inis.run

Security & data residency

How inis.run isolates code execution, controls network egress, and handles data residency.

For a product built to run code you can't trust, the most important question is: how is it contained?

Isolation & security

Each run is its own machine

Every session on inis.run gets a dedicated hardware-isolated environment — a clean slate, not a shared container. There is no way for code running in one session to read memory, files, or network traffic from another session. The boundary is enforced in hardware, not software.

When a session ends, its memory and disk are destroyed. Nothing persists unless you explicitly save it as a checkpoint or template.

Network egress is controlled

Outbound network access from inside a session is controlled via a per-session allowlist. By default, egress is restricted. Attempts to reach destinations outside the allowed list are blocked at the network layer — not by the guest OS, which your code controls.

This means untrusted code running inside a session cannot use inis.run as a launchpad for outbound attacks or exfiltrate data to arbitrary destinations.

Single-tenant by default

Sessions run single-tenant on dedicated bare-metal hardware. Your workloads do not share a hypervisor, kernel, or CPU scheduling domain with other tenants. There is no noisy-neighbour effect and no shared infrastructure layer that could become a cross-tenant attack surface.

We do not inspect your code or data

inis.run does not store, log, or inspect the code you run or the data processed inside your sessions. We collect only the operational metadata needed to bill you and keep the service running: session duration, resource allocation size, and API request rates. See our Privacy Policy for the full picture.

Abuse & misuse

inis.run is infrastructure for legitimate code execution. We do not permit its use for generating malware, launching attacks, distributing illegal content, or circumventing other platforms' security controls.

If you encounter misuse — of our API, our preview URL infrastructure, or anything running on our platform — report it to abuse@inis.run. We investigate every report and act on confirmed violations promptly, up to and including immediate account termination and cooperation with law enforcement where required.

For security vulnerabilities in inis.run itself, see our Security Policy.

Data residency & EU ownership

EU company, EU infrastructure

inis.run is an Irish company. Our infrastructure runs on bare-metal hardware hosted in the EU. Both the hosting entity and our own company entity are genuinely EU-owned — there is no US parent company in the data path.

Your code and data do not leave the EU. Databases, operational logs, and backup storage all reside on our own hardware within the EU. We do not route traffic through or replicate data to US-based cloud services.

Why ownership matters — the CLOUD Act

The US CLOUD Act allows US authorities to compel a US-owned company to hand over data stored anywhere in the world — including data held on servers physically located in the EU. Choosing a US-owned cloud provider for EU data does not protect you from this, regardless of where their data centres are.

Because inis.run is EU-owned with no US parent, we are not subject to CLOUD Act compulsion. A valid EU legal process is required to access any data we hold.

The regulatory landscape

Two EU frameworks are in force and directly relevant to how inis.run operates:

  • The EU Data Act — in force since September 2023, applying progressively through 2025. Establishes rules on access to and use of data generated by connected products and related services. inis.run's architecture — where we do not retain or reuse your execution data — is consistent with the Data Act's intent.
  • NIS2 Directive — the Network and Information Security directive, in force across EU member states. Sets baseline cybersecurity obligations for operators of essential and important entities. As infrastructure supporting AI workloads, we take the spirit of NIS2 seriously: incident response, access control, and supply chain security are part of how we run the service.

The Cloud Act for Autonomy and Data Access (CADA) is a European Commission proposal from June 2026 aimed at strengthening data sovereignty for EU cloud users and limiting the reach of third-country compelled access. It is not yet in force — it is at the legislative proposal stage — but it points in the direction EU regulation is heading. inis.run's ownership structure already aligns with what CADA would require.

What we don't claim

We do not claim to be a compliance product. inis.run is execution infrastructure. Whether it meets your specific compliance requirements — GDPR processor obligations, sector-specific rules, internal data governance policies — is your call to make. We give you the facts; you decide whether they fit.

If you need specifics for a procurement or legal review, write to hello@inis.run.


General questions: hello@inis.run — abuse reports: abuse@inis.run — security vulnerabilities: security@inis.run

On this page