Confidential computing for sensitive AI workloads
Run hardware-attested inference on NVIDIA GPUs. Cryptographic proof your data and model stay protected, including in memory, where standard encryption stops.
Why confidential computing?
| Data state | Status on standard infrastructure |
|---|---|
| At rest (disk, storage) | ✓ Encrypted |
| In transit (network, API) | ✓ Encrypted |
| In use (memory, during compute) | — The gap |
Modern infrastructure encrypts data at rest and in transit. But the moment a GPU runs a model, data is decrypted in memory to be used. For most workloads, that's fine.
For regulated data, proprietary models, or products where privacy is part of the value proposition, "trust the provider" is no longer a defensible control. Auditors, regulators, and customers want cryptographic evidence, not contractual promises.
Confidential computing closes the last row
And does it on a verified boot chain, so you can trust the protection is real
- CPU chain — AMD SEV-SNP
Memory encrypted and integrity-protected by the AMD Secure Processor. Keys fused into silicon, unreadable by any software. Signed virtual TPM, bootloader, and kernel produce verifiable boot measurements.
- GPU chain — NVIDIA confidential computing
Each GPU carries a unique cryptographic identity fused at manufacture. GPU memory is encrypted. Model weights and activations are decrypted only inside the GPU die. Firmware is signed and attested.
- One converged attestation
Before any workload runs, you receive a single signed report covering both chains. Verify against AMD and NVIDIA root certificates using standard tooling. We don't see the result - trust is cryptographic, not contractual.
How confidential computing works
The Trusted Execution Environment (TEE) that protects your models and data
What this unlocks
- Move regulated workloads off on-prem hardware
Workloads that previously had to run on-prem for compliance reasons (sensitive inference, fine-tuning on regulated data, model serving with PII) can now run on Verda with cryptographic controls.
- From "we trust our vendor" to "we don't have to"
Traditional controls tell your auditor Verda follows the right processes. Confidential computing gives them something different: cryptographic proof verifiable on every workload.
- Ship privacy-first AI products
Build consumer and enterprise AI products where "your data stays private, cryptographically" is part of the product.
Built for use cases where security isn't optional
- Finance
Fraud, risk, and KYC models on regulated PII
Deploy the model on attested Verda CC instances. Your security team verifies the attestation on every job. PII never exists in cleartext outside the GPU die.
DORA | GDPR
- Consumer facing AI
Products where "we can't see your data" is the feature
Run inference on attested Verda GPUs. Expose the attestation as part of your product - a signed proof that no one at your company, or at Verda, can read what users send.
Attestation as a product feature
- Health research
Medical imaging and clinical AI on data that can't leave a protected boundary
Process the data on attested Verda instances inside the EU. Patient data is decrypted only inside the GPU, under a chain of trust your compliance team can independently verify.
GDPR | EU Health data space
Case study: ExpressVPN
ExpressVPN needed a solution that would let sensitive AI workloads run securely for an industry-first secure LLM product, without compromising on performance or the ability to scale.
They partnered with Verda to develop and test a Confidential Computing solution and build a scalable secure enclave on the then-latest Blackwell architecture.
Software: Collaborated on enabling and optimizing Confidential Compute on the latest NVIDIA hardware
Hardware: Enabled ExpressVPN to access the NVIDIA B200 accelerator, as well as other accelerators using the Blackwell and Hopper architectures, with effective scaling
Industry first at scale
Immediate access to latest hardware
Hands-on support and collaboration
Pricing
Contract type: Pay as you go
| GPU | Price |
|---|---|
| B300 SXM6 | Coming soon |
| B200 SXM6 | Coming soon |
| RTX PRO 6000 | $1.93 per GPU/hr |
For access to B300 and B200, contact us
FAQ
No. The encryption keys for memory and GPU state sit inside the AMD Secure Processor and the NVIDIA GPU secure element. No software — ours, yours, or an attacker's — can extract them.
Per-instance encryption keys live in silicon. Cold-boot attacks, RAM extraction, and bus probing recover ciphertext, not plaintext.
Yes. Attestation reports are signed by AMD and NVIDIA roots of trust and verifiable with standard libraries. Full methodology and expected measurements are in our docs.
Confidential computing is available today on NVIDIA RTX PRO 6000. Multi-GPU support on Blackwell (B200, B300) is coming soon.
Multi-node training under CC is on our roadmap. It's a hard problem that the industry is still solving, and we're investing to be among the first to deliver it in production.