraction

Time-series

Transformers for markets and sensor streams. Forecast on proprietary signals without exposing them.

markets · forecasting

08 · How it's built

A substrate, and an ecosystem on it.

Underneath the trust domains, tiers and perimeters sits one substrate. Four layers make it real, and because they form a clean base, agents build on top instead of reinventing privacy every time.

01 / methods

The privacy toolbox

Masking, secret sharing, MPC, FHE, federated learning, attested enclaves. Each covers a different threat model and none is right for every workload, which is why the platform never leans on just one.

02 / compiler

The Altaica compiler

Weighs your data sensitivity, hardware and budget, picks the techniques that hold up for your case, and compiles the serving stack. You get an OpenAI-compatible endpoint.

03 / mesh

Altaica-Mesh

The open-source network that runs obfuscated and MPC inference across distributed nodes, scaling itself as load rises.

04 / proof

The Explorer

Every inference emits a verifiable receipt. That receipt is the compliance artifact, and your auditor can inspect it.

live · the ecosystem: agents running on the substrate
  • Ramm AI: voice · vision
  • Venture Vault: reasoning · tool use
  • Simple Agents: multimodal · agentic harness
  • Signals agent: time-series · markets
  • Beatfarm: voice · payments
  • PawPad: agent · secure wallets
  • Wandrlust: vision · wellness
  • Doc intelligence: vision · regulated
09 · Choosing an anchor

Silicon, math, or both?

There's no universally right anchor, only the one your compliance framework accepts. Here's how the three differ in practice.

What your auditor verifies
  • Silicon: A chip-signed attestation of the exact enclave that ran
  • Mathematics: A STARK proof anyone can check without us in the loop
  • Hybrid: Both artifacts, bound to the same call
Who has to behave
  • Silicon: The hardware vendor and their firmware
  • Mathematics: Operators must not all collude. No single one sees your data
  • Hybrid: Either safeguard alone is enough to hold the line
If a serving node is breached
  • Silicon: Enclave memory stays encrypted to the host
  • Mathematics: The node only ever held obfuscated or partial data
  • Hybrid: Both protections apply, independently
Latency cost
  • Silicon: Near native, the cheapest guarantee to run
  • Mathematics: Interactive for lighter methods; batch for MPC and FHE
  • Hybrid: Set by the stronger layer you include
Typically chosen by
  • Silicon: Teams whose auditors already accept confidential computing
  • Mathematics: Teams that can't accept any hardware vendor in the trust chain
  • Hybrid: Healthcare, banking and legal workloads with no room for error

The point isn't which column wins. Your legal team has already made this call; your infrastructure should carry it out. NVIDIA, Intel TDX, AWS Nitro and similar are trademarks of their respective owners.

Built for the industries that can't get this wrong.

Healthcare, pharma, banking and legal run AI here on data they could never send away.

Inference. Training. Federated.
Ecosystem interest

100+ Web2 and Web3 teams have registered interest in building on this infrastructure.

Interest registered, not all integrated yet. Logos belong to their owners.

Aethir
Ten
Autonomys
Kima
DeepBrainChain
ParallelAI
DMAIL.AI
Router
TrinityPad
Glacier Network
GPUNET
Openmesh
Spheron
MicroGPT
ClusterProtocol
SocialGrowAI
Aurora Foundation
HeLa Labs
DSC
Alterim AI
Koboto Network
Only Layer
Grafilab
Infiblue
Lighthouse
BrootherhoodDAO
Maha DAO
Synctactic
Velvet Capital
IQWiki
Dextr
V3VO
Precipitate
lilAI
coldstack
Neurochain Ai
10 · Governance

Swiss governance. Sovereignty by design.

zkAGI is governed by a Swiss Association, anchoring it in a jurisdiction known for data neutrality and precision. That gives your legal team a governance story they already trust, and the privacy guarantee holds wherever the compute runs. The team operates across the EU and APAC today, on a path to a dedicated Swiss AI lab.

One more thing your review committee will want in writing: zkAGI is built for peaceful, civilian use. We serve business productivity in regulated industries such as healthcare, banking and legal, and we don't take defense or other dual-use work.

Switzerland: governance · EU: operations · APAC · Singapore: operations
11 · Two ways to adopt it

Self-serve, or guided.

Build on the API today, or bring in our engineers for a regulated rollout. Either way, it's the same platform.

For developers

Build on the API

Self-serve · usage-based

  • One OpenAI-compatible key, four modalities, three tiers
  • Set the tier per call, from standard to sovereign
  • A verification receipt in every response
  • Auto-scaling backend, so there's no infra to run
For regulated teams

Run it in production

Production onboarding · contact sales

  • The compiler configured to your trust domain and constraints
  • Anchor, tier and perimeter chosen with your compliance team
  • Models hosted inside your perimeter, behind your endpoint
  • Receipts mapped to your audit requirements
12 · Questions, answered plainly

What buyers ask us first.

Can I use AI on HIPAA or GDPR data?

Yes, if the AI runs where the data is allowed to live. zkAGI deploys models inside your own perimeter (your servers, or a region you choose), so patient records and personal data are processed without leaving your custody. Every call returns a receipt you can hand to your compliance team. Compliance responsibility stays with you; zkAGI supplies the technical evidence and audit preparation help.

Can I keep my own model private, not just the data?

Yes. Model weights are intellectual property, and zkAGI protects them the same way it protects data. Proprietary and fine-tuned models are served inside your perimeter, sealed in attested hardware or split so no single serving node ever holds the whole model. Pharma companies and model vendors use this to protect the asset itself, not just the inputs.

Do I have to rewrite my code to switch?

No. zkAGI exposes an OpenAI-compatible API. Keep the SDK and code you already have, change the base URL to your private endpoint, and your requests run inside your own boundary. For most teams the migration is one line.

Where does my data actually go?

Nowhere you didn't approve. You draw the perimeter: a machine in your building, one legal jurisdiction, or nodes spread across regions. The model comes to the data. Depending on the protections chosen, inputs are processed inside attested hardware or transformed cryptographically before any machine sees them, and nothing crosses the boundary in the clear.

How do I prove to an auditor what the AI did?

Every inference returns a verification receipt recording which trust domain, tier and protections ran, what left the boundary (nothing, in the clear), and a proof an auditor can check independently. It replaces screenshots of logs with evidence.

What can I run privately, beyond chat?

Inference across four modalities (vision, voice, text and time-series), fine-tuning on your own corpus, federated learning across sites that can't pool data, and confidential-hardware serving with NVIDIA confidential computing. The Altaica compiler picks the protection techniques that hold up for each workload.

How much does it cost to start?

The self-serve API is usage-based: get a key and build today, no sales call. Guided production deployments, configured with your compliance team, start from $10K. Deployments are configured per engagement, and your agreement governs what is included.

Disclosures · the fine print, said plainly

Some of this is live. Some is active R&D.

We're a research lab as much as a product company. Parts of what's described on this page run in production today; others are under active research and development, and capabilities land at different times. Before you commit to anything, we'll tell you exactly which pieces are ready for your use case and which are still on the bench.

Configured with you, not off the shelf.

Deployments are assembled per customer and validated to your satisfaction before go-live. That's the point of the compiler. It also means we don't promise that every capability described here exists as a general, ready-made feature for every workload. What we deliver for you is what we agree with you, in writing.

Your audit stays your audit.

zkAGI is not an audit firm, and our inference service has not itself been audited or certified against HIPAA, GDPR or the EU AI Act. Compliance responsibility stays with you, the customer. Our job is to make that job easier: receipts, attestations and documentation built to be handed to your auditor, plus hands-on help getting ready. We assist with audit preparation; we don't conduct audits, issue certifications, or give legal advice.

Nothing on this page is legal advice or a certification claim. Specific guarantees, availability and service levels are defined in your agreement with zkAGI, and that agreement is what governs.

Audit the math

Altaica-Mesh is open source.

The method isn't a black box. The mesh that runs private and MPC inference across distributed nodes is public, so you can read it, run it, and point your own security team at the proof. Regulated buyers trust what they can inspect.

github.com/ZkAGI/Altaica-Mesh
Sovereignty, enforced

We don't tell you who to trust. We give you the tools to enforce it.

Define the trust domain your legal team has already approved. Choose the tier, draw the perimeter, and the platform enforces both and returns a receipt on every call. Technical execution and legal compliance finally say the same thing.