What is VoltageGPU Confidential Chat?

A ChatGPT-style interface running inside Intel TDX hardware enclaves. Prompts and responses are encrypted in CPU memory at runtime and never leave the sealed Trust Domain. VoltageGPU cannot read user data, cannot log it, cannot train on it.

Do I need an account to try it?

No. Anonymous visitors get 3 free messages on Qwen3-32B-TEE without any signup, no credit card required. After the free trial, signup unlocks 50 free messages per month, Plus $20/mo unlocks 2000 messages with Qwen3-235B 262K context.

How is it different from ChatGPT Plus?

Same $20/mo price point but sealed in Intel TDX hardware. OpenAI trains on user data by default. VoltageGPU Plus cannot technically read user data — memory is encrypted with CPU-fused keys and even the hypervisor is outside the trust boundary. EU company (France, SIREN 943 808 824), native GDPR Article 28 DPA available.

Which TEE models are available?

3 models sealed in Intel TDX: Qwen3-32B-TEE (40K context, fast), Qwen3-235B-A22B-Instruct-2507-TEE (262K context, flagship, Plus/Pro), DeepSeek-R1-0528-TEE (163K context, reasoning model, Enterprise).

Can I use it for regulated work (legal, medical, finance)?

Yes. Beyond the generic chat, 8 specialized agents are available: Contract Analyst, Financial Analyst, Medical Records, Compliance Officer, Due Diligence, Cybersecurity, HR, Tax. GDPR Article 28, HIPAA, DORA, NIS2 ready. DPA available on request.

Yes — api.voltagegpu.com/v1 is OpenAI-compatible, pay-per-token starting at $0.15/M input tokens on Qwen3-32B-TEE. Drop-in replacement for the OpenAI SDK (change base_url).

Why run an MCP server inside Intel TDX?

MCP traffic is more sensitive than chat: tool calls expose database schemas, file paths, internal API keys, customer identifiers and audit logs. Running the server inside Intel TDX makes the host hypervisor and the cloud operator cryptographically incapable of reading that traffic.

Which MCP clients are supported?

Any MCP-compliant client: Claude Desktop, Cursor, Continue, Cline, Zed, Sourcegraph Cody, custom CrewAI / LangChain MCP wrappers. The server exposes a standard MCP transport (stdio bridge or HTTPS streaming) terminated inside the TDX enclave.

How is pricing structured?

Tool-call and resource-read traffic is metered per token at the same rate as standard inference: Qwen3-32B-TEE at $0.50 / 1M input, Qwen3-235B-TEE at $1.20 / 1M, DeepSeek-R1-TEE at $1.80 / 1M. No additional MCP hosting fee.

Confidential MCP Server — Model Context Protocol Sealed in Intel TDX

Provider-blind tool calling, resource reads, and prompt templates for regulated industries

VoltageGPU hosts confidential MCP servers inside Intel TDX hardware enclaves. The Model Context Protocol carries far more sensitive payloads than ordinary chat: tool inputs and outputs include database schemas, file paths, internal API URIs, customer identifiers, signed audit events. Running the MCP server inside TDX keeps that traffic encrypted in CPU memory at runtime — the hypervisor cannot inspect it, and VoltageGPU operators cannot extract it.

Why confidential MCP became necessary in 2026

Comply launched its compliance MCP in April 2026, putting regulated tool calls on the agent path
Legal, financial and healthcare teams need on-prem-equivalent guarantees for tool traffic
EU AI Act Article 5 prohibits certain forms of profiling — tool inputs must remain under EU control
DORA Article 5 mandates ICT risk controls covering external service providers

Supported clients and transports

Claude Desktop, Cursor, Continue, Cline, Zed, Sourcegraph Cody
Custom CrewAI / LangChain / LlamaIndex MCP wrappers
HTTPS streaming transport with TLS 1.3 termination inside the enclave
stdio-over-WebSocket bridge for desktop clients

Use cases

Compliance MCP: query control-mappings (NIS2, DORA, ISO 27001) without leaking control IDs
Legal MCP: search internal precedents, draft clauses, retrieve matter notes confidentially
Audit MCP: stream signed audit events into the agent loop without exposing raw events
Finance MCP: pull deal models and counterparty data into reasoning chains

Pricing

Same per-token pricing as standard confidential inference. Qwen3-32B-TEE input at $0.50 / 1M, Qwen3-235B-TEE at $1.20 / 1M, DeepSeek-R1-TEE at $1.80 / 1M. No additional MCP hosting fee. No retention, no training on tool traffic.

Related resources

Confidential MCP Server

Sealed in Intel TDX

MODEL CONTEXT PROTOCOL · CONFIDENTIAL HOSTING

Confidential MCP Server —
Sealed in Intel TDX.

Run Model Context Protocol servers inside hardware enclaves. Tools, resources, prompts — provider-blind.

MCP traffic carries database schemas, internal file paths, customer identifiers and audit events. Run it where neither the hypervisor nor the cloud operator can read it.

What is MCP?

Model Context Protocol is an open standard for connecting LLM clients to external tools, resources, and prompt templates. Released in late 2024 and broadly adopted through 2025-2026, MCP became the de-facto agent integration spec across IDEs (Cursor, Continue, Zed), AI desktops (Claude Desktop, Cline) and orchestration frameworks (CrewAI, LangChain, LlamaIndex).

An MCP server exposes three primitives: tools (callable functions with typed inputs / outputs), resources (read-only references such as files or database rows), and prompts (parametric prompt templates). The full spec lives at modelcontextprotocol.io.

Why confidential MCP matters

Tool calls leak more than chat

Inputs include schemas, file paths, secrets-in-context. Outputs include records, audit events, identifiers.

Comply launched MCP in April 2026

Compliance teams now wire MCP into the agent loop. The 2026 standard demands TEE-grade isolation for that traffic.

Regulated industries need TEE

Legal, financial and healthcare workloads cannot send tool traffic to US-hosted MCP servers under DORA / RGPD / HIPAA.

Setup walkthrough

Point your MCP client at the VoltageGPU streaming endpoint. The server runs sealed inside Intel TDX and authenticates via your VoltageGPU API key.

Claude Desktop · claude_desktop_config.json

JSON

// claude_desktop_config.json
{
  "mcpServers": {
    "voltage-confidential": {
      "transport": "https",
      "url": "https://api.voltagegpu.com/v1/mcp",
      "headers": {
        "Authorization": "Bearer vg-..."
      }
    }
  }
}

Python · MCP client over confidential streaming HTTP

PYTHON

# Python MCP client over confidential transport
from mcp import ClientSession
from mcp.client.streamable_http import streamablehttp_client

async with streamablehttp_client(
    "https://api.voltagegpu.com/v1/mcp",
    headers={"Authorization": "Bearer vg-..."},
) as (read, write, _):
    async with ClientSession(read, write) as session:
        await session.initialize()

        tools = await session.list_tools()
        result = await session.call_tool(
            "search_precedents",
            {"matter_id": "M-2026-0419", "query": "auto-renewal cap"},
        )
        print(result.content)

For Cursor, Continue, Zed and other MCP-aware tools, follow the same pattern: HTTPS streaming transport, base URL https://api.voltagegpu.com/v1/mcp, bearer token from your API keys page.

Use cases

Compliance MCP

Query NIS2, DORA, ISO 27001 control mappings inside the enclave. Control IDs and findings never leave EU jurisdiction.

NIS2DORAISO 27001

Legal MCP

Tool calls into internal precedents, matter notes, and clause libraries stay sealed. The agent reasons over confidential context without exposing it.

LegalMatter notes

Audit MCP

Stream signed audit events into reasoning loops while keeping raw events provider-blind. Suitable for SOC 2, ISAE 3000.

AuditSOC 2

Confidentiality model

TLS 1.3 terminates inside the enclave

MCP traffic is never decrypted in untrusted memory. The TDX trust domain holds the TLS session keys.

AES-256 memory encryption at runtime

Tool inputs, resource reads and prompt templates remain encrypted in CPU memory. The hypervisor cannot inspect RAM.

ECDSA attestation per session

Each MCP session is bound to a signed attestation report identifying the TDX module and code measurement.

Zero retention

Tool inputs and outputs are not logged or stored. Native RGPD Article 28 DPA available without negotiation.

Pricing

MCP traffic is metered at the same per-token rate as standard confidential inference. No additional MCP hosting fee. No retention. No training on tool traffic.

Qwen3-32B-TEE

in $0.50 / 1Mout $1.50 / 1M

Qwen3-235B-A22B-Instruct-2507-TEE

in $1.20 / 1Mout $3.50 / 1M

DeepSeek-R1-0528-TEE

in $1.80 / 1Mout $5.40 / 1M

Volume contracts available beyond 100M tokens / mo.

EXPLORE FURTHER

Bring Your Own Agent

Parent pillar

Sovereign agentic AI

Architectural overview