Tinfoil

What do they actually do

Tinfoil runs open‑source and customer AI models inside hardware‑protected enclaves so the cloud provider and Tinfoil can’t read your prompts, outputs, or model weights. You can use it two ways today: an in‑browser Private Chat that executes models like Llama, DeepSeek R1, and Qwen inside confidential GPUs (demo), and a Private Inference API that’s a drop‑in, OpenAI‑compatible endpoint with SDKs for Python, Node, Go, Swift, and a CLI (product, SDK docs).

Before any sensitive data is sent, Tinfoil’s browser and SDK clients automatically verify the server is the exact published code running inside a genuine secure enclave; if attestation fails, requests are blocked (how verification works, attestation architecture). Inference runs on NVIDIA Hopper/Blackwell GPUs in confidential mode with model packages mounted immutably; Tinfoil publishes build/signature info in transparency logs so customers can check what ran (technology). The company states “zero data access, zero retention” and documents enclave limits and side‑channel mitigations so buyers can see what’s in and out of scope (homepage, side‑channel blog).

Who are their target customer(s)

• Healthcare teams building features that touch PHI (providers, digital health, life sciences).: They need to run models on patient data without exposing records to vendors or the cloud and must produce verifiable proof for auditors beyond contracts and policies (solutions, verification).
• Financial institutions and fintechs processing transactions or PII.: They want to prevent any data exposure or vendor access that could trigger fines or customer harm while still using large models for analytics and automation (solutions).
• Security/compliance/product‑risk teams at larger enterprises.: They must demonstrate the AI stack can’t read or retain sensitive inputs and need simple, auditable evidence that the deployed service is the published code running in protected hardware (verification, technology).
• Startups and product teams using proprietary data or private models (RAG over internal docs, code assistants).: They fear leaking IP or model weights on cloud GPUs and want to run/fine‑tune models privately with attestation and weight protection (site, example model launch).
• Engineers wanting a low‑friction OpenAI‑style API that enforces verification.: They need SDKs and client‑side checks that automatically block requests if the remote service can’t prove it’s operating securely—without learning enclave internals (SDK overview, inference API).

How would they acquire their first 10, 50, and 100 customers

• First 10: Run high‑touch pilots with YC alumni and regulated teams: stand up a private inference instance, provide signed attestation and an “auditor pack,” and include brief integration support to walk auditors through verification (verification, solutions).
• First 50: Productize the pilot into a paid package with fixed deliverables; do targeted outbound to compliance/security leads, run technical demos for engineers, and offer a self‑serve SDK path so teams can verify locally before committing (SDK overview, technology).
• First 100: Add channels and reduce procurement friction: list in cloud/marketplaces, partner with compliance/MSSP resellers, publish SOC2 and standard contracts, and use initial case studies to shorten cycles.

What is the rough total addressable market

Top-down context:

Near‑term, the core market maps to confidential computing, estimated around $5.46B in 2023 with some reports citing ~$9B for 2024, growing rapidly (Grand View, Precedence Research). The expansion opportunity is the share of the AI inference market (~$97.2B in 2024) that will require confidentiality as regulated and IP‑sensitive workloads move to enclaves (Grand View — AI inference, IDC).

Bottom-up calculation:

Conservatively, assume 5,000 regulated/enterprise buyers adopt 1–3 private AI workloads each at $50k–$200k per workload/year; that implies roughly $250M–$3B near‑term TAM, with upside as more inference spend requires attestation and expands toward a slice of the broader AI inference market.

Assumptions:

• Focus on regulated healthcare/finance/public‑sector and large enterprises first.
• Avg. contract size $50k–$200k per secured workload/year; 1–3 workloads/org initially.
• Adoption expands as confidential GPUs and attestation become table stakes for sensitive AI.

Who are some of their notable competitors

• Microsoft Azure Confidential Computing (Confidential VMs with NVIDIA H100/H200): Azure provides confidential VMs and now GA support for H100 confidential GPUs, enabling enclave‑backed AI workloads with attestation at the IaaS layer—often the base platform buyers use to build private inference (GA post).
• Google Cloud Confidential Computing: GCP offers Confidential VMs including accelerator‑optimized A3 instances with H100 GPUs, positioning confidential computing for AI training and inference with hardware‑level protections and attestation (product page).
• Fortanix Confidential AI: A platform to run AI workloads in TEEs with proof of execution and orchestration across the AI lifecycle; oriented to regulated use cases and IP protection for models (overview, Intel brief).
• Decentriq: Confidential‑computing data clean rooms for secure analytics and ML across parties; focuses on enclave‑backed collaboration and emerging confidential LLM use cases, often atop Azure Confidential Computing (what is confidential computing, Microsoft story).
• Mithril Security (BlindAI): Open‑source confidential AI inference project that serves models inside TEEs to keep data private from the host—an early effort in enclave‑based private inference for developers (GitHub).