Run AI on data that can't leave.
Patient records, molecules, transactions, contracts. Keep your OpenAI code, change one URL, and the AI runs inside your own walls. Every call returns a receipt your auditors can check.
- 3 trust anchors · silicon, math, hybrid
- 0.00% token recovery, sovereign tier
- 100% of calls returned with a receipt
- trust domain: mathematics
- tier: sovereign · MPC
- request: vision.classify · 1 image
- privacy guarantee: information-theoretic *
- token recovery: 0.00%
- data egress: none · secret-shared
- proof: STARK · 0x9f3a…c481
Where does your data go when you use AI?
Today, it leaves. Every prompt sent to a hosted AI lands on hardware you don't control, under rules you didn't write. zkAGI flips the direction: the model runs inside a boundary you draw, your data stays home, and you get proof instead of promises.
- Your prompts and files travel to servers someone else controls, in a place you'll never see.
- "We don't train on your data" is a promise in a PDF, not something you can check.
- Under HIPAA, GDPR or the EU AI Act, every one of those calls is a compliance event.
- When the auditor asks what happened, the best evidence is a screenshot of a log.
- The AI comes to your data. It runs on your servers, or inside a region you choose.
- Keep the OpenAI code you already wrote. Change one URL and you're migrated.
- You pick the protections your legal team already accepts, and they're enforced on every call.
- Every call returns a receipt your auditor can verify without taking anyone's word.
Same code. Same models. Your data never leaves, and you can prove it.

If your team can call an API, your team can run private AI. The hard parts live in our stack, not in your sprint.
You define the trust domain.
Some legal teams trust hardware. Some trust math. Many want both. You pick, and the platform enforces your pick on every call.
# compiled per workload, never one size fits all
a STARK proof of correct, private execution anyone can verify
Same API, same receipt format, whichever anchor you choose.
Pick your altitude.
Three strengths of protection. Pick per workload, change per call, and never pay for more guarantee than the job needs.
Standard
Fast access to a wide choice of large models, with secrets scrubbed on your device before a request ever leaves it.
- Broad model selection, routed through Venice
- On-device scrubbing strips PII before anything leaves
- Zero retention, lowest cost, a receipt on every call
interactive speed · general workloads
Private
The compiler picks the protection that fits your anchor and workload, from masked serving to attested enclaves. The default for regulated production.
- The serving node never sees your raw inputs
- Hardware-isolated, chip-attested serving where you want it
- Under 0.05% token recovery, benchmarked
- Still interactive speed
interactive speed · regulated default
Sovereign
Secure multi-party computation across operator-disjoint nodes, with FHE where the workload demands it. The strongest guarantee we offer.
- Secret sharing, so no single operator can reconstruct your data
- 0% effective token recovery, information-theoretic
- Custom compilation per workload (the Altaica compiler)
- STARK proofs of correct execution
batch · highest assurance · latency traded for proof
A note on the Sovereign guarantee, in plain terms: your data is split into pieces and sent to operators who don't know each other. No single one of them holds enough to reconstruct anything. The guarantee holds as long as they don't all conspire, the same standard assumption behind MPC anywhere. And the splitting itself (the trusted dealer role) can run on your own device, so the shares are created inside your walls before anything leaves.
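The splitting described in this note, worked through as an added example (this is not zkAGI or Altaica code). It assumes additive n-of-n sharing over integers mod 2^32 and a constructed set of public weights; the page does not say which scheme or ring the platform uses.

```python
"""Additive n-of-n secret sharing: an illustration, not the platform's code."""
import secrets

MOD = 2**32  # assumed ring for shares; the page does not specify one


def deal(values, n_operators):
    """Trusted-dealer step, meant to run on the data owner's device.

    Returns one share vector per operator; all of them sum to `values`."""
    if n_operators < 2:
        raise ValueError("one operator would hold the whole secret")
    shares = [[secrets.randbelow(MOD) for _ in values]
              for _ in range(n_operators - 1)]
    # The last share is fixed so that every column sums to the secret.
    last = [(v - sum(col)) % MOD for v, col in zip(values, zip(*shares))]
    return shares + [last]


def reconstruct(share_vectors):
    """Column-wise sum; yields the input only when ALL shares are present."""
    return [sum(col) % MOD for col in zip(*share_vectors)]


def local_linear(share, weights):
    """An operator applies public weights to its own share, with no messages."""
    return sum(w * s for w, s in zip(weights, share)) % MOD


def explain_away(partial_shares, candidate):
    """The share the absent operator would hold if the input were `candidate`.

    One exists for every candidate, so n-1 colluders can rule nothing out."""
    return [(c - sum(col)) % MOD
            for c, col in zip(candidate, zip(*partial_shares))]


def demo():
    tokens = [15496, 11, 995]  # constructed sample input (token ids)
    weights = [3, 1, 4]        # constructed public weights
    shares = deal(tokens, 3)
    partials = [local_linear(s, weights) for s in shares]
    # Summing the operators' partial results gives the weighted sum of tokens.
    return reconstruct(shares), sum(partials) % MOD


if __name__ == "__main__":
    print(demo())
```

`explain_away` is the part that matches the "as long as they don't all conspire" condition: whatever input an observer guesses, the shares held by any n-1 operators are consistent with it.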
Decide where it runs.
You draw the boundary the compute lives inside: one machine in your building, one legal jurisdiction, or spread across continents.
Your own cluster
Inference runs entirely inside your data centre or GPU cluster. Nothing leaves the building, and you still get the same receipts.
One jurisdiction
Pin the compute to a single region so data stays inside one legal boundary. The simple answer to residency rules.
Spread across regions
Place operator-disjoint nodes in different countries, so no single site, and no single country, ever holds the whole computation.
Run it on hardware you already own, or let us provision it. Either way, the perimeter is something you set, not something we decide for you.
Every call, a receipt.
Every inference writes down what protected it and proves nothing left your boundary. Your auditor checks it without asking us.
```bash
# one key, private by construction
curl https://api.zkagi.ai/v1/infer \
  -H "Authorization: Bearer $ZKAGI_KEY" \
  -d '{"task":"vision.classify","tier":"sovereign"}'

# → {
#   "result": { ... },
#   "receipt": {
#     "trust_domain": "mathematics",
#     "tier": "sovereign-mpc",
#     "guarantee": "information-theoretic",
#     "egress": "none",
#     "proof": "stark:0x9f3a"
#   }
# }
```
What's in a receipt
- Trust domain: which anchor (silicon, math or hybrid) enforced it.
- Tier: which strength of guarantee ran this call.
- Recovery bound: the measured ceiling on reconstruction.
- Egress: confirmation that plaintext never crossed the boundary.
- Proof: a STARK record your auditor can open without us.
What the receipt evidences
Mapping guidance for your compliance team, not legal advice or a certification. The audit stays yours; we help you prepare for it. See disclosures.
Four ways to work with data that can't leave.
The same protection wraps training, fine-tuning and federated learning. The whole model lifecycle stays inside your rules.
Private inference
The compiler matches the technique to how sensitive the data is: masked, secret-shared, or fully homomorphic. The strongest option never decrypts your inputs at all, anywhere.
Confidential-hardware inference
Models served inside attested enclaves, with NVIDIA confidential computing sealing both sides: the data going in and the model weights themselves. Near-native speed, chip-signed evidence.
Federated learning
Train one model across hospitals, branches or borders without the data ever pooling. Each site keeps its records; only the learning moves.
Private training & fine-tuning
Bring the model to your data, not the other way around. The weights you produce are your IP, and they never leave the perimeter either.
The compiler puts it together
Describe the workload and the constraints. The compiler weighs your needs, your hardware and your budget, assembles the stack, and hands back an OpenAI-compatible endpoint hosted inside your perimeter.
You never have to choose between MPC, enclaves or federated learning yourself. That's the compiler's job. Your engineers point the SDK they already use at a new base URL and keep working, and the privacy machinery is compiled in underneath rather than bolted on around them.
```python
from openai import OpenAI

# the only change your code needs
client = OpenAI(
    base_url="https://infer.your-perimeter.ai/v1",
    api_key="zk-...",
)

# models hosted inside YOUR perimeter
client.chat.completions.create(...)
```
Private inference, one key.
One integration, one receipt format, one audit story, for vision, voice, text and time-series.
Vision
Classify and extract over images and documents without the pixels ever being recoverable.
imaging · kyc docs
Voice
Transcribe and analyze calls and clinical dictation under the same guarantees, with nothing kept in the clear.
transcription · call qa
Text
Private document Q&A, summarization and extraction over contracts and records.
rag · extraction
Time-series
Transformers for markets and sensor streams. Forecast on proprietary signals without exposing them.
markets · forecasting
A substrate, and an ecosystem on it.
Underneath the trust domains, tiers and perimeters sits one substrate. Four layers make it real, and because they form a clean base, agents build on top instead of reinventing privacy every time.
The privacy toolbox
Masking, secret sharing, MPC, FHE, federated learning, attested enclaves. Each covers a different threat model and none is right for every workload, which is why the platform never leans on just one.
Read the methods →

The Altaica compiler
Weighs your data sensitivity, hardware and budget, picks the techniques that hold up for your case, and compiles the serving stack. You get an OpenAI-compatible endpoint.
How compilation works →

Altaica-Mesh
The open-source network that runs obfuscated and MPC inference across distributed nodes, scaling itself as load rises.
View the source →

The Explorer
Every inference emits a verifiable receipt. That receipt is the compliance artifact, and your auditor can inspect it.
How receipts work →

Silicon, math, or both?
There's no universally right anchor, only the one your compliance framework accepts. Here's how the three differ in practice.
The point isn't which column wins. Your legal team has already made this call; your infrastructure should carry it out. NVIDIA, Intel TDX, AWS Nitro and similar are trademarks of their respective owners.
Built for the industries that can't get this wrong.
Healthcare, pharma, banking and legal run AI here on data they could never send away.
100+ Web2 and Web3 teams have registered interest in building on this infrastructure.
Interest registered, not all integrated yet. Logos belong to their owners.
Swiss governance. Sovereignty by design.
zkAGI is governed by a Swiss Association, anchoring it in a jurisdiction known for data neutrality and precision. That gives your legal team a governance story they already trust, and the privacy guarantee holds wherever the compute runs. The team operates across the EU and APAC today, on a path to a dedicated Swiss AI lab.
One more thing your review committee will want in writing: zkAGI is built for peaceful, civilian use. We serve business productivity in regulated industries such as healthcare, banking and legal, and we don't take defense or other dual-use work.
Self-serve, or guided.
Build on the API today, or bring in our engineers for a regulated rollout. Either way, it's the same platform.
Build on the API
Self-serve · usage-based
- One OpenAI-compatible key, four modalities, three tiers
- Set the tier per call, from standard to sovereign
- A verification receipt in every response
- Auto-scaling backend, so there's no infra to run
Run it in production
Production onboarding · contact sales
- The compiler configured to your trust domain and constraints
- Anchor, tier and perimeter chosen with your compliance team
- Models hosted inside your perimeter, behind your endpoint
- Receipts mapped to your audit requirements
What buyers ask us first.
Can I use AI on HIPAA or GDPR data?
Yes, if the AI runs where the data is allowed to live. zkAGI deploys models inside your own perimeter (your servers, or a region you choose), so patient records and personal data are processed without leaving your custody. Every call returns a receipt you can hand to your compliance team. Compliance responsibility stays with you; zkAGI supplies the technical evidence and audit preparation help.
Can I keep my own model private, not just the data?
Yes. Model weights are intellectual property, and zkAGI protects them the same way it protects data. Proprietary and fine-tuned models are served inside your perimeter, sealed in attested hardware or split so no single serving node ever holds the whole model. Pharma companies and model vendors use this to protect the asset itself, not just the inputs.
Do I have to rewrite my code to switch?
No. zkAGI exposes an OpenAI-compatible API. Keep the SDK and code you already have, change the base URL to your private endpoint, and your requests run inside your own boundary. For most teams the migration is one line.
Where does my data actually go?
Nowhere you didn't approve. You draw the perimeter: a machine in your building, one legal jurisdiction, or nodes spread across regions. The model comes to the data. Depending on the protections chosen, inputs are processed inside attested hardware or transformed cryptographically before any machine sees them, and nothing crosses the boundary in the clear.
How do I prove to an auditor what the AI did?
Every inference returns a verification receipt recording which trust domain, tier and protections ran, what left the boundary (nothing, in the clear), and a proof an auditor can check independently. It replaces screenshots of logs with evidence.
What can I run privately, beyond chat?
Inference across four modalities (vision, voice, text and time-series), fine-tuning on your own corpus, federated learning across sites that can't pool data, and confidential-hardware serving with NVIDIA confidential computing. The Altaica compiler picks the protection techniques that hold up for each workload.
How much does it cost to start?
The self-serve API is usage-based: get a key and build today, no sales call. Guided production deployments, configured with your compliance team, start from $10K. Deployments are configured per engagement, and your agreement governs what is included.
Some of this is live. Some is active R&D.
We're a research lab as much as a product company. Parts of what's described on this page run in production today; others are under active research and development, and capabilities land at different times. Before you commit to anything, we'll tell you exactly which pieces are ready for your use case and which are still on the bench.
Configured with you, not off the shelf.
Deployments are assembled per customer and validated to your satisfaction before go-live. That's the point of the compiler. It also means we don't promise that every capability described here exists as a general, ready-made feature for every workload. What we deliver for you is what we agree with you, in writing.
Your audit stays your audit.
zkAGI is not an audit firm, and our inference service has not itself been audited or certified against HIPAA, GDPR or the EU AI Act. Compliance responsibility stays with you, the customer. Our job is to make that job easier: receipts, attestations and documentation built to be handed to your auditor, plus hands-on help getting ready. We assist with audit preparation; we don't conduct audits, issue certifications, or give legal advice.
Nothing on this page is legal advice or a certification claim. Specific guarantees, availability and service levels are defined in your agreement with zkAGI, and that agreement is what governs.
Altaica-Mesh is open source.
The method isn't a black box. The mesh that runs private and MPC inference across distributed nodes is public, so you can read it, run it, and point your own security team at the proof. Regulated buyers trust what they can inspect.
We don't tell you who to trust. We give you the tools to enforce it.
Define the trust domain your legal team has already approved. Choose the tier, draw the perimeter, and the platform enforces both and returns a receipt on every call. Technical execution and legal compliance finally say the same thing.