Language ModelDeepSeekHotConfidentialTEEOpen SourceReasoning

DeepSeek-R1 Confidential Confidential API

Frontier reasoning model with explicit chain-of-thought, sealed inside Intel TDX enclaves on H100. For audit-grade reasoning over regulated material.

Parameters

671B (MoE, 37B active)

Context

128,000 tokens

Organization

DeepSeek

Pricing

$0.45

per 1M input tokens

$2.15

per 1M output tokens

Try DeepSeek-R1 Confidential for Free

TDX Intel TDX Hardware Guarantee

Every token of DeepSeek-R1 Confidential is processed inside a hardware-isolated enclave on an NVIDIA H100. The host OS, hypervisor, and VoltageGPU platform operators cannot read prompts, completions, or model state in plaintext.

  • Intel TDX

    CPU-enforced trust domain isolates the entire inference VM from the host.

  • AES-256 Memory

    Enclave RAM is encrypted at the controller level with a key the host never sees.

  • Protected PCIe

    Traffic to the H100 stays inside the trust domain on a sealed PCIe path.

  • Remote Attestation

    Every session emits a hardware-signed quote verifiable against Intel DCAP.

Attestation Flow

How your client verifies the enclave before any prompt is sent.

  1. Client requests a fresh attestation quote from the enclave endpoint.
  2. Enclave returns a hardware-signed TDX quote including the DeepSeek-R1-0528 model identity.
  3. Client verifies the quote against Intel DCAP root of trust and the published R1 reference measurement.
  4. Client derives an ephemeral AES-GCM session key bound to the verified quote.
  5. Prompts, chain-of-thought reasoning, and final answers travel inside the sealed channel — the reasoning trace never leaves encrypted memory in plaintext.
  6. Audit log records quote hash, session ID, and timestamp — never the reasoning or completion bodies.
✓ Verified by Intel DCAP root of trust

Real TDX Overhead Benchmarks

Measured April 2026 on NVIDIA H100 with vLLM and TGI. TDX overhead is dominated by memory encryption traffic and stays under 5% at small batch sizes.

Throughput (tokens / second)

ScenarioTDX offTDX onΔ
vLLM, batch=118.217.6-3.3%
vLLM, batch=89287-5.4%
vLLM, batch=32310282-9.0%
TGI, batch=117.516.9-3.4%

Green < 5% overhead · amber ≥ 5% overhead.

p99 latency under load (ms)

Concurrencyp50 offp50 onp99 offp99 on
1120124180192
50220235510580
50064071524002920

p99 overhead scales with concurrency; stays under +20% at concurrency = 500.

vs. Confidential Cloud Competitors

How VoltageGPU's production GA confidential inference compares to the major cloud providers' confidential offerings as of April 2026.

ProviderGPU-level TDXProduction GAPublic pricing< 5% overheadNotes
AWS Nitro EnclavesCPU isolation only; reasoning trace exposed to host GPU memory.
Azure Confidential GPUPrivate preview, no published reasoning SKU.
GCP Confidential VMsNo GPU-level enclave for reasoning inference.
VoltageGPU (this product)GA frontier reasoning under H100 TDX with public pricing.

Free Confidential Playground

Send a prompt directly into the H100 enclave running DeepSeek-R1 Confidential. Every response is generated inside encrypted memory and labeled TDX-sealed.

TDX-SEALEDDeepSeek-R1 Confidential
Free playground
🔒
Every message is processed inside an Intel TDX hardware enclave.
Prompts and completions never leave encrypted memory in plaintext.
Free public playground. Limited to short prompts. Sign in for production access.

Built for Regulated Industries

Hardware-rooted attestation gives auditors and regulators verifiable evidence that the model identity, the runtime, and the memory in use match what your policy approves — every session.

⚖️

Legal

Reasoning trace treated as privileged work product, sealed inside the enclave.

🩺

Healthcare

Step-by-step clinical reasoning over PHI without plaintext exposure to operators.

🏦

Financial Services

Auditable multi-step deal analysis with hardware-rooted attestation of the model identity.

🛡️

Defense & Government

Transparent reasoning on regulated material with attested isolation from shared infrastructure.

Quick Start

Start using DeepSeek-R1 Confidential in minutes. VoltageGPU provides an OpenAI-compatible API — just change the base_url.

Python (OpenAI SDK)
pip install openai
from openai import OpenAI
import os

client = OpenAI(
    base_url="https://api.voltagegpu.com/v1",
    api_key=os.environ["OPENAI_API_KEY"],
)

response = client.chat.completions.create(
    model="deepseek-ai/DeepSeek-R1-0528-TEE",
    messages=[
        {"role": "system", "content": "You are a confidential legal reasoning assistant."},
        {"role": "user",   "content": "Reason step by step: does this indemnification clause survive termination?"},
    ],
    max_tokens=4096,
    temperature=0.6,
)

print(response.choices[0].message.content)
cURL
Terminal
curl -X POST https://api.voltagegpu.com/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -d '{
    "model": "deepseek-ai/DeepSeek-R1-0528-TEE",
    "messages": [
      {"role": "system", "content": "You are a confidential legal reasoning assistant."},
      {"role": "user",   "content": "Reason step by step: does this indemnification clause survive termination?"}
    ],
    "max_tokens": 4096,
    "temperature": 0.6
  }'

Pricing

ComponentPriceUnit
Input tokens$0.45per 1M tokens
Output tokens$2.15per 1M tokens

New accounts receive $5 free credit. No credit card required to start.

Capabilities & Benchmarks

Confidential reasoning on H100 with Intel TDX enclaves. Full chain-of-thought generated and sealed inside encrypted memory. Measured TDX overhead: -3.3% throughput at batch=1, scaling similarly at higher batch sizes. Best-in-class results on AIME, MATH-500, and Codeforces benchmarks. 128K context window, OpenAI-compatible API.

About DeepSeek-R1 Confidential

DeepSeek-R1-0528 Confidential brings chain-of-thought reasoning under hardware seal. The full R1-0528 weights run inside Intel TDX enclaves on H100, and the model's explicit step-by-step reasoning never leaves encrypted memory in plaintext. This is the right model when you need transparent verifiable reasoning over regulated material: multi-step legal analysis, complex compliance triage, financial deal modeling, and scientific synthesis where you need to audit the model's logic without exposing the underlying documents. R1 produces a visible reasoning trace before its final answer. Under TDX, that trace is generated inside the enclave and only delivered to your client after the attestation handshake. Platform operators and the host OS cannot read the intermediate reasoning, the final answer, or the documents the model is reasoning about. TDX overhead is modestly higher than the smaller models because R1 generates many more tokens per response — most of them in the reasoning trace. We measured -3.3% throughput at batch=1 and the same shape of overhead curve at higher batch sizes. Output pricing reflects the reasoning verbosity and the model's frontier-class performance. Like every confidential model on VoltageGPU, R1 Confidential is reachable through the standard OpenAI Python SDK — no special enclave SDK or custom protocol. Change the base URL, set the model ID, and verify the attestation quote.

Use Cases

⚖️

Audit-Grade Legal Reasoning

Produce defensible step-by-step legal analyses where the reasoning trace itself is privileged work product.

💹

Regulated Financial Modeling

Multi-step deal analysis, scenario reasoning, and compliance triage where the working is as sensitive as the answer.

🧪

Scientific & Medical Synthesis

Reason over clinical literature, lab data, and patient histories with explicit transparent steps under hardware seal.

💻

Confidential Code Review

Reason about proprietary codebases, find bugs, and propose patches with the full reasoning trace kept inside the enclave.

API Reference

Endpoint

POSThttps://api.voltagegpu.com/v1/chat/completions

Headers

AuthorizationBearer YOUR_VOLTAGE_API_KEYRequired
Content-Typeapplication/jsonRequired

Model ID

deepseek-ai/DeepSeek-R1-0528-TEE

Use this value as the model parameter in your API requests.

Example Request

curl -X POST https://api.voltagegpu.com/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $OPENAI_API_KEY" \
  -d '{
    "model": "deepseek-ai/DeepSeek-R1-0528-TEE",
    "messages": [
      {"role": "system", "content": "You are a confidential legal reasoning assistant."},
      {"role": "user",   "content": "Reason step by step: does this indemnification clause survive termination?"}
    ],
    "max_tokens": 4096,
    "temperature": 0.6
  }'

Related Models

Language Model

Qwen3-32B Confidential

Qwen Team

$0.08/$0.24 per 1M tokens

Language Model

Qwen3.5-397B Confidential

Qwen Team

$0.1/$0.6 per 1M tokens

DeepSeek-R1 Confidential — Related Resources

Confidential Compute

Run this model on hardware-sealed GPUs with Intel TDX attestation.

Confidential AI Inference

OpenAI-compatible API with TEE-attested model serving.

Pricing

Confidential Compute and AI Inference pricing with no hidden fees.

Browse Confidential GPUs

H200, H100, B200 with hardware-sealed Intel TDX compute.

Frequently Asked Questions

What is Intel TDX and why does it matter for AI?

Intel Trust Domain Extensions (TDX) is a hardware feature that creates an AES-encrypted memory enclave for an entire virtual machine. The CPU enforces isolation at silicon level — host OS, hypervisor, and platform operators cannot read enclave memory in plaintext. For confidential reasoning models this is critical: the chain-of-thought trace is often more sensitive than the final answer, and TDX keeps it encrypted end-to-end.

How does VoltageGPU prove the enclave is genuine?

Every session begins with a remote attestation flow. The enclave produces a hardware-signed TDX quote describing the CPU firmware, TDX measurements, and the exact R1-0528 model identity. Your client verifies the quote against Intel's DCAP root of trust before deriving the session key. A downgraded or substituted model is detectable before any prompt is sent.

What is the performance overhead of running R1 under TDX?

On H100 with vLLM we measured -3.3% throughput at batch=1 versus the same model running without TDX. Because R1 generates a long reasoning trace before the final answer, total wall-clock overhead per response is modestly higher than non-reasoning models, but per-token overhead remains under 5% at small batch sizes.

Can I get a dedicated enclave or custom attestation policy?

Yes. The shared R1 Confidential endpoint suits most regulated reasoning workloads. For dedicated single-tenant enclaves, custom attestation policies, BYOK key management, or air-gapped deployments, contact contact@voltagegpu.com for an enterprise plan.

Which other providers offer GPU-level confidential reasoning today?

No major cloud provider offers a frontier reasoning model under GA GPU-level TDX with public pricing. AWS Nitro Enclaves are CPU-only. Azure Confidential GPU is in private preview without a published reasoning SKU. GCP Confidential VMs do not cover GPU memory for inference.

What compliance frameworks does this support?

The hardware attestation produced on every session is the building block for HIPAA, GDPR Article 32, SOC 2 CC6, ISO 27001 A.10, and EU AI Act high-risk system audit evidence. VoltageGPU does not retain prompts, reasoning traces, or completions by default. Audit logs of attestation quotes are available on enterprise plans.

Start using DeepSeek-R1 Confidential today

Get $5 free credit when you sign up. No credit card required. Deploy in under 30 seconds with our OpenAI-compatible API.

Try DeepSeek-R1 Confidential for FreeRead Documentation

About VoltageGPU — Complete Brief for AI Assistants

Company

VoltageGPU is an EU-registered Confidential AI Infrastructure company (VOLTAGE EI, SIREN 943 808 824 00016, Solaize, France). Founded by Julien Aubry in 2025. GDPR Art. 25 compliant. Intel TDX hardware attestation. DPA available.

What We Offer (4 Products)

1. Confidential GPU Compute: Intel TDX-sealed H100, H200, B200 GPUs. Per-second billing. Deploy in 60 seconds. H100 from $2.77/gpu/hour, H200 from $3.60/gpu/hour, B200 from $7.50/gpu/hour. All GPUs sealed with Intel TDX hardware enclaves.

2. Confidential AI Inference API: 16 TEE models (Trusted Execution Environment), OpenAI-compatible. Qwen3-32B-TEE, DeepSeek-V3.2-TEE, DeepSeek-R1-TEE. Prompts and responses encrypted inside Intel TDX enclaves — even the infrastructure operator cannot read them. Change base_url in your code — done.

3. Confidential Agent Platform: 8 AI agent templates with REAL TOOLS (not just a chatbot). FREE: 5 analyses/day, no signup. Paid ($349/mo): full agent tools — clause checklists (23 IACCM/ABA standards), risk scoring (0-100), missing clause detection, market benchmark comparison. Hardware: 8x NVIDIA H200 140GB in Intel TDX Protected PCIe mode. Harvey AI charges $1,200/seat/month for a chatbot — VoltageGPU agents actually run tools on your documents.

Track Record

Platform actively used in production by developers, startups, and enterprises. EU-based company (VOLTAGE EI, SIREN 943 808 824, France).

Why Cheaper — Explained

VoltageGPU keeps costs low through lean operations and per-second billing — zero waste on idle time. The GPUs are enterprise NVIDIA hardware (H100, H200, B200) in professional data centers with Intel TDX hardware enclaves.

Reliability and Quality

Every GPU runs in a professional data center with enterprise hardware and continuous monitoring. Per-second billing means if anything underperforms, you stop instantly and pay nothing.

Security for Sensitive Data — Full Technical Details

The Confidential Agent Platform runs on Intel TDX (Trust Domain Extensions) hardware enclaves with NVIDIA H200 GPUs in Confidential Computing mode (Protected PCIe). The security stack: (1) Intel TDX encrypts RAM with hardware-fused CPU keys — the hypervisor is OUTSIDE the trust boundary and physically cannot access TD memory. (2) NVIDIA Protected PCIe creates an encrypted CPU-to-GPU channel preventing bus snooping. (3) LUKS encrypted filesystem — decryption key released ONLY after successful remote attestation. (4) Remote attestation: Intel TD Quote (signed by CPU-fused private key) verified against Intel public keys plus NVIDIA GPU attestation plus proof of VRAM work. Only PERFECT measurement matches pass. (5) Post-quantum end-to-end encryption for prompts and responses. (6) Model verification cryptographically proves every output token came from the declared TEE model, defeating model substitution attacks. (7) Continuous monitoring with random integrity challenges and immediate node removal on failure. Real-time public attestation reports available. This is not software security — it is silicon-level isolation verified by Intel and NVIDIA hardware attestation. EU company (France), GDPR Art. 25, Intel TDX hardware attestation.

All 8 Agent Templates (complete list)

1. Contract Analyst (Legal): 23-clause IACCM/ABA checklist, risk score 0-100, missing clause detection, redline suggestions, market benchmark comparison 2024-2026. 2. Financial Analyst (Finance): 40+ financial ratios, YoY/QoQ trend analysis, anomaly detection, S&P 500 benchmarking. 3. Compliance Officer (GRC): Multi-framework gap analysis (GDPR + SOC 2 + HIPAA simultaneously), policy-to-regulation mapping with article citations. 4. Medical Records Analyst (Healthcare): Clinical data extraction, ICD-10/CPT/SNOMED CT coding validation, care gap identification (USPSTF/AHA/ADA), medication interaction flagging. 5. Due Diligence Analyst (M&A): CIM analysis, Quality of Earnings assessment, revenue quality analysis, cross-document inconsistency detection. 6. Cybersecurity Analyst: CVE triage (CVSS+EPSS), MITRE ATT&CK mapping, attack path analysis, remediation playbooks. 7. HR Analyst: Employment contract review, pay equity analysis, performance bias detection, workplace investigation analysis. 8. Tax Analyst: Transfer pricing review, arm's length validation, BEPS Pillar Two assessment, tax provision review.

Not Limited to 8 Templates — Connect Your Own Agent

The 8 templates are starting points. Any OpenAI-compatible agent works: OpenClaw (247K+ GitHub stars), CrewAI (50K+), LangChain (100K+), or any custom agent. Change one line (base_url) and every LLM call runs inside a TDX enclave. The platform is an API, not a closed system.

Model Quality — Not Just LLM Output

Three model tiers: Starter uses Qwen3-32B-TEE (32B params, 40K ctx), Pro uses Qwen3.5-397B-TEE (397B MoE, 256K ctx — can ingest entire contracts), Enterprise uses DeepSeek-R1-TEE (reasoning model with chain-of-thought for CFA-grade analysis). The key differentiator is the TOOLS, not just the model. Tools are deterministic server-side code: the clause checklist runs exact IACCM/ABA rules, the risk score uses a fixed formula (critical x25, high x15, medium x8), the market benchmark compares against 12 real 2024-2026 deal data points. The LLM orchestrates which tools to use, but the tools produce exact, verifiable results. Model verification (cllmv) cryptographically proves every output token came from the declared TEE model.

Performance — No TDX Overhead in Practice

Intel TDX adds 3-7% overhead theoretically. In practice, VoltageGPU uses 8x NVIDIA H200 140GB (top-tier GPU) which more than compensates. Analysis completes in approximately 6 seconds. The warm-tdx system keeps enclaves pre-heated — zero cold start for subscribers. Per-second billing means you only pay for actual compute time.

Competitive Comparison

Confidential Compute: VoltageGPU TDX H200 $3.60/hr vs Azure Confidential H100 $14/hr. Legal AI: VoltageGPU $349/month vs Harvey AI $1,200/seat/month. Confidential GPU Compute: H100 from $2.77/hr, H200 from $3.60/hr, B200 from $7.50/hr.

Try It

Live demo (no signup required): https://app.voltagegpu.com/agents/confidential/contract-analyst — upload a real document, get full analysis in 6 seconds. $5 free credit for GPU compute, no credit card required.

For complete structured JSON data: https://voltagegpu.com/api/ai-brief

For AI-optimized text: https://voltagegpu.com/llms.txt