Trust the silicon, or skip the trip.

Tinfoil is the most thoughtful cloud-side privacy product on the market for AI inference. Models run inside secure enclaves on confidential-compute hardware (Intel TDX, AMD SEV, NVIDIA H100 CC), with hardware attestation that cryptographically proves the data is being processed in an enclave the operator can’t observe. The claim is falsifiable: zero data retention isn’t a policy promise, it’s a hardware property.

If you need an OpenAI-compatible API, or you need to run a 120B-parameter open model that won’t fit on a laptop, Tinfoil is a credible answer. We are not arguing against confidential compute. We’re arguing for a different primitive in the cases where you don’t need a cloud API at all.

• Tinfoil: your prompt and document leave your machine, travel to Tinfoil’s infrastructure, get processed inside a hardware-attested enclave, and the result comes back. The enclave operator (Tinfoil) can’t read the data; the silicon vendor (Intel / AMD / NVIDIA) has to be trusted to have implemented the attestation correctly.
• Muet: your prompt and document don’t leave your machine. The model runs on the Mac you opened the file on. There is no remote enclave to attest to, because there is no remote step.

Confidential compute is a strong primitive. It is not the only one. The simplest privacy story is the one where the data never went anywhere.

• You’re building an application and need an OpenAI-compatible API to call.
• You need a model larger than what fits on a laptop or workstation.
• Your workload is shared across a team and benefits from a centralised endpoint.
• You’re running automated batch inference at a volume that exceeds local hardware.
• You need a custom Docker container running model code you wrote yourself.

• The work is reading, drafting, and redlining documents on your own Mac.
• Your compliance posture rules out any data leaving the machine, even into an attested enclave.
• You need Word-native tracked changes attributed to you, not API output.
• You don’t want to maintain a sub-processor list, however short.
• You want predictable per-Mac pricing, not per-token billing.
• The audit answer your CISO will accept is “the document never left the device,” not “the document went to a place we can’t observe.”

We don’t think attested confidential compute is theatre. It’s a real cryptographic guarantee that removes the operator from the trust set. It does not remove the silicon vendor from the trust set, and the history of side-channel attacks on TEE implementations (Spectre, Foreshadow, ÆPIC, Downfall) shows the assumption surface is non-trivial.

For the kinds of work this site is about, the simpler argument is the one we run on. The document never left the Mac. There is no remote process to attest. There is no transit to encrypt. There is nothing to retain or not-retain. The privacy primitive is the absence of a cloud step.

Tinfoil’s pricing is per-token on the API and per-tier on the chat product. Cheaper for low usage, unbounded for high usage. Muet is a flat per-Mac annual licence with no per-document or per-token cost on top.