Privasys
Privasys Platform

Overview

Deploy confidential applications in minutes with the Privasys Platform. Choose between WASM modules for the smallest trust boundary or containers for standard tooling.

The Privasys Platform at developer.privasys.org is the fastest way to deploy confidential applications. Sign in with GitHub, bring your application as a WASM module or a container image, and the platform handles hardware allocation, reproducible builds, attestation, and networking.

Under the hood, the platform runs on Enclave OS, our open-source confidential operating system. You do not need to build or operate Enclave OS yourself. The platform abstracts that away and gives you a self-service deployment experience.

Two deployment targets

The platform supports two deployment models, each backed by a different edition of Enclave OS:

WASM modules (small TCB)

Your application is compiled to WebAssembly and runs inside an Intel SGX enclave powered by Enclave OS Mini. The Trusted Computing Base is approximately 4 MB. The enclave computes a SHA-256 hash of your WASM binary and embeds it in every RA-TLS certificate, so clients can verify the exact code running inside.

  • Smallest possible attack surface
  • Per-application code hash in the attestation certificate
  • Reproducible builds via GitHub Actions
  • Encrypted key-value store, sealed configuration, cryptographic randomness

Containers (standard tooling)

Your existing container image runs inside a Confidential VM powered by Enclave OS Virtual on Intel TDX hardware. No code changes needed. An RA-TLS proxy terminates TLS inside the VM and embeds the TDX attestation quote in the certificate.

  • Standard Linux, standard Docker images
  • No code changes or special SDKs
  • Hardware-encrypted memory (TDX)
  • Optional encrypted storage

Choosing a target

WASMContainer
Runs onEnclave OS Mini (Intel SGX)Enclave OS Virtual (Intel TDX)
TCB size~4 MBFull VM
Code changesBuild as WASM componentNone
Attestation granularityEnclave identity + per-app code hashVM boot chain (RTMR registers)
Best forNew apps, security-critical workloadsExisting apps, quick adoption

See Trust Model for a deeper comparison of TEE technologies.

What the platform provides

Regardless of which target you choose, every deployment gets:

  1. Hardware protection with keys generated inside the TEE and memory that is inaccessible to the host.
  2. RA-TLS certificates that embed a hardware-signed attestation quote, so any client can verify the deployment over a standard HTTPS connection.
  3. Built-in verification through an interactive attestation panel in the dashboard.
  4. Reproducible builds (WASM) so the deployed binary hash is auditable against the source.

Platform Components

ComponentDescription
Developer PlatformSelf-service interface for deploying WASM modules and containers. Sign in at developer.privasys.org.
App StoreVerified catalogue of confidential applications at privasys.org/uk/apps, backed by hardware attestation.
Verification LibrariesLibraries in Python, Go, Rust, TypeScript, and C# for verifying attested connections with a single function call.
Attestation ServerA standalone service that independently verifies hardware attestation quotes from Intel and AMD platforms.
Edit on GitHub

Attested MCP

Attested Model Context Protocol for hardware-verified AI agent interactions.

Getting Started

Deploy your first confidential application on the Privasys Developer Platform in minutes.

On this page

Two deployment targets
WASM modules (small TCB)
Containers (standard tooling)
Choosing a target
What the platform provides
Platform Components