Privatemode

Privatemode (privatemode.ai) is the *rare LLM service you don't have to trust with your prompts* — it runs inference inside an attested hardware enclave so that even the operator running the servers cannot read what you send or what the model returns.

Background. Launched in 2024 by the confidential-computing team behind Edgeless Systems, Privatemode applies *Trusted Execution Environment (TEE)* hardware — CPU enclaves (AMD SEV-SNP / Intel TDX) extended to the GPU — to AI inference. The pitch is structural, not promissory: instead of asking you to believe a privacy policy, the model runs in an encrypted, measured enclave whose state is cryptographically *attested* to your client before any prompt leaves your machine. That verifiable-by-design posture is why it earns an A in /ai despite being young.

What you trust. You trust *math and silicon, not a policy*. The client verifies a remote-attestation report proving the server is running the expected, unmodified software inside a genuine TEE before establishing the encrypted channel — so a prompt is decrypted only inside the enclave, where neither the host OS, the operator, nor a subpoena-served sysadmin can observe it. The *clients are open source*, so the attestation and encryption logic can be audited rather than taken on faith. This is the opposite of the mainstream-LLM model, where your prompts are plaintext to the provider and routinely logged, trained on, and retained.

Operational specs. Access is *pay-per-token with crypto accepted*, so there's no mandatory account tied to a card or identity. Open-source client apps and an API let you route prompts through the attested enclave from your own tooling. It runs current open-weight models (the catalogue evolves), so capability is in the strong-open-model range rather than frontier-closed. The whole flow — attest, establish encrypted session, infer, return — is designed so the unencrypted prompt exists only transiently inside enclave memory.

Philosophy. Every other "private AI" claim reduces to "we promise not to look." Privatemode's thesis is that for a data stream as sensitive as your prompts — which encode intentions, drafts, code, medical and legal questions — a promise is not enough; the privacy must be *enforced by hardware and verifiable by the client*. Confidential computing moves the trust boundary from "the company's good behaviour" to "the CPU vendor's enclave guarantees plus open-source client code you can read." It's the most honest answer the LLM space currently has to "where do my prompts go."

Grade rationale. A in /ai. The grade reflects a genuinely differentiated trust model (attested TEE inference, not a policy promise), open-source clients, crypto/no-identity payment, and verifiable end-to-end encryption to the enclave. It is the standout privacy option in the category. The caveats below are about TEE assumptions and youth, not about the soundness of the approach.

Useful when. Reach for Privatemode whenever a prompt is something you would not paste into a mainstream chatbot: confidential business material, legal/medical questions, source code under NDA, anything you need to keep off a provider's logs and out of a training set. It's also the right tool when you must be able to *demonstrate* (to a client, a regulator, yourself) that the inference provider could not have read the data.

Caveats. TEE security is strong but not magic: confidential-computing enclaves have faced side-channel and attestation-chain research attacks over the years, so the guarantee is "no practical access for the operator," not "mathematically unbreakable" — your threat model should account for that. The model catalogue is open-weight, so you won't get a frontier-closed model's raw capability. As a 2024 entrant its track record is short, and you're trusting the CPU/GPU vendors' attestation roots. Finally, attestation only protects the *inference*; your own client device and network hygiene still matter. None of these undercut the A — they're the honest edges of the best privacy model available in AI today.