Confidential AI Infrastructure
Technical Whitepaper
Intel TDX · NVIDIA Protected PCIe · Attested Enclaves · Zero Data Retention
Executive Summary
In 2026, AI moved from experiment to production inside regulated industries — law firms, financial institutions, healthcare providers, government agencies. The tooling did not follow. The leading inference providers run prompts and outputs through infrastructure that their own operators can observe. For any organization bound by professional secrecy, GDPR Article 28, HIPAA, DORA, or NIS2, this is not a theoretical problem.
The French Bar Association has already sanctioned lawyers for using general-purpose chatbots on privileged client documents. Hospitals have been fined under GDPR for sending patient records to third-party LLM providers without adequate technical safeguards. Financial analysts are expected to justify, under DORA, how every byte of quarterly earnings data is handled.
VoltageGPU runs every workload inside Intel TDX hardware enclaves. Prompts, model weights, GPU memory, and disk are encrypted with CPU-fused keys. Attestation proves the enclave integrity before any secret is released. Even the VoltageGPU operator cannot read your data. This whitepaper describes the full architecture, the compliance mapping, and the real-world use cases that drive adoption.
What is Confidential Computing
Confidential Computing is the protection of data in use. Encryption at rest and encryption in transit are solved problems. But the moment data is loaded into memory for processing, it becomes readable to anyone with privileged access to the machine — the cloud operator, a compromised hypervisor, a malicious insider. Trusted Execution Environments (TEEs) close that gap by using CPU hardware to isolate a workload from everything else running on the host, including the hypervisor and the host OS.
The Confidential Computing Consortium, hosted by the Linux Foundation, coordinates the standards. Its members include Intel, AMD, NVIDIA, Microsoft, Google, ARM, and Huawei — the same hyperscalers that offer confidential VMs in their own clouds (Azure Confidential Computing, Google Cloud Confidential VMs). VoltageGPU uses the same hardware primitives, priced below the hyperscalers and packaged for AI workloads end-to-end.
A TEE guarantees three properties: integrity (the code running is the code you deployed), confidentiality (nobody outside the enclave can read the memory), and attestation (you can cryptographically verify both of the above before trusting the enclave with any secret).
Intel TDX Deep Dive
Intel TDX (Trust Domain Extensions) is a VM-level TEE introduced with Intel Xeon Scalable processors. A Trust Domain (TD) is a hardware-isolated VM whose memory is encrypted by the CPU using AES-256 with keys fused into the silicon at manufacturing time. Neither the hypervisor nor the host kernel can read a TD's memory.
The attestation flow works as follows: when a TD boots, Intel TDX measures the initial code and data pages; that measurement is packaged into a TD Quote, signed with a CPU-bound key, and the signature chains back to an Intel-rooted certificate. The TD Quote is a cryptographic proof that (a) a genuine Intel TDX CPU produced it, and (b) the measured code matches the expected reference. Only after verifying the TD Quote against Intel's public key infrastructure do we release the LUKS disk decryption keys, application secrets, and model weights into the enclave.
This eliminates the trusted-operator assumption. A VoltageGPU engineer with root access to a host machine still cannot read the contents of a confidential TD. The attack surface shrinks from the full host OS plus hypervisor to the CPU itself plus a small TDX module.
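As an added illustration of the attestation-gated key release described above (example code, not VoltageGPU's own implementation): the quote's signature chain is assumed to have already been verified by a DCAP-style library, and the field layout, debug-flag bit and reference measurements are constructed for this example. The gate refuses debuggable TDs, measurement mismatches, and quotes not bound to the verifier's fresh nonce.

```python
import hashlib
import struct
# Simplified TD report body modelled on the fields Intel TDX measures into a quote;
# field order and sizes are this example's assumption, not the real wire format.
_LAYOUT = (
    ("tee_tcb_svn", 16), ("mr_seam", 48), ("mr_signer_seam", 48),
    ("seam_attributes", 8), ("td_attributes", 8), ("xfam", 8),
    ("mr_td", 48), ("mr_config_id", 48), ("mr_owner", 48), ("mr_owner_config", 48),
    ("rtmr0", 48), ("rtmr1", 48), ("rtmr2", 48), ("rtmr3", 48), ("report_data", 64),
)
TD_ATTR_DEBUG = 1  # assumed debug-flag bit: a debuggable TD must never receive secrets
# Constructed golden measurements standing in for a deployment's reference values.
REF_MR_TD = hashlib.sha384(b"constructed deployed image").digest()
REF_RTMRS = [hashlib.sha384(b"constructed rtmr %d" % i).digest() for i in range(4)]
POLICY = {"mr_td": REF_MR_TD, **{"rtmr%d" % i: REF_RTMRS[i] for i in range(4)}}

def parse_td_report(body):
    """Split the fixed-size report body into named byte fields."""
    fields, off = {}, 0
    for name, size in _LAYOUT:
        fields[name] = body[off:off + size]
        off += size
    if off != len(body):
        raise ValueError("unexpected TD report length")
    return fields

def release_key(body, policy, nonce, secret):
    """Gate: hand out the key only if the signature-verified report matches policy and our nonce."""
    r = parse_td_report(body)
    if struct.unpack("<Q", r["td_attributes"])[0] & TD_ATTR_DEBUG:
        return None  # a debug TD exposes its memory to the host: refuse
    if r["mr_td"] != policy["mr_td"]:
        return None  # initial code/data differs from what was deployed
    for i in range(4):
        if r["rtmr%d" % i] != policy["rtmr%d" % i]:
            return None  # runtime measurements drifted from the reference
    if r["report_data"] != hashlib.sha512(nonce).digest():
        return None  # REPORTDATA does not carry our nonce: possible replay
    return secret

def build_report(mr_td, rtmrs, nonce, debug=False):
    """Constructed sample report for exercising the gate (not hardware output)."""
    fields = {name: b"\x00" * size for name, size in _LAYOUT}
    fields["td_attributes"] = struct.pack("<Q", TD_ATTR_DEBUG if debug else 0)
    fields["mr_td"] = mr_td
    for i, v in enumerate(rtmrs):
        fields["rtmr%d" % i] = v
    fields["report_data"] = hashlib.sha512(nonce).digest()
    return b"".join(fields[name] for name, _ in _LAYOUT)
```

In a real deployment the reference MRTD and RTMR values come from a reproducible build of the TD image, and the nonce is issued per attestation request by the key-release service.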
Protected PCIe + NVIDIA Confidential Computing
CPU-side enclaves are only half the story for AI workloads. Once a tensor leaves the CPU for the GPU, it traverses the PCIe bus — historically in clear text. An attacker with physical access or a compromised driver could snoop that channel and reconstruct prompts or activations.
NVIDIA H100, H200, and B200 GPUs in Confidential Computing mode close that gap. Protected PCIe encrypts traffic on the CPU-to-GPU channel so the bus carries ciphertext, not plaintext. On multi-GPU configurations, NVLink-C2C extends the same protection to GPU-to-GPU communication. The GPU itself also runs in a confidential mode where its on-device memory is isolated from the host, and the GPU participates in the attestation chain so you can verify the full CPU-plus-GPU enclave before releasing any secret.
The end result: a prompt enters the enclave encrypted, lives in CPU DRAM encrypted, travels the PCIe bus encrypted, lands in GPU HBM encrypted, is processed inside the GPU's own confidential mode, and the response follows the same path in reverse. At no point is it visible to anyone outside the attested TD.
VoltageGPU Security Stack
Intel TDX Enclaves
Hardware-isolated Trust Domains on Intel Xeon Scalable CPUs. Hypervisor and host kernel are outside the trust boundary.
AES-256 Memory Encryption
DRAM encrypted with CPU-fused keys. Memory contents are ciphertext on the physical bus and DIMM.
Protected PCIe (CPU ↔ GPU)
NVIDIA Confidential Computing on H100 / H200 / B200 encrypts the CPU-to-GPU channel. NVLink-C2C covers GPU-to-GPU.
LUKS Full-Disk Encryption
Disks are LUKS-encrypted. Decryption keys are released only after successful TD Quote attestation.
Zero Data Retention
On enclave termination, memory and volumes are purged. No logs, no caches, no model-side persistence.
Hardware Attestation
On-chain TD Quote provides cryptographic proof of enclave integrity rooted in Intel's PKI.
Compliance Matrix
How Intel TDX enclaves satisfy six major regulatory frameworks.
GDPR Article 28
Requirement: Processor obligations — technical and organizational measures.
VoltageGPU: Hardware attestation proves data minimization. CPU-fused keys prevent unauthorized access, including by the operator. EU data residency (Solaize, France).
HIPAA Technical Safeguards
Requirement: § 164.312 access control, audit controls, integrity, transmission security.
VoltageGPU: PHI stays inside Intel TDX enclaves end-to-end. Attestation provides cryptographic audit proof. Zero data retention after enclave termination.
SOC 2 Type II
Requirement: Security, availability, processing integrity, confidentiality, privacy.
VoltageGPU: TDX attestation provides cryptographic evidence of integrity controls. Access to customer data is technically impossible, not just policy-gated.
DORA (EU)
Requirement: Digital Operational Resilience Act — third-party risk for financial institutions.
VoltageGPU: Hardware isolation produces verifiable operational resilience. Enclave attestation is a primary control for critical ICT third-party providers.
NIS2 Directive (EU)
Requirement: Cybersecurity directive for essential and important entities.
VoltageGPU: Hardware-level supply-chain security. Attested enclaves satisfy the technical control objectives for confidential AI workloads.
French CNIL
Requirement: CNIL guidance on cloud AI and professional secrecy.
VoltageGPU: Hardware isolation preserves professional secrecy. EU-headquartered operator (VOLTAGE EI, SIREN 943 808 824). DPA available on request.
Use Cases
Legal
Contract analysis, NDA review, due diligence, privileged documents. The Paris Bar Association has already sanctioned firms for sending client contracts to general-purpose chatbots. Intel TDX enclaves preserve professional secrecy and satisfy the French CNIL guidance on cloud AI — your client data never leaves the attested hardware boundary.
Healthcare
Patient records, medical imaging, clinical trial data. HIPAA § 164.312 technical safeguards — access control, audit controls, integrity, transmission security — are all satisfied at the hardware layer. PHI stays inside the enclave end-to-end, with zero retention after processing.
Finance
KYC, fraud detection, quarterly earnings drafts, trading signals. DORA and MiFID II require verifiable operational resilience for third-party ICT providers. Hardware attestation is the strongest form of evidence a financial institution can present to a supervisor.
Government
Classified document processing, regulatory drafting, security clearance workflows. Hardware-verified isolation means the cloud operator cannot access the workload, which is often a precondition for processing anything above unclassified.
TEE Models Catalog
20 Trusted Execution Environment models, all running inside Intel TDX enclaves.
Comparison Table
| Capability | VoltageGPU | Azure Confidential | Google Cloud CVM | Harvey AI |
|---|---|---|---|---|
| Intel TDX attestation | Yes | Yes | Yes | No |
| NVIDIA Protected PCIe | H100 / H200 / B200 | H100 only | H100 only | No |
| Price — H200 confidential / hr | $3.60 | Not offered | Not offered | — |
| Price — H100 confidential / hr | $3.30 | ~$14.00 | ~$13.50 | — |
| Deploy time | < 60 seconds | Minutes | Minutes | N/A (SaaS) |
| API compatibility | OpenAI-compatible | Azure OpenAI | Vertex AI | Proprietary |
| EU data residency | France (Solaize) | Yes (regional) | Yes (regional) | US |
| Compliance package | GDPR, HIPAA, DORA, NIS2, CNIL | GDPR, HIPAA | GDPR, HIPAA | SOC 2 |
Get Started
Every new account receives $5 in free credit, enough to run real workloads inside Intel TDX enclaves for several hours of confidential inference or to deploy a confidential GPU instance for testing. No credit card required.
Regulated industries — law firms, accounting firms, financial institutions, healthcare providers — can apply for the 30-day Confidential AI pilot program. Dedicated onboarding, direct access to the security team, and a DPA aligned with your regulatory posture.
Try Confidential AI Infrastructure
Intel TDX enclaves, attested hardware, zero data retention.