BYOC deploy
Deploy a signed .kolm to your own infrastructure. kolm.ai mints the deploy manifest and records the attestation; you keep the keys and the network path. For payload-blind operation, pick a Trusted Execution Environment target.
Issue a deploy script
Signed manifest · one-time enroll token · attestation callbackRun on your cloud
Review the script. Then run it from your own CI or host.The instance will POST a measurement back to kolm.ai after first boot. Refresh the list below to see it flip to live.
Your deployments
LoadingTrust model
kolm.ai signs the deploy manifest (deploy_id + artifact_id + enroll_token + issued_at) with an HMAC anyone with the receipt secret can verify.
You run the script. It pulls the artifact, builds a Docker image (or EIF for Nitro), and starts the runtime on your hardware.
On TEE targets the image POSTs the vendor-signed measurement (Nitro PCRs, GCP attestation token, Azure CVM SNP report). On non-TEE targets, an image SHA.
TEE targets keep request payloads encrypted in memory; kolm.ai cannot see them. Non-TEE targets are private from us at the network level only.