Public Sector

Sovereign clouds, technically enforced.
Citizen data stays under your control.

We fix that

Run citizen services, case management, public safety, and sovereign AI on any cloud — with customer-held keys, no provider access, and runtime evidence for BSI, NIS2, and accreditation.

Citizen portals
Case management
Registries
Public safety
Sovereign AI
PROTECTED WORKLOADS (LIVE)
Citizen Services Portal: ATTESTED
Public Safety Workspace: ATTESTED
Registry Modernization: ATTESTED
Sovereign GenAI: KEY PENDING
Keys held by: Agency
Admin plaintext paths: None
AVAILABLE ON EVERY MAJOR CLOUD AND CHIP VENDOR
AWS
AZURE
GOOGLE CLOUD
INTEL
AMD
NVIDIA
RED HAT
SUSE
STACKIT
HOW IT WORKS

How an encrypted workload runs — from the moment it boots to the moment
it gets your data.

1.  Workload starts
The workload is encrypted in memory by a hardware-isolated enclave the moment it boots.
2.  Identity is proven
The workload must prove it's the right code (unchanged) before data is unlocked.
3.  Keys release
Data unlocks only for that verified code inside the enclave. No human or machine can ever see it.
WHAT YOU'D SEE DAY ONE

Live runtime evidence across every cloud.

Every workload attested, every key release logged, every audit query answered with proof —
automatically.

PROTECTED WORKLOADS
4 environments active
KYC Processing Pipeline: ATTESTED (AWS eu-west-1)
AML Transaction Scoring: ATTESTED (Azure westeurope)
Payment Signing Service: ATTESTED (Private Cloud)
Risk Analytics Engine: ATTESTED (GCP europe-west3)
Key releases today: 2,847
Attestation failures: 0
Evidence artifacts: DORA-ready
Admin plaintext paths: None
WHY NOW

Contractual sovereignty is not enough.

Multiple pressures are shaping public sector cloud programs. Confidential Computing answers all of them.

Citizen data exposed at runtime
Registry, benefits, tax, justice, and identity data sit unencrypted in memory while applications process them.
Accreditation evidence gap
BSI, security, and tender reviews need technical proof faster than manual control narratives can deliver.
Provider & admin access stays open
Cloud operators, support paths, and outsourced teams remain trust dependencies you cannot fully control.
Cross-agency collaboration friction
Sharing data across ministries, agencies, and partners still means copying records into another perimeter.
GDPR & NIS2 raise the bar
Privacy and cyber-resilience reviews increasingly ask who can access data, keys, and workloads in practice.
Jurisdictional exposure
Regional hosting alone doesn't prove who controls keys, runtime access, and cross-border support paths.
THE DIFFERENCE

Sovereignty you can prove, not just declare.

Same workload. Same cloud. Different access surface.

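Citizen data in memory
Without enclaive: Decrypted
With enclaive: Encrypted by hardware
Cloud admin sees data
Without enclaive: Yes
With enclaive: No
Managed-service admin access
Without enclaive: Yes
With enclaive: No
Cross-border support paths
Without enclaive: Possible
With enclaive: No
Key custody
Without enclaive: Shared with provider
With enclaive: Held only by you
Accreditation evidence
Without enclaive: Policies + narratives
With enclaive: Cryptographic attestation
Code changes required
Without enclaive: ----
With enclaive: None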
USE CASES

One control pattern for every sovereign workflow.

Whatever you need to protect, verify, or prove — it runs on the same confidential foundation.

01 Protect citizen data in use
Citizen portals & case management
Protect identity, benefits, permits, filings, and case records from cloud and support operators.
Registries, archives & records
Bind registry APIs, document stores, and archive access to verified workload policy.
Public safety & defense-adjacent services
Keep situational, logistics, and operational data protected from provider-side access.
02 Safely enable new digital workflows
Inter-agency data collaboration
Analyze shared datasets across ministries and partners without pooling raw data.
Sovereign GenAI & automation
Protect prompts, documents, embeddings, and decision logs while public sector AI runs.
Sovereign cloud migration
Move sensitive applications to an approved cloud while keeping technical control of keys.
03 Prove sovereignty
Procurement & tender platforms
Prove tenant separation, workload integrity, and customer-held keys for framework contracts.
BSI, NIS2 & accreditation evidence
Turn attestation, key release, and access events into evidence for security teams.
WHERE TO START

Start with the outcome you need to unlock.

You're a decision maker in public administration. Here's what you can do with Confidential Computing.

Agency leader / Program owner
Sovereign service delivery
Launch digital public services with technical controls that oversight bodies, citizens, and partners can trust.
CISO
Provider-access reduction
Close privileged-access, runtime exposure, and third-party support paths around citizen data.
Procurement / Legal / DPO
Defensible vendor selection
Turn sovereignty requirements into enforceable key custody and separation-of-duties criteria.
CIO / Digital transformation
Cloud adoption with control
Move sensitive services through architecture and risk review with one reusable control pattern.
CTO / Platform / SI
Portable sovereign architecture
Deploy confidential VMs, Kubernetes, key release, and workload identity across approved infrastructure.
GRC / Audit
Continuous control evidence
Replace manual evidence with runtime proof mapped to GDPR, NIS2, BSI, tenders, and internal policies.
BOOK A WORKLOAD ASSESSMENT

Validate your first regulatory-grade workload.

Bring one PII workload, C5 question, AI use case, cloud constraint, or open privacy review.
Leave with a practical pilot path for confidential computing,
customer-held keys, and automated evidence.

Your public sector contact:
Norbert Müller
Chief Strategy Officer
DEEPEN YOUR KNOWLEDGE

Go deeper on provider exclusion, sovereignty,
and key control.

Selected whitepapers and articles for decision makers in the public sector evaluating confidential cloud,
sovereign key management, platform rollout, and audit-ready encryption controls.

Who Holds the Keys? Exploring GYOK, BYOK, and HYOK for Cloud Sovereignty
Learn how GYOK, BYOK, and HYOK redefine cloud key management and help you balance data security, control, and flexibility.
Confidential Computing transforms the public sector
Enable public sector innovation with enclaive's Confidential Computing, ensuring data security and GDPR compliance while driving digital transformation.
Cloud Sovereignty in Hyperscaler Environments
How can you harness the power of hyperscalers without compromising data sovereignty and compliance? Find out in our Solution Brief.