Secure by design in a zero-trust world.
Built on proven fundamentals, specialized for robotic foundation models. Neither party has to trust the other — or us.
Zero-trust by construction.
We don’t ask anyone to trust us, and we don’t trust the cloud we run on. Each enclave is gated by hardware attestation and cryptographic checks before any data or weights are touched. Decrypted plaintext exists only inside an attested enclave, only for the duration of an operation. The hardware enforces the boundary; we don’t.
Three enclaves, three roles.
Model enclave.
Lab-owned. Persistent home for weights, fine-tuning stack, and checkpoints.
Training enclave.
Ephemeral. The only place where the lab’s stack and the customer’s data are simultaneously decrypted. Destroyed after the run.
Shared enclave.
Joint custody. Holds the fine-tuned model under dual-key encryption; inference requires authorization from both sides.
Guarantees.
Attested.
No enclave decrypts anything until the hardware, the enclave image, and the encrypted payloads are verified against trusted roots. A failed check aborts the operation before keys are released.
No plaintext escape.
Decrypted weights or data exist only inside the Training enclave, only for the duration of a run, and only behind attested isolation. The cloud can’t read in. We can’t either.
Dual-key inference.
The fine-tuned model is encrypted with both parties’ keys. Every inference run requires both to authorize. Neither side can run it unilaterally; neither can be locked out.
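An added sketch (not the platform's own code) of how attestation-gated key release and dual-key authorization can fit together: each party holds one share of the model key and releases it only after checking a fresh, signed report of the enclave image and encrypted payload. Assumptions: an HMAC key stands in for the hardware root of trust, the key is split 2-of-2 with XOR, and every name and sample value below is hypothetical and constructed.

```python
import hashlib, hmac, secrets

# Constructed stand-in for the hardware root of trust. Real TEEs sign reports
# with an asymmetric key chained to a vendor certificate; HMAC is used here
# only so the example runs on the standard library.
HW_ROOT_KEY = secrets.token_bytes(32)
IMAGE = b"enclave-image-v1 (constructed)"
PAYLOAD = b"encrypted fine-tuned model blob (constructed)"

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(body: str) -> str:
    return hmac.new(HW_ROOT_KEY, body.encode(), "sha256").hexdigest()

def make_report(image: bytes, payload: bytes, nonce: bytes) -> dict:
    """Simulates the hardware measuring what is loaded and signing the result."""
    body = "|".join([digest(image), digest(payload), nonce.hex()])
    return {"body": body, "sig": sign(body)}

def split_key(key: bytes):
    """2-of-2 XOR split: either share alone is uniformly random."""
    a = secrets.token_bytes(len(key))
    return a, bytes(x ^ y for x, y in zip(key, a))

class KeyHolder:
    """One party guarding its share; releases it only to an attested enclave."""
    def __init__(self, share: bytes):
        self.share, self.nonce = share, None

    def challenge(self) -> bytes:
        self.nonce = secrets.token_bytes(16)  # fresh per request, blocks replay
        return self.nonce

    def release(self, report: dict) -> bytes:
        if self.nonce is None:
            raise PermissionError("no outstanding challenge")
        nonce, self.nonce = self.nonce, None  # each challenge is single use
        if not hmac.compare_digest(sign(report["body"]), report["sig"]):
            raise PermissionError("report not signed by trusted hardware")
        expected = "|".join([digest(IMAGE), digest(PAYLOAD), nonce.hex()])
        if not hmac.compare_digest(expected, report["body"]):
            raise PermissionError("image, payload or nonce mismatch")
        return self.share

def authorize_inference(lab, customer, image: bytes, payload: bytes) -> bytes:
    """Enclave side: attest to each party separately, then combine both shares."""
    shares = [h.release(make_report(image, payload, h.challenge())) for h in (lab, customer)]
    return bytes(x ^ y for x, y in zip(*shares))
```

A modified image or payload changes the measured digests, so each holder raises before its share leaves, and a report captured from an earlier run fails the nonce check.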
What leaves. What doesn’t.
What leaves the platform
- Model outputs to the robot (inference results)
- Win-rate signal to the model lab (aggregate, anonymous)
- Eval reports to the robotics company (ranked, no model IDs)
What never leaves the platform
- Training data
- Model weights
- Fine-tuning source code
- Gradients and intermediate checkpoints
- Customer identities under protected accounts
- Any data that would identify a party to the other
Anonymization mechanics.
Comparisons stay anonymous in practice through several layered controls. Model identifiers are replaced with opaque tokens at eval time — no fingerprints, no architecture hints, no metadata that would let a technically sophisticated robotics company reverse-engineer which lab’s model they’re evaluating. Win-rate reports strip client identifiers before they reach the model lab: they see performance across a task category, not a named customer’s results.