Security
Private, secure inference by default.
Direct Inference is built so the serving path never becomes part of your product, your logs, or your attack surface. You get a dependable outcome and a clean audit trail of your own usage — without exposing which model ran, and without standing up a sprawl of provider accounts to secure.
The zero-knowledge contract
We hold the backend so your product doesn’t have to.
The response echoes the model id you sent and omits every serving internal. There is no model name to leak into a customer-facing log, no provider account for your team to rotate, and nothing about the backend for an auditor to chase. The volatile, sensitive part of the supply side stays on our side of the line.
How it stays private
Security that comes from holding less, not bolting on more.
Zero-knowledge by design
Your users — and your own logs — never need to track which model, provider, or version served a request. The serving path is ours to manage, not yours to expose.
Your data is not training data
Prompts and completions pass through only to fulfill the request. Inference is a service, not a data-collection funnel.
Encrypted in transit and at rest
Data is encrypted on the wire and at rest. Credentials are scoped per key and can be rotated or revoked the moment you need to.
Spend that fails closed
Hard per-key and per-account caps are enforced before a request is dispatched, so abuse, bugs, and runaway loops stop at a ceiling you set.
A smaller attack surface
One endpoint, one key, no provider accounts to fan out. Fewer secrets, fewer dashboards, and less to secure than a hand-rolled provider matrix.
Stable under churn
Because the backend is abstracted, a provider change is an operational event for us — not a security review and re-integration for you.
Audited & compliant
The controls a regulated buyer expects.
The zero-knowledge architecture means there is less to expose in the first place. On top of it, Direct Inference maintains the independent attestations and data agreements your security and procurement teams require.
SOC 2 Type II
Independently audited controls, observed over a 12-month window
ISO/IEC 27001
Certified information-security management system
HIPAA
BAA available; PHI handled under audited safeguards
GDPR
EU data-protection rights, DPA, and EU SCCs
CCPA
California privacy rights honored end to end
Trust Center
Verify our posture, pull the documents your review needs — SOC 2 Type II and ISO/IEC 27001 reports are available under NDA — and watch live uptime, all in one place.
Questions
What teams ask before they ship
What does “zero-knowledge” mean here?
It means the consumer of the API has zero knowledge of the backend. Your users and your own logs never see which model, provider, or version served a request — only the request type it was classified as. The serving path is never part of your product surface.
Do you train on my prompts or outputs?
No. Prompts and completions pass through only to fulfill the request. Inference is the product; your traffic is not a data set we mine.
How is spend protected?
Hard per-key and per-account caps are enforced in the request path, before a request is dispatched. Past your ceiling, requests fail closed — a bug, an abuse spike, or a runaway loop cannot quietly run up the bill.
What happens when a provider changes?
Because the backend is abstracted away, a provider or model change is an operational event on our side — not a security review, a key migration, or a re-integration on yours.
Ship public AI features without exposing the engine room.