What is OPAQUE
OPAQUE is a confidential AI platform for running agentic workflows and analytics jobs on sensitive data without exposing it. Whether you’re building RAG-style services, analyzing data sets, or training models, your work happens inside protected workspaces designed to preserve privacy, enforce policy, and meet compliance requirements. OPAQUE also generates logs and reports (and, where applicable, attestation evidence) so you can review what ran and support audits.
This page introduces the core concepts behind OPAQUE, including platform organization, workload types, core building blocks, and governance.
How OPAQUE is organized
OPAQUE uses workspaces as the primary organizational unit. A workspace is where you build workloads, control access, apply policies, and review the logs and reports generated when workloads run.
Access to workspaces and resources is managed through role-based access control (RBAC). Your role determines what you can view and do—for example, whether you can manage a workspace and its integrations or build, run, and review workloads. This helps ensure that only authorized users can operate on sensitive resources and that activity is auditable. (For more details on RBAC, see Roles and permissions.)
OPAQUE supports two workspace types. They’re designed for different needs, and most teams will primarily use one or the other depending on their use case.
Agentic AI workspaces
Agentic AI workspaces are designed for building agentic workflows: long-running, callable services that combine models, retrieval, and structured logic. You build a workflow, launch it, and then trigger it through the OPAQUE SDK or API whenever you want it to handle a request.
Agentic workflows are built from nodes—the individual steps that define what the workflow does. In the workflow builder, you arrange and connect nodes to define how requests flow from input to output. Nodes represent capabilities such as calling an LLM, retrieving context through a data connector, applying logic or transformations, or running utilities like redaction.
To bring in external context or call external services, workflows can use data connectors and integrations. Data connectors define approved access to retrieval sources and other external systems. Integrations provide preconfigured versions of nodes—packaging service configuration so teams can reuse the same setup consistently across workflows in a shared workspace.
Agentic AI workspaces are also governed by workspace policies and guardrails, which constrain what workflows can access and how they behave during execution. OPAQUE records logs and reports so you can review activity and support audits.
Use an agentic AI workspace when you’re building interactive or application-facing services—especially RAG-style use cases where a workflow retrieves relevant context and uses a model to produce a response, often with additional post-processing steps (such as redaction).
Analytics and ML workspaces
Analytics and ML workspaces are designed for working with protected datasets. You can use them to explore data, build models, and run policy-governed computations without exposing raw data.
When data is brought into an analytics and ML workspace, OPAQUE encrypts it immediately and keeps it protected throughout its lifecycle, including during processing. OPAQUE also generates a synthetic version of the dataset: a non-sensitive copy that preserves the same schema and statistical properties, but contains no real personally identifiable information (PII). This lets you prototype queries and debug logic safely before running against protected data.
To process data, you create jobs—batch scripts that run to completion over encrypted datasets. Jobs can be written in Python (PySpark) or PySpark SQL and are typically developed and tested using synthetic data. When your job is ready, it can be submitted to run on encrypted production data under workspace policies and access controls, with logs and reports available for review and auditing.
Use an analytics and ML workspace when your work is primarily batch-oriented and you want jobs to run on a schedule or as discrete executions.
What makes OPAQUE confidential
OPAQUE uses confidential computing to protect data in use. Workloads run inside trusted execution environments (TEEs)—isolated compute regions where memory is encrypted and not accessible to cloud providers, administrators, or other workloads.
Before sensitive data or secrets are released to a workload, OPAQUE performs attestation to verify the execution environment is in a trusted state and that the runtime hasn’t been tampered with. Secrets are released only to environments that successfully pass this verification.
After execution, OPAQUE provides evidence you can review—such as audit logs and, where applicable, attestation records—so you can verify what ran and support compliance and audits without relying on blind trust in infrastructure operators.
Governance you can verify
OPAQUE’s governance model is designed to make behavior controllable during execution and reviewable after execution.
- Policy controls (and guardrails for agentic workflows) constrain how workloads behave. Depending on your setup, policies can control which data sources a workload may access, which tools or models it may call, what must be redacted or filtered, and what network or API access is permitted. These controls are enforced at runtime.
- Verifiable logs and reports provide an audit trail of what occurred. Executions generate audit logs, and (where applicable) attestation evidence showing the workload ran in a trusted environment. This supports compliance, investigations, and internal governance without requiring blind trust in infrastructure operators.
From design to operation
Whether you’re building an agentic workflow or a batch job, OPAQUE follows the same high-level lifecycle from creation to execution:
- Build and configure a workload in a workspace.
- Review and approve changes (where required).
- Launch an agentic workflow or run an analytics job.
- Inspect results, logs, and attestation evidence.
Getting started
Once you understand how OPAQUE is organized, the next step is to start building inside a workspace. From here, most users follow one of two paths:
- Agentic workflows – for building and operating long-running, callable AI services such as RAG-style applications.
- Analytics workflows – for running batch analytics, data transformations, or ML workloads over protected datasets.
Each path walks you through setup, core concepts, and execution, with logs and reports available to review what ran and support audits.