pencloser.com

pencloser.com

Privacy Encloser — confidential workloads, sealed end to end.

Status: Operational v4.12.0 / FIPS-validated

Introduction

Privacy is not a feature. It is the enclosure.

Privacy Encloser is an enterprise privacy substrate that contains, controls, and certifies the data your business already trusts you to handle. We do not sell convenience over confidentiality — we deliver both, by design.

// est. 2018 — operating in 14 jurisdictions

01 — Principles

Three commitments, in writing.

Sealed by default.

Every workload begins encrypted, isolated, and inaccessible — including to us. Access is granted only by explicit, auditable policy.

Minimal observation.

We collect what is required to operate, and nothing more. Telemetry is aggregated, ephemeral, and stripped of identifiers before it leaves the enclosure.

Provable, not promised.

Independent attestation, signed audit logs, and reproducible builds. When we say a record is sealed, you can verify it — without trusting us.

02 — Architecture

A four-layer enclosure.

Each layer enforces a distinct guarantee. Compromise of one does not unseal the others.

  1. L1

    Transport Enclosure

    TLS 1.3 with pinned, rotated certificate authorities and forward secrecy on every channel.

    cipher: TLS_AES_256_GCM_SHA384

  2. L2

    Key Enclosure

    Hardware-rooted keys, sealed inside HSMs that never expose key material — not even to operators.

    backend: FIPS 140-3 / Level 3

  3. L3

    Compute Enclosure

    Confidential VMs with attested boot and memory encryption, so workloads remain private even from the host.

    attestation: SEV-SNP / TDX

  4. L4

    Policy Enclosure

    Every access is signed, recorded, and bound to a stated purpose. Logs are append-only and externally witnessed.

    log: rfc9162-compatible / merkle

03 — Assurance

Verified by independent parties.

  • SOC 2 Type II — annual
  • ISO/IEC 27001 — certified
  • ISO/IEC 27701 — privacy
  • HIPAA — covered entity ready
  • GDPR — Article 28 processor
  • FIPS 140-3 — validated modules

Latest attestation report: 2026-Q1 · SHA-256: 9f3c…b4e1

04 — Transparency

If we cannot read it, neither can a subpoena.

Government access requests are met with technical evidence: the data you placed inside the enclosure is mathematically beyond our reach. We publish a transparency report each quarter detailing every request, every response, and every outcome.

To date: 0 instances of plaintext disclosure.

Contact

Speak with our enclosure team.

For procurement, security review, or enterprise integration. We do not run a sales pipeline.

enterprise

enterprise@pencloser.com

security

security@pencloser.com

press

press@pencloser.com

PGP fingerprint: A4F1 2C9D 88B7 4E20 6F3A · 1B5E 7C44 9D02 8AAF 0CC1