> ## Documentation Index
> Fetch the complete documentation index at: https://developers.t2000.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Trust boundary

> What the Confidential tier proves, what it still trusts, and where your plaintext is visible — stated plainly. A wrong 'verifiable' claim is worse than honest ZDR.

Confidential computing is precise about what it proves. This page states the boundary plainly so you can decide what to send through which tier. It's the honest counterpart to [how it works](/confidential-ai/how-it-works).

***

## What's proven + verifiable

* **The compute ran in a genuine GPU-TEE.** The hardware TDX quote is verified and the channel to the upstream is bound (`tls_spki_sha256` pinned) and fail-closed.
* **Per-response integrity.** A [signed receipt](/confidential-ai/receipts) commits your request/response **hashes** to the attested workload — tampering is detectable.
* **Public, tamper-evident record.** The receipt is [anchored on Sui](/confidential-ai/verify) — a third party can independently check the commitment on-chain.
* **No body retention.** The gateway stores hashes, not request/response bodies (zero data retention).

***

## What's still trusted (disclosed)

* **The gateway's plaintext leg.** Our gateway terminates TLS and **sees plaintext** before forwarding to the verified upstream. The protection is that the leg is ZDR (retains nothing), not that the gateway never sees the request.
* **The receipt-signing key is a t2000 server key** (not yet sealed in a TEE KMS).
* **Routed (frontier) responses are not confidential.** `openai/*`, `anthropic/*`, etc. forward to a third party that sees your prompt — `upstream.verified = failed`, by design. Confidentiality is a property of the verified upstream, confirmed per response from the receipt.

***

## What v3.1 adds (planned)

Full no-trust closes the gap above: the gateway itself runs **in a TEE** (its own attestation), the receipt key lives in **dstack KMS**, and **end-to-end encryption** means even t2000 never sees plaintext. It's the heaviest, most security-critical step — we'll build it when a "can't-trust-the-gateway" need pulls for it. (The TDX quote itself is *already* re-verified client-side with `dcap-qvl` via [`t2 verify`](/confidential-ai/verify) — that's shipped, not deferred.)

<Note>
  This tier-by-tier honesty is non-negotiable: the receipt + docs state *exactly* what each tier proves. Overclaiming "zero-trust" today would be the failure mode this whole design guards against — **a wrong "verifiable" claim is worse than honest ZDR.**
</Note>

***

## Choosing a tier

* **Confidential (`phala/*`)** — when the upstream that runs the model must be attested and your prompt must not reach a non-attested third party.
* **Private (every model, ZDR)** — when contractual zero-retention through the gateway is sufficient and you want the full model range.
