TRUST CENTER

Don't trust us. Check us.

Most AI APIs ask you to take their word that your prompts aren't read, logged, or fed into someone's next model. We don't. The links on this page are the artifacts you can use to check, line by line.

What holds for every call

Set privacy.mode = "mesh" and these four things are true. The section after this is what makes each one checkable.

Prompts stay sealed

Set privacy.mode = "mesh" and your prompt only decrypts inside an enclave whose code hash you can fetch and compare. The network path between you and the model — load balancers, sidecars, log shippers — sees ciphertext.

Every call has a receipt

Cost, model, route, latency, attestation hash at the time of the call — signed by the platform key, retrievable by id. Your prompt body and completion body are never in there.

Nothing is retained

Prompts and completions hit memory, get used, get freed. No log, no queue, no metric store, no training set. Operators can't pull them back even if they wanted to.

The enclave proves itself

Pull the current measurement registers (PCR0/1/2), check them against the reference values we publish with each release. If they don't match, don't send the prompt.

The artifacts

What turns the claims above from things you read into things you check.

How the enclave proves itself

The enclave measures itself at boot — bootloader, kernel, app image — and signs the result. You can fetch that signature, check it against what we say we shipped, and refuse to talk to anything that doesn't match.

  • PCR0 — bootloader and firmware hash.
  • PCR1 — kernel and init image hash.
  • PCR2 — application image hash. This is the one that changes when MESH ships.
  • Reference values are tied to the release pipeline. They move when code moves, not before.
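
The comparison described above, as an added example (not MESH's verifier or its API): a fail-closed check of attested PCR0/1/2 values against published reference values, reporting which register drifted. The dictionary layout, function names, SHA-384 digests and sample values are assumptions constructed for illustration, and the code assumes the attestation signature has already been verified.

```python
import hashlib
import hmac

# What each register covers, as listed on this page.
PCR_ROLES = {
    "PCR0": "bootloader and firmware",
    "PCR1": "kernel and init image",
    "PCR2": "application image",
}

def sample_digest(label: str) -> str:
    # Constructed sample value; SHA-384 is an assumption, not stated on the page.
    return hashlib.sha384(label.encode()).hexdigest()

# Constructed stand-ins for the reference values published with a release.
REFERENCE = {name: sample_digest("release-1 " + role) for name, role in PCR_ROLES.items()}

def diff_measurements(attested: dict, reference: dict) -> list:
    """Return (register, reason) pairs for every register that fails the check."""
    drift = []
    for name, role in PCR_ROLES.items():
        want, got = reference.get(name), attested.get(name)
        if want is None or got is None:
            drift.append((name, "missing value"))
            continue
        try:
            want_b, got_b = bytes.fromhex(want.strip()), bytes.fromhex(got.strip())
        except ValueError:
            drift.append((name, "malformed hex"))
            continue
        if not any(got_b):
            # An all-zero (or empty) register means nothing was measured into it.
            drift.append((name, "unmeasured (all zero)"))
        elif not hmac.compare_digest(got_b, want_b):
            drift.append((name, "differs from published " + role + " hash"))
    return drift

def safe_to_send(attested: dict, reference: dict) -> bool:
    """Fail closed: only an empty drift report allows the prompt to be sent."""
    return not diff_measurements(attested, reference)

if __name__ == "__main__":
    # Constructed case: the application image changed without a matching reference.
    shipped = dict(REFERENCE, PCR2=sample_digest("unreviewed application image"))
    for name, reason in diff_measurements(shipped, REFERENCE):
        print(name, reason)
```

A PCR2-only mismatch is the expected shape of a release whose reference values you have not fetched yet; drift in PCR0 or PCR1 means the layers beneath the application changed.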

What a receipt actually contains

A receipt is the proof a call happened. It's what you'd hand to your finance team for reconciliation, your auditor for evidence, or your support team for a dispute — and nothing of your prompt is in it.

  • Signed by the platform key. The public half is in the attestation document.
  • Fields: request id, model, token counts, USD cost, route mode, latency, and the attestation hash active when the call ran.
  • Not in it: prompt body, completion body, user identity beyond a fingerprint of the API key, or upstream provider response headers.
  • Retrievable by id. Verifiable offline with the open-source verifier.

What we protect, what we don't

Threat models lie when they pretend everything is covered. Here is who you are protected from on this platform, who you are not, and the assumptions that have to hold for the rest of this page to be true.

  • Protected from: operators and engineers at MESH, the network path between you and us, the cloud control plane, and any single upstream model provider going bad.
  • Not protected from: a compromised device you're typing on, someone with a valid key to your own account, and side channels in the underlying hardware.
  • Assumptions: the attestation hardware vendor produces honest measurements, the published reference values match what's running, and the platform key hasn't leaked since the last rotation.
  • Key rotation policy is published and every rotation gets its own cryptographic receipt.

The tool that disagrees with us

If the verifier doesn't agree with what we wrote on this page, we're wrong. That's the point. It's open-source, reproducible, and we ship the SHA of every release alongside it.

  • Fetch the current attestation, verify the publisher signature, walk the trust chain.
  • Verify any receipt against the attestation that was active at call time.
  • Diff published reference values against the document. Report drift.
  • Reproducible builds. The verifier you run is the verifier we published.

Where we are with frameworks

The usual list. What we have, what is in flight, what we can do for you on request.

Framework | Status | Notes
SOC 2 Type II | In progress | Audit window opens once the first quarter of production traffic is in. We'll publish the letter when it's signed.
ISO/IEC 27001 | Planned | On the roadmap after SOC 2 ships.
GDPR / UK GDPR | Live | DPA and SCCs are ready — email the disclosure address.
HIPAA | Available on request | BAA available for in-scope accounts.

Who touches what

Third parties that handle metadata to keep the service running. None of them see prompt or completion content.

Provider | Purpose | Region
Stripe | Fiat payment processing | United States, European Union
Cloudflare | Edge network and DDoS protection | Global
Sentry | Error tracking. No payload content reaches them. | United States, European Union
Vercel | Marketing site hosting and SSR for non-privacy routes | Global

We give 30 days notice on any material change to this list, sent to anyone on the security feed.

Incident history

Anything that touches confidentiality, integrity, or availability of customer data lands here within ten business days of being closed.

CLEAN

Nothing reportable yet.

Found a bug? Tell us first.

If any of this is wrong, we want to know before our customers do. Send what you have to the address below.

security@meshrouter.app

What happens after you send

  • You hear back from a human within one business day.
  • Triage and severity within five.
  • Coordinated disclosure runs 90 days from triage. Longer if it actually needs to be.
  • Credit goes to the reporter on the writeup, unless you'd rather stay anonymous.

Scope

  • In scope: meshrouter.app, *.meshrouter.app, the open-source verifier, the attestation signing pipeline.
  • Out of scope: bugs in third-party model providers, DoS against shared infrastructure, social engineering of staff.