Xanadu// sovereign AI

SOVEREIGN AI · POST-HEPPNER · IN BETA

The private AI
that has nothing
to hand over.

Frontier-class inference, on hardware you can verify, in a jurisdiction that won't disclose. Open-source tooling today. Confidential Swiss inference in private beta.

See what's live → Talk to us

It already happened.

The legal trigger is fresh, named, and specific. Two rulings, weeks apart.

U.S. v. Heppner S.D.N.Y.
Judge Rakoff
Feb 17, 2026
Claude chats ruled not privileged. A federal court held conversations with Claude were not protected by attorney–client privilege or work-product, primarily because Anthropic's policy reserves the right to disclose to government and to train on inputs. ~31 Claude-generated documents went to prosecutors.
NYT v. OpenAI S.D.N.Y.
Judge Stein
Jan 5, 2026
20 million ChatGPT logs ordered produced. Including conversations with nothing to do with the underlying case. "Voluntary submission to a service" defeated the privacy objection — which is exactly why architectural data-absence, not vendor policy, is the protection.

Anything your lawyer, your clinician, your accountant, or your journalist's source types into a mainstream AI is now a discoverable record sitting on a US company's servers, reachable by subpoena. The incumbents structurally cannot fix that — a US-jurisdiction provider under the CLOUD Act cannot credibly promise "we can't be compelled."

What we ship.

Two products under one roof. The open-source tooling is live. The hosted confidential inference is in design-partner beta.

● LIVE · OPEN SOURCE · MIT

Xanadu / Dispatcher

MCP-native sub-agent dispatcher. Cost caps, append-only ledger, provenance trailers, multi-tenant billing.

Drop into any MCP-capable orchestrator — Claude Code, Cline, Cursor's agent mode. Hard budget caps refuse runs before they spawn. Every dispatch appends one structured row with raw cost, markup, and a dispatch_id trailered into the agent's commits.

Bring your own provider keys via X-Anthropic-Key or X-OpenRouter-Key headers. When the confidential backend goes live, swap the same header pattern to route through a Swiss enclave instead of the public API.

Read the docs View on GitHub Live at xanadu.run/mcp
◐ PRIVATE BETA · 2026 H2

Xanadu / Cloud

Hosted confidential inference. Switzerland. Attested GPU enclaves. The operator never holds your cleartext.

Frontier open-weight models (Kimi K2.6 leading) on owned Blackwell-class hardware in Switzerland and Iceland. Your prompt is encrypted on your device, decrypted only inside an enclave you can cryptographically verify, computed, re-encrypted, plaintext destroyed. Nothing is logged. Nothing persists.

Article 271 of the Swiss Criminal Code makes complying with foreign subpoenas on Swiss soil a personal crime; constitutional privacy under Article 13; no CLOUD Act. Reproducible enclave builds and remote attestation let customers prove what code touched their data — the Mullvad and Proton transparency model, applied to AI.

Apply as design partner First customers: regulated firms, Kovel-tier law firms.

What we promise — and what we don't.

Our buyers are lawyers and security-literate operators. Overclaiming gets exposed; under-claiming earns trust. Candor is the product.

WE PROMISE

  • Data-absence: nothing at rest to seize or produce.
  • Hardware isolation with customer-verifiable attestation.
  • Jurisdictional friction against foreign compulsion.
  • A published threat model that states exactly where the guarantees end.

WE DON'T CLAIM

  • That it's mathematically impossible for us to comply — a state with physical hardware access is a real adversary.
  • Zero-knowledge proofs of frontier inference (not yet feasible at scale).
  • That Swiss domicile alone is a shield — only data-absence is.

The same posture appears in our published threat model and in every design-partner conversation. We list our limits where you can read them.

Why this is defensible.

Incumbents structurally cannot follow. A US-jurisdiction provider under the CLOUD Act cannot credibly offer "we can't be compelled." The moat is jurisdictional and architectural — not a feature OpenAI or Anthropic can ship.

Open weights just caught the frontier. Kimi K2.6 at 1T parameters matches or beats Claude Opus on coding, agents, and retrieval — SWE-Bench Pro, DeepSearchQA, SWE-Bench Verified. Frontier quality is no longer locked behind a frontier API.

The window is now. GPU confidential computing hit general availability with ~4–8% overhead. Heppner is fresh. Discovery precedent is tightening. Whoever moves first owns the category before the incumbents ship a "zero-retention enterprise tier" that makes the fear table stakes.