Privacy contract
This is the non-negotiable part. If it's violated, Sable's whole reason to exist evaporates.
What we do
- Seal prompts on ingress. AES-256-GCM with a master key the moment the request hits the gateway. For inference calls, the plaintext window lives only between the egress shim and the upstream call — never on disk, never in logs. (The keyless /ask assistant is the one other surface that handles plaintext: it proxies your question to our upstream under the same never-logged, never-persisted rule, but it is a convenience surface, not the sealed inference path.)
- Log metadata only. Inference logs hold model id, node id, token counts, latency, and status. Nothing else.
- Hash API keys. Argon2id, with only a 20-char prefix kept in the clear for UI labeling.
- Authenticate dashboard sessions via SIWE. No email + password store to breach.
What we will never do
- Store, log, or echo prompt content.
- Store, log, or echo completion content.
- Inspect inflight requests for "policy" reasons.
- Sell or share usage metadata to anyone, ever.
What's confidential today — and what isn't yet
Better you read this here than find out later, because it depends on the tier.
On standard tier (and any model that isn't confidential-capable), we
decrypt the prompt at the egress frame and hand it to a third-party host to run
it (OpenRouter, or OpenAI for the closed models). That host sees the prompt.
Standard tier protects you from someone watching the network, and from anyone who
gets into Sable's own logs or database — but it does not hide the prompt from
the company running the model.
On confidential tier — live today for sable-confidential-24b — that
no longer holds: the model runs inside an attested Intel TDX enclave the host
can't see into. The gateway verifies the enclave's hardware quote before routing
and verifies a per-response signature from the key bound into that quote
afterward, both stamped into your receipt. This is the thing we
used to say "Phase 2 fixes" — it's real now, for that model. What's still ahead:
extending it to more models, and moving the enclave from an attested third-party
backend to hardware Sable measures itself (so the trust root is our binary,
not the backend's attestation report).
How to verify
The privacy-critical code lives in two short files, sable-api/src/routes/chat.rs
and sable-api/src/crypto/mod.rs. We kept them small enough to read in one
sitting. We're getting the gateway source ready to publish so you can check it
yourself instead of taking our word for it. Two things you can already verify
today: the signed receipt on every call, and — for the
confidential tier — the TEE attestation carried in that receipt's
attestation block (the SDK's verifyAttestation() checks it before you send),
so you can confirm the enclave that ran your request, not just trust us.