sablenetwork
Documentation — all sections

Privacy contract

This is the non-negotiable part. If it's violated, Sable's whole reason to exist evaporates.

What we do

What we will never do

What's confidential today — and what isn't yet

Better you read this here than find out later, because it depends on the tier.

On standard tier (and any model that isn't confidential-capable), we decrypt the prompt at the egress frame and hand it to a third-party host to run it (OpenRouter, or OpenAI for the closed models). That host sees the prompt. Standard tier protects you from someone watching the network, and from anyone who gets into Sable's own logs or database — but it does not hide the prompt from the company running the model.

On confidential tier — live today for sable-confidential-24b — that no longer holds: the model runs inside an attested Intel TDX enclave the host can't see into. The gateway verifies the enclave's hardware quote before routing and verifies a per-response signature from the key bound into that quote afterward, both stamped into your receipt. This is the thing we used to say "Phase 2 fixes" — it's real now, for that model. What's still ahead: extending it to more models, and moving the enclave from an attested third-party backend to hardware Sable measures itself (so the trust root is our binary, not the backend's attestation report).

How to verify

The privacy-critical code lives in two short files, sable-api/src/routes/chat.rs and sable-api/src/crypto/mod.rs. We kept them small enough to read in one sitting. We're getting the gateway source ready to publish so you can check it yourself instead of taking our word for it. Two things you can already verify today: the signed receipt on every call, and — for the confidential tier — the TEE attestation carried in that receipt's attestation block (the SDK's verifyAttestation() checks it before you send), so you can confirm the enclave that ran your request, not just trust us.