What model runs in the enclave?
An open-weight frontier model whose weights are content-addressed and pinned at attestation time. Current target is a 1T-parameter open-weight model on Blackwell-class confidential hardware. Customers can verify the running weights match the published hash at session establishment.
How can you bill us if you can't see what we did?
Metering happens via cryptographic accumulators inside the enclave. Prompt and output token counts are signed and emitted as billing telemetry. The prompts themselves never leave. The ledger row contains usage, cost, and dispatch ids. Nothing else.
Are we subject to Icelandic or Swiss law as a customer?
No. You are a customer of a Swiss legal entity that operates infrastructure in Iceland. Your contractual relationship and dispute jurisdiction are spelled out in the master services agreement (drafted under Swiss law). Your data never leaves the enclave, regardless of the customer's domicile.
What happens if you go out of business?
The dispatcher source will be MIT and published in 2026. Customers of the confidential cloud receive a contractual right-to-bench-image so the running enclave configuration can be re-stood-up by a successor party of the customer's choosing on equivalent hardware.
What if you're personally subpoenaed by a US court?
We are personally exposed to that risk. The Swiss Stiftung is being structured (incorporation in progress) to absorb it without compromising customer data. Article 271 of the Swiss Criminal Code will make unauthorized assistance with foreign discovery a personal crime against the directors once the entity is registered. That's the structural lever. If the directors are compelled to comply abroad, the architectural design (§3 of the paper) means there's nothing produceable on the Swiss side anyway.
Does the operator see metadata even if not contents?
Yes. Billing telemetry includes token counts and dispatch timestamps. The threat-model page enumerates exactly what metadata is retained and for how long.