This Is HUGE
← March 17, 2026 edition

tinfoil

Trust the hardware, not the promises.

Tinfoil Thinks the Only Way to Trust AI Privacy Is to Remove Trust Entirely

By Danny Kowalski

AISecurityPrivacyCybersecurity
Visit Official Site →

The Macro: Everyone Promises Privacy, Nobody Can Prove It

I keep running into the same pitch. “Your data is safe with us.” It’s on every AI product page, buried somewhere between the feature grid and the pricing table. And every single time, the mechanism behind that promise is the same: trust us. Trust our policy. Trust our engineering team. Trust our SOC 2 badge.

The problem is that trust, as a security model, is terrible. It does not scale. It does not survive a subpoena. It does not survive a rogue employee, a misconfigured S3 bucket, or a government request served with a gag order. If your AI provider processes your data on standard cloud infrastructure, the data exists in plaintext at some point during inference. That is not a bug. That is how the architecture works.

This has been a known problem in cloud computing for years. Confidential computing, the idea that you can process data inside encrypted hardware enclaves that even the cloud provider cannot access, has been kicking around since Intel launched SGX in 2015. AMD has SEV. ARM has CCA. NVIDIA shipped confidential GPU computing. The technology exists. What has not existed, until very recently, is anyone making it usable for AI workloads without requiring a PhD to set up.

The regulatory pressure is real and getting worse. Healthcare companies need HIPAA compliance for AI interactions with patient data. Financial services have their own alphabet soup. European companies are staring down the AI Act. And the basic question all of these regulations ask is: can you prove that user data is not accessible to your vendor during processing? For most AI deployments today, the honest answer is no.

Competitors in the “private AI” space are approaching this from different angles. Some offer on-premise deployments, which solve the trust problem but create infrastructure headaches. Others promise encryption at rest and in transit, which is table stakes and does not cover the actual moment of computation. A few startups are working on homomorphic encryption for ML inference, but the performance overhead is still brutal for production use.

Tinfoil is betting on a different path entirely.

The Micro: Cryptographic Proof Instead of Corporate Promises

Tinfoil is a four-person team out of San Francisco, part of YC’s Spring 2025 batch. The founding team is almost comically overqualified for this specific problem. Jules Drean and Sacha Servan-Schreiber both hold PhDs from MIT, in secure hardware and cryptography respectively. Tanya Verma comes from Cloudflare’s security engineering team. Nate Sales rounds out the group.

What they have built is a full-stack platform that runs AI models inside hardware-secured enclaves on NVIDIA GPUs. The key word is “verifiable.” When you send data to Tinfoil, you can cryptographically verify that the code running on the server is exactly the code they published, that no one (including Tinfoil) can access your data during processing, and that nothing is retained after the computation finishes. This is not a policy document. It is a mathematical attestation from the hardware itself.

The product comes in three layers. Tinfoil Chat gives you a private conversation interface running models like DeepSeek R1, Llama 3.3, Qwen3-VL, and others. The Private Inference API is OpenAI-compatible, so developers can swap it into existing applications without rewriting anything. Tinfoil Containers let you bring your own Docker images and run arbitrary workloads inside the secure enclave. That last one is the most interesting from a platform perspective because it turns Tinfoil from an AI product into an infrastructure product.

The partner logos on the site tell a story: NVIDIA, Meta, Red Hat, Trail of Bits, Intel, Cloudflare. These are not customers (as far as I can tell) but technology partners whose infrastructure Tinfoil builds on. Trail of Bits doing the security audit is a good signal. They are one of the more respected firms in that space and do not lend their name casually.

The entire stack is open source, which matters here more than it does for most products. In a system whose whole value proposition is “you can verify what is running,” closed-source code would be a contradiction. You can read the code, check the attestation, and confirm for yourself that the enclave is running what they say it is running.

Pricing is not published. The site describes Personal, Startup, and Enterprise tiers, but you need to sign up for actual numbers. That is fairly standard for infrastructure products at this stage.

SDKs exist for Python, JavaScript, Swift, and Go. The OpenAI compatibility means if you are already building against that API shape, migration is mostly swapping a base URL and adding attestation verification. That is a smart adoption play.

The Verdict

I think Tinfoil is solving a problem that is about to get much bigger. Right now, most companies deploying AI internally are either ignoring the privacy question or solving it by running everything on-premise, which is expensive and limits what models you can use. Confidential computing gives you a third option: cloud performance with on-premise privacy guarantees.

What I would want to know at 30 days: how does latency compare to standard cloud inference? Hardware enclaves add overhead. If the privacy tax is 2x slower inference, some teams will accept it and others will not. The performance envelope matters.

At 60 days: who is actually buying? Healthcare and financial services are the obvious targets, but the sales cycles in those industries are long. The developer API might get faster traction from smaller teams who want privacy as a feature rather than a compliance checkbox.

At 90 days: does the open-source strategy create a community, or is it purely a transparency play? Infrastructure products that build real open-source communities tend to have stronger moats than those that just publish code nobody contributes to.

The founding team is about as strong as you could assemble for this exact problem. The technology is real and auditable. The market timing, with AI regulation ramping up globally, is hard to argue with. I would be surprised if this team does not find significant traction in regulated industries within the year.

Visit Official Site →
← Back to March 17, 2026 edition

More on this

Hex Security Runs Penetration Tests 24/7 So You Stop Pretending Annual Audits Are Enough

Hex Security builds AI agents that run continuous penetration tests against your apps and infrastructure, replacing the once-a-year pentest with an always-on attack simulation that finds vulnerabilities before real attackers do.

BeeSafe AI Deploys Undercover AI Agents to Waste Scammers' Time

BeeSafe deploys AI agents that engage with scammers directly, wasting their resources and uncovering the financial accounts used for fraud. Backed by YC, Obvious Ventures, and America's Seed Fund.

Veria Labs Was Built by the Top Hackers in America and Now They Are Coming for Your Pentest Budget

Annual pentests are a compliance checkbox, not a security strategy. Veria Labs replaces them with AI agents that hack your application continuously, prove exploits are real, and suggest fixes. The founders are ranked number one in US competitive hacking, which is exactly the kind of credential that makes this believable.