Key terms

The following terms are used throughout the Opaque documentation:

Platform structure

• Organization: The top-level unit for user management in Opaque, representing one or more users. Each user belongs to exactly one organization. See also role-based access control (RBAC).
• Workspace: An isolated environment where one or more users work with shared datasets. Within a workspace, members can provision and encrypt datasets, define access policies, and perform analytics or machine-learning tasks, with Opaque ensuring data privacy.
• Job: A computational task executed within a workspace using Opaque's secure analytics engine. Jobs include Python- or SQL-based queries, machine-learning training, or inference task—all performed on encrypted datasets with results stored securely.
• Dataset: An encrypted dataset added to a workspace. All datasets in Opaque remain encrypted at rest, in transit, and in use, ensuring full privacy throughout their lifecycle. The user who provisions a dataset controls access, but datasets can be shared with workspaces based on assigned permissions. In multi-member workspaces, data-processing jobs require the approval from all members before execution; in single-member workspaces, approval is not needed.
• Synthetic data: Artificially generated data that mimics the statistical properties of real datasets or consists of random dummy data. It enables users to test AI models, refine workflows, and conduct analyses in a secure environment without exposing sensitive information, ensuring compliance with privacy regulations.
• Service: A modular functionality within Opaque that enables secure, low-latency data processing for small, on-demand inputs. Services automate sensitive data handling while ensuring compliance through cryptographic audit trails. Opaque currently offers two services: data ingestion, which securely processes data from REST APIs, and data redaction, which removes or masks personally identifiable information (PII). Additional services, including user-created services, are planned for future releases.

Access and governance

• Role-based access control (RBAC): A security model that restricts access based on user roles. In Opaque, these roles include:
  • Organization admin: Manages user roles and organization-wide settings.
  • Workspace admin: Creates workspaces, invites members, and manages workspace access.
  • Workspace member: Works within assigned workspaces, provisioning data, running jobs, and collaborating based on workspace policies.

Security and trust

• Confidential computing: A security model that protects data even while it’s being processed, using hardware-based environments called trusted execution environments (TEEs). See also trusted execution environments.
• Confidential AI: An extension of confidential computing that secures entire AI workflows—including data, models, and code—while enabling policy enforcement, collaboration, and verifiable auditability.
• Trusted execution environment (TEE): A secure, hardware-based enclave that processes encrypted data. TEEs decrypt data only inside the enclave during computation, preventing access by external entities (e.g., cloud providers, administrators, or attackers). Opaque uses TEEs to maintain data privacy throughout computation.
• Remote attestation: A cryptographic process that verifies a trusted execution environment (TEE) is genuine and running approved code. This allows users to safely share encryption keys and run jobs only in verified, secure environments.

Next steps

• Learn which browsers are supported.
• Start using the platform.