Tubegraph

Solving data privacy issues in AI development

12 min read

From: aidotengineer

AI is transforming various sectors, including healthcare, finance, automation, and digital marketing [00:00:11]. However, a significant barrier to its widespread adoption is the lack of trust [00:00:17]. Key concerns include running models on sensitive data without handing it over, deploying proprietary models without losing control, and collaborating in non-deterministic environments without relying solely on blind trust [00:00:18]. Confidential AI aims to solve these issues, with Super Protocol working to make it a reality [00:00:36].

The Foundation: Confidential Computing

The core technology behind confidential AI is confidential computing [00:01:10]. This addresses the often-overlooked problem that data and models are most vulnerable during processing (training, fine-tuning, or inference), not just when stored or in transit [00:01:21].

Trusted Execution Environments (TEEs)

Trusted Execution Environments (TEEs) are secure, isolated parts of a processor (like Intel TDX, AMD SEV-SMP, or Nvidia GPU TEs) that create a confidential environment where code and data are protected even during execution [00:01:37]. The chip itself provides isolation using built-in instructions [00:02:03]. Once a workload enters this environment, it’s protected in memory and is invisible to the host OS, hypervisor, or anyone with system access, including the hardware owner [00:02:10].

TEEs also generate a cryptographic attestation, which is a signed proof that the workload ran inside verified hardware using unmodified code [00:02:24]. This attestation provides strong assurances that the workload is protected by hardware and allows for statements about the workload’s true nature [00:02:40]. It confirms what’s in the TEE and that it’s a real TEE in a properly manufactured, capable chip [00:02:54]. In essence, TEEs enable sensitive computations to run securely and prove they ran as intended [00:03:14]. This allows AI models to run on sensitive data without exposing either the model or the data [00:03:24].

Real-World Problems Solved by Confidential AI

The shift to confidential AI is critical for addressing several practical problems developers face:

  • Healthcare: Building or fine-tuning medical AI models is difficult due to the inability to access or get permission to use raw medical datasets [00:03:51]. Hospitals and labs do not share raw data, and regulations often prevent bringing models to the data [00:04:06]. Confidential AI helps solve this by enabling secure processing of sensitive clinical data [00:04:41].

  • Personal AI Agents: Mass adoption of personal AI agents that manage inboxes, calendars, or documents is hindered by concerns about deep access to private, sensitive data [00:04:50]. Users worry about data sharing, developers about storage and misuse, and enterprises/regulators about legal guarantees [00:05:11]. Confidentiality is the missing piece for real-world adoption of these technologies [00:05:37].

  • Digital Marketing and Custom Analytics: Fine-tuning models on real user behavior data (tracking interactions with websites, content) often risks upsetting regulators and auditors due to privacy laws, internal security rules, and ethics [00:05:47]. This creates a significant gap between what’s technically possible and what’s allowed [00:06:14].

  • AI Model Monetization: Developers building domain-specific models (legal, medical, financial) want to monetize them without giving away the model or its weights [00:06:22]. Simultaneously, customers are unwilling to expose their sensitive data for testing or production [00:06:47]. Confidential AI allows both parties to benefit without relinquishing control [00:06:59].

  • Model Training and Provenance: Proving the provenance of a model trained or fine-tuned on sensitive data is crucial [00:07:10]. With attested execution, it becomes possible to guarantee that a model was trained where and how it was claimed, ensuring that inference outputs relate only to the original, specific datasets [00:07:37].

Traditional cloud setups fall short as they are built on trust and legal contracts rather than provable guarantees [00:07:58].

Super Protocol: A Solution for Confidential AI

Super Protocol is a confidential AI cloud and marketplace designed for secure collaboration and monetization of AI models, data, and compute [00:08:26].

Key Features

  • TE-Agnostic Infrastructure: Super Protocol runs on Intel, Nvidia, and AMD TEEs, with plans to support future TE integrations from major chipmakers [00:08:41].
  • Edge-Ready Architecture: It supports ARM confidential computing, aiming to deliver end-to-end confidential AI from personal edge devices to the cloud [00:09:01].
  • Swarm Computing Principles: It scales across distributed GPU nodes, offering no single point of failure and automatic workload redistribution [00:09:27].
  • Decentralized: Fully decentralized with no human intervention, orchestrated by smart contracts on the BNB chain [00:09:40].
  • Zero Barrier to Entry: Users don’t need TEE expertise to run or attest workloads [00:09:52].
  • Open Source Protocol: All parts of Super Protocol will be open source, functioning as a protocol (like HTTPS) that protects data while AI is processing it [00:10:03].

GPUless, Trustless, Limitless

Super Protocol enables AI workloads to be:

  • GPUless: It removes dependency on specific cloud vendors by allowing accelerated AI workloads across independent GPU nodes [00:10:31]. Users don’t need to buy or rent GPUs for extended periods [00:10:46].
  • Trustless: Thanks to TEEs and open-source architecture, no unauthorized access is technically possible by the hardware provider, Super Protocol, or any third party [00:10:59]. This makes confidential computing the foundation of trustless AI [00:11:15].
  • Limitless: It removes legal, technical, and organizational barriers imposed by traditional cloud platforms [00:11:23]. With confidential AI, users are not limited by policy, regulation, or infrastructure constraints [00:11:29]. This enables training, deployment, and monetization of AI across organizations and jurisdictions with full confidentiality and ownership, even for agentic, non-deterministic AI [00:12:18].

Impactful Case Studies

Digital Marketing (Realize and Mars)

Realize, an AI company measuring ad reactions by analyzing facial expressions, needed more biometric video data for accurate AI models [00:13:05]. Privacy laws (like GDPR and CCPA) and data ownership concerns made providers reluctant to share sensitive footage [00:13:32].

By using Super Protocol’s confidential AI cloud, AI training ran inside secure TEEs using powerful chips [00:13:45]. Every step was automated by smart contracts and verified by hardware and Super Protocol’s open-source certification, ensuring data and models remained completely secure and inaccessible even to the cloud provider, Super Protocol, or Realize [00:14:00].

As a result, providers shared four times more sensitive footage, growing the training set by 319% [00:14:24]. Accuracy jumped to 75% (on par with human-level performance), leading to a 3-5% sales increase for Mars across 30 brands in 19 markets [00:14:37]. This demonstrates that provable data privacy unlocks data, powering better models and real business impact [00:14:53].

Healthcare (BEAL and Titonix)

The Brain Electrophysiology Laboratory (BEAL) needed to submit perfect documentation for FDA approval of a new epilepsy diagnostic device [00:15:19]. This process typically takes weeks of manual audits, multiple NDAs, and risks exposing trade secrets, with even small mistakes causing 120-day delays [00:15:42]. BEAL wanted to use Titonix’s AI-powered audit tool but had concerns about keeping their data and Titonix’s model safe in traditional cloud environments [00:16:01].

Titonix used Super Protocol’s confidential AI cloud [00:16:15]. The audit ran inside secure hardware environments (TEEs) using Nvidia H100/H200 GPUs and Intel TDX CPUs [00:16:22]. Every step was automated, orchestrated by smart contracts, and backed by cryptographic proof [00:16:32]. All files and models remained encrypted, readable only inside the secure environment, and completely hidden from Super Protocol, BEAL, Titonix, or anyone else [00:16:36].

Audit time dropped from weeks to just one to two hours [00:16:53]. There was zero risk of leaks, both BEAL’s and Titonix’s IP remained fully protected, and no re-review delays occurred [00:17:00]. This proved that guaranteed confidentiality can transform even the most sensitive and high-stakes processes like FDA clearance audits [00:17:20].

How it Works in Practice (Demos)

Super Protocol offers practical tools and features for secure AI development:

Super AI Marketplace

The SuperAI marketplace is built on a confidential and decentralized architecture with no centralized components or data centers [00:18:10]. A blockchain-based ecosystem manages relationships and financial settlements between AI model/dataset providers, confidential computing hardware providers, and clients [00:18:19].

Confidential computing ensures models remain private, and authors retain full control and ownership; models can be leased but not downloaded [00:18:31]. Nobody has access to the TEE during processing, meaning models and user data are off-limits even to clients [00:18:41]. Models deployed in the TEE are accessible via a link or API [00:18:51]. The marketplace supports monetization for authors of closed-source models with various scenarios like per-hour, fixed, and revenue sharing [00:18:57].

Deployment involves selecting a model (e.g., DeepSeek) and GPU, assembling the order, and letting the system create the order on the blockchain [00:19:40]. The engine and model are downloaded into the confidential computing environment for execution [00:20:27]. Once deployed, the model is accessible via a link or API [00:20:41]. Verification tools confirm the model is deployed in a confidential environment, the connection is encrypted, and the AI engine has not been tampered with [00:21:10].

Agentic AI (N8N and Medical Data)

Super Protocol allows building secure automated AI workflows for processing sensitive medical data using N8N deployed on Super Protocol [00:21:50]. By running everything inside TEEs (inaccessible even to server admins or Super Protocol) and combining low-code automation with a decentralized infrastructure, it delivers fully confidential, compliant, and verifiable medical AI [00:22:01].

Use Case Example: A doctor uploads an X-ray image and patient personal data via a protected web form [00:22:17]. This data is passed to an automated workflow built with N8N, running inside a TEE [00:22:25]. The workflow cleans input data, invokes an AI model to analyze the X-ray, generates a structured medical report, and securely emails it to the doctor [00:22:33].

In this workflow, personal data is separated from diagnostic input, so the AI model receives only the X-ray and symptom description [00:24:15]. The result is combined with patient data for the report, which can be in text, HTML, or JSON, for integration with hospital systems or ERPs [00:24:25]. All operations, including secure storage of API keys and login details, occur within the secure confidential environment [00:25:50]. This solution can adapt to other medical imaging (CT, MRI, ECG) and lab tests quickly [00:25:57].

Scaling (Distributed Inference with VLLM)

Super Protocol enables GPUless distributed inference using VLLM across multiple GPU servers without relying on a single provider [00:26:19]. VLLM partitions a model by layers and assigns computation to different nodes, improving memory efficiency and throughput [00:26:42]. While VLLM typically runs in unprotected environments, Super Protocol secures it by running every VLLM node inside a confidential VM powered by TEE hardware, all tied together over a private overlay network [00:27:01]. Data, model weights, and intermediate activations are decrypted and processed only within each confidential environment, with all inter-node communication encrypted [00:27:12].

This setup allows a single large LLM to run across multiple GPU nodes (e.g., four H100/H200 GPUs from different owners) in a fully confidential mode [00:27:38]. The process involves building a Docker image, uploading it to decentralized storage, and launching master and worker nodes, with one node potentially hosting the model inference [00:28:14]. On-chain reports can be downloaded and verified to confirm image and model hashes match expectations, ensuring integrity [00:30:31]. Public endpoints can be tested, with parallel processing across machines leading to faster responses [00:31:02].

Moving Beyond Trust (Verifiability)

Super Protocol replaces blind trust with built-in cryptographic proofs [00:31:40]. Every run is independently and transparently verifiable down to the hardware level, meaning “trustless” signifies “verifiable by design” [00:31:49]. Each workload produces a cryptographic proof showing what ran, where, and how, without exposing the actual workload data [00:32:03].

When a workload runs, it generates a cryptographic attestation – a signed proof from the hardware itself – building on the attestation capabilities of confidential computing [00:32:20]. This attestation verifies that the model executed in a real TEE, using unmodified code, on verified hardware, inside a secure open-source runtime [00:32:35]. Users don’t have to trust the provider or platform because they can verify; if attempts are made to bypass the security, the protocol prevents the application and data from loading [00:32:51].

Multi-Party Training Example: Consider three participants: Alice’s lab and Bob’s clinic (holding sensitive data), and Carol’s research center (bringing a training engine) [00:33:30]. The goal is to train a new model for early cancer detection on Alice’s and Bob’s data without exposing either the data or Carol’s intellectual property [00:33:42]. All three inputs run inside a TEE, making them inaccessible to the cloud host, Super Protocol, or even the participants [00:33:51]. Outside the TEE, each party retains full custody of its assets [00:34:07].

Training is fully automated by the verified engine, the Super Protocol certification center, and smart contracts [00:34:17]. A Confidential Virtual Machine (CVM) handles multiple jobs and, on boot, contacts the open-source certification authority (also in confidential mode) for a remote attestation [00:34:49]. If the check passes, a certificate proves the CVM is genuine and running in an attested TEE [00:35:08]. An open-source security mechanism (trusted loader) inside the CVM is also attested and then checks every component; if any check fails, the process stops to safeguard all parties [00:35:18].

Carol uploads her engine image to encrypted storage, providing its hash and source code for verification by Alice and Bob [00:35:57]. Alice and Bob archive and upload their datasets, which are encrypted during upload [00:36:39]. They grant the CVM access, specifying the verified engine’s hash and the CVM’s ID [00:37:16]. Only the specified CVM with the private key can decrypt the data [00:37:37].

Carol places the main order to process the workload [00:37:46]. When submitted, the trusted loader checks the CVM certificate, calculates hashes for the engine, datasets, and config, and compares them with an approved list, blocking the job if anything diverges [00:37:56]. Only if every hash matches does training start inside the TEE [00:38:08]. Data and the engine are only decrypted inside the TEE, protected from participants and even the system owner [00:38:15]. Only Carol receives the encrypted output (the newly trained model and artifacts) [00:38:27]. Encryption keys never leave the TEE [00:38:35].

After the job, raw inputs are wiped, and an order report is published on-chain, providing public, tamper-proof evidence that the job ran in a certified environment with approved inputs [00:40:06]. This report includes certificates, processed inputs, and timing, with hashes matching the trusted engine and data [00:40:23]. During runtime, an app inside a CVM can sign data with its private key, which can be verified on-chain, crucial for Web3 AI workflows [00:41:21].

This demonstrates how Super Protocol simplifies complex, multi-party, trust-heavy collaboration into a push-button workflow [00:41:47].

Conclusion

Super Protocol offers a practical path forward for developers, providing a solution that is simple to use, transparent, verifiable, and secure by design [00:42:53]. By enabling GPUless, trustless, and limitless operations [00:42:59], it allows for:

  • Running models on private data without exposure [00:42:37].
  • Deploying proprietary models without losing control [00:42:40].
  • Fine-tuning without compliance risk [00:42:42].
  • Verifying execution with cryptographic proof [00:42:45].

Graph View

Backlinks