It ain't just a slogan. A literal claim about a piece of running software, with a mechanism behind it. If anything leaves a Safebox without your community's signature, it can't be your data — because the keys to read your data are mathematically bound to the box itself.
Every cloud-AI vendor will tell you they take your privacy seriously. Most of them are telling the truth — they have SOC 2 audits, NIST controls, and lawyers who care. But "we take it seriously" and "it's impossible for us to read your data even if we wanted to" are different sentences. One is a promise. The other is a property.
A Safebox is a sealed compute environment — a virtual machine on attested hardware — that runs your AI workloads, holds your credentials, and stores the artifacts your workflows produce. The phrase "your data never leaves the box" is meant the way a physicist means it: anything that comes out of the box was either signed by the keys held inside it, or it was data that wasn't yours to begin with. Nothing else. No backdoor for the operator. No exfiltration path through the cloud provider. No "trust us, we have policies."
The keys that decrypt your credentials are derived from a measurement of the running software, bound to specific hardware. Change the software, the keys change. Move the disk to another machine, the keys change. Try to read the disk from outside the box, the keys aren't there.
This is the only kind of privacy claim that survives the people running the system also being adversaries. Which matters more than it sounds, because at any sufficiently large company — including the cloud provider where the Safebox runs, including the team that built the Safebox itself — there is always somebody with prod access who could, in principle, look. Cryptographic binding means "in principle" isn't enough. The keys aren't there to use.
A Safebox does the thing it does because three independent mechanisms compose. Each one is well-understood in isolation; the combination is what produces a guarantee strong enough to put real money behind.
On boot, the hardware measures every layer — firmware, kernel, application — into a tamper-evident register and signs a statement: "this exact code is running, on this exact machine." That signature is verifiable by anyone who knows what the expected measurement should be.
From that signature, a 32-byte secret is derived. Same code, same hardware, same secret. Different code or different hardware, different secret. The secret is what unlocks the rest.
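The measure-then-derive chain described above, as an added example that is not Safebox's own code: a PCR-style register is extended with each boot layer in order, a 32-byte sealing key is derived from that measurement plus a per-chip secret, and a credential sealed under it can only be unsealed when both match. The boot layers, chip secrets and credential are constructed sample values; the encrypt-then-MAC cipher is a stdlib-only stand-in for the AEAD a real box would use.

```python
"""Sealed-key derivation bound to a measured boot chain (illustrative, stdlib only)."""
import hashlib
import hmac
import os

H = hashlib.sha256  # 32-byte digests throughout


def extend(register: bytes, layer: bytes) -> bytes:
    """Fold one boot layer into the register the way a TPM PCR extend does:
    new = H(old || H(layer)). Order matters and nothing can be 'un-extended'."""
    return H(register + H(layer).digest()).digest()


def measure_boot(layers) -> bytes:
    """Measure firmware, kernel, application (any number of layers) in order."""
    register = bytes(32)  # register starts zeroed at power-on
    for layer in layers:
        register = extend(register, layer)
    return register


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) built on hmac/hashlib only."""
    prk = hmac.new(salt, ikm, H).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), H).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_sealing_key(measurement: bytes, hardware_secret: bytes) -> bytes:
    """The 32-byte secret: same code AND same hardware -> same key.
    hardware_secret stands in for a per-chip root that never leaves the die."""
    return hkdf_sha256(salt=measurement, ikm=hardware_secret, info=b"safebox-seal-v1")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), H).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with HMAC-SHA256 as the PRF. Toy construction chosen so
    the example runs offline; a real box would use AES-GCM or similar."""
    enc_key = hkdf_sha256(b"safebox", key, b"enc")
    mac_key = hkdf_sha256(b"safebox", key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, H).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext. A wrong key (different
    code or different chip) fails here and reveals nothing about the plaintext."""
    enc_key = hkdf_sha256(b"safebox", key, b"enc")
    mac_key = hkdf_sha256(b"safebox", key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, H).digest()):
        raise ValueError("unseal failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# Constructed sample boot chain and chip secrets (not real firmware or hardware)
FIRMWARE, KERNEL, APP = b"firmware-v1", b"kernel-6.x", b"safebox-app-2024.1"
CHIP_A, CHIP_B = b"chip-secret-A", b"chip-secret-B"


def can_unseal(blob: bytes, layers, chip: bytes) -> bool:
    """Re-derive the key from a (possibly different) boot chain and try to unseal."""
    try:
        unseal(derive_sealing_key(measure_boot(layers), chip), blob)
        return True
    except ValueError:
        return False


def demo() -> dict:
    key = derive_sealing_key(measure_boot([FIRMWARE, KERNEL, APP]), CHIP_A)
    blob = seal(key, b"sk_live_CONSTRUCTED_api_key")  # constructed credential
    return {
        "same_code_same_chip": can_unseal(blob, [FIRMWARE, KERNEL, APP], CHIP_A),
        "patched_app": can_unseal(blob, [FIRMWARE, KERNEL, APP + b"-modified"], CHIP_A),
        "disk_moved_to_other_chip": can_unseal(blob, [FIRMWARE, KERNEL, APP], CHIP_B),
        "same_layers_wrong_order": can_unseal(blob, [KERNEL, FIRMWARE, APP], CHIP_A),
    }


if __name__ == "__main__":
    print(demo())
```

Only the first case unseals. The other three are the "move the disk", "change the software" and "read it from outside" scenarios from the text: the blob is identical, but the key that would open it is never reconstructed, because the measurement or the chip secret that feeds the derivation is different.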
Inside the box, AI workflows run as small isolated tools — each one in a JavaScript sandbox with an enumerated API. The tool can read the streams it's been granted, propose actions, and call the model. It cannot reach the filesystem, the network outside its allowlist, or the credentials of any other tool.
When a tool wants to do something irreversible — send an email, charge a card, modify a shared document — it doesn't just do it. It proposes the action. The community decides whether to sign.
Every request, every model call, every approval, every artifact has an entry in a tamper-evident log. Each entry references the cryptographic identity of the workflow that produced it and the signatures of the humans who approved it. The log is for you, not for the operator.
If something goes wrong, you can replay exactly what happened. If you ever need to prove what didn't happen — for an auditor, a regulator, a court — the log is the answer.
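The propose-approve-log loop from the three paragraphs above, as an added example that is not Safebox's own code: a tool proposes an irreversible action, community members sign the exact proposal bytes, the action executes only once a quorum of distinct valid approvals exists, and every step lands in a hash-chained log that replay can check. The members, quorum, workflow identity and proposals are constructed; HMAC under per-member keys stands in for the public-key signatures a real box would use, and the quorum and chain logic are unchanged by that substitution.

```python
"""Proposal, quorum approval and tamper-evident audit log (illustrative)."""
import hashlib
import hmac
import json

H = hashlib.sha256

# Constructed community. Each member holds a secret signing key; HMAC stands in
# for the digital signature a real box would use (assumption for this example).
MEMBERS = {"alice": b"alice-key", "bob": b"bob-key", "carol": b"carol-key"}
QUORUM = 2  # distinct valid approvals required before anything irreversible runs


def canonical(obj) -> bytes:
    """Deterministic encoding so every party signs and hashes the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def approve(member: str, proposal: dict) -> dict:
    """A human's approval: a signature over the exact proposal, not a yes/no flag."""
    sig = hmac.new(MEMBERS[member], canonical(proposal), H).hexdigest()
    return {"by": member, "sig": sig}


def verify_approval(approval: dict, proposal: dict) -> bool:
    key = MEMBERS.get(approval["by"])
    if key is None:
        return False
    expected = hmac.new(key, canonical(proposal), H).hexdigest()
    return hmac.compare_digest(expected, approval["sig"])


class AuditLog:
    """Append-only, hash-chained: entry i commits to the hash of entry i-1,
    so editing or dropping any past entry breaks every hash after it."""

    def __init__(self):
        self.entries = []

    def append(self, kind: str, body: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "kind": kind, "body": body, "prev": prev}
        entry["hash"] = H(canonical(entry)).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            unhashed = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or H(canonical(unhashed)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


def execute_if_approved(log: AuditLog, proposal: dict, approvals: list) -> bool:
    """The only path to an irreversible action: log the proposal, log every
    approval (valid or not), execute only with QUORUM distinct valid signers."""
    log.append("proposal", proposal)
    valid = set()
    for a in approvals:
        ok = verify_approval(a, proposal)
        log.append("approval", {"by": a["by"], "valid": ok, "proposal": proposal["id"]})
        if ok:
            valid.add(a["by"])
    executed = len(valid) >= QUORUM
    log.append("execute" if executed else "reject",
               {"proposal": proposal["id"], "approvers": sorted(valid)})
    return executed


def replay(log: AuditLog) -> list:
    """Replay what actually happened: which proposals ran, and who signed them."""
    return [(e["body"]["proposal"], e["body"]["approvers"])
            for e in log.entries if e["kind"] == "execute"]


def demo() -> dict:
    log = AuditLog()
    # Constructed proposals from a hypothetical workflow identity
    p1 = {"id": "p1", "workflow": "wf-constructed-1", "action": "send_email",
          "to": "ops@example.com"}
    p2 = {"id": "p2", "workflow": "wf-constructed-1", "action": "charge_card",
          "amount": 4200}
    sent = execute_if_approved(log, p1, [approve("alice", p1), approve("bob", p1)])
    # bob signed a different amount, so his approval does not cover p2 as proposed
    bob_saw = dict(p2, amount=42)
    charged = execute_if_approved(log, p2, [approve("alice", p2), approve("bob", bob_saw)])
    history = replay(log)
    chain_before = log.verify_chain()
    log.entries[0]["body"]["to"] = "other@example.com"  # someone edits a past entry
    return {"email_sent": sent, "card_charged": charged, "replay": history,
            "chain_ok_before_edit": chain_before, "chain_ok_after_edit": log.verify_chain()}


if __name__ == "__main__":
    print(demo())
```

The second proposal is rejected even though two people "approved" it, because one signature covers different bytes than the action the tool actually proposed; that is what binding approvals to the proposal content buys. The final two results show the tamper evidence: a single edited field in the first entry makes the whole chain fail verification.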
Take any one of these three pieces out, and the guarantee collapses. Without attestation, the operator could swap the software and decrypt your credentials. Without the sandbox, a workflow could simply read the credentials directly. Without the audit, you'd have to trust the operator's word that the workflow ran the way you think it did. Together, they produce something different: a substrate where the question "could anyone read this without your signature?" has a real, mechanical answer.
The point of any security primitive is what it makes possible, not what it prevents. Once data is bound to a box that nobody else can read into, four things become available that weren't before.
Patient records, legal discovery, financial transactions, source code that's under NDA, conversations that mention compensation. The data stays in the box; the model runs against it; the answers come out signed.
A workflow is a recipe — the steps, the prompts, the tools, the policies. The recipe travels. The data the recipe operates on stays in your kitchen. A community of doctors can share a "summarize this consultation" workflow with the clinic next door; both clinics use it on their own patients.
API keys, payment processors, third-party integrations — every credential is encrypted at rest with a key the box derives from its own measurements. Even with full disk access, a third party can't decrypt them. They exist in usable form only while the box is running its approved software.
The audit trail is cryptographic. You can show an auditor not just a log entry but a signed statement that this code ran, with this input, producing this output, approved by these people. The proof doesn't depend on trusting your records — it depends on the math.
A cryptographically sealed environment is a strong primitive. It is also a primitive — meaning it's the foundation other things get built on, not a complete answer to everything. Honestly:
The box doesn't make your AI smarter than the model running inside it. If you put a workflow built on a weak prompt into a Safebox, you get the same weak workflow with better privacy. The thinking still has to be done.
The box doesn't decide who in your community is trustworthy. It only enforces what the community decides. If your governance gives one person sole power to sign any action, you've built a single point of failure inside the box. The box is happy to run that configuration. It's the community's job to choose better.
The box doesn't replace human judgment about what should be automated. It makes automation safer when you do choose to automate, by making every action accountable and every credential confined. But it has no opinion about whether a given workflow ought to exist in the first place. That's still a human decision, and a good one to make slowly.
The point isn't that you trust us. The point is that you don't have to.