inis.run runs untrusted and AI-generated code, each execution in its own hardware-isolated VM, on infrastructure built and run in the EU. This page is for the people who have to approve that — your security team, or your customer’s. Every claim below states what exists today; anything still being built says so.
Working through a questionnaire? Send it to team@inis.run — we answer directly, in writing.
Not a container. Every run gets a dedicated VM with its own kernel and its own memory — one customer’s execution never shares a kernel with another’s. VMs are single-use: destroyed after the work, never reissued. For the code you trust least, a session can also drop in-guest administrative privileges.
Proof — A written isolation model your team can review — in progress. Until it’s published, we walk security teams through it directly.
Session lifecycle — created, executed, paused, destroyed — is recorded today. We are building the per-execution log on top: every outbound network attempt, allowed and denied, with destination and originating session; hash-chained so tampering is detectable; exportable so you can hand it to an auditor or your customer’s security team.
Proof — Sample export — in progress.
Networking is deny-by-default when you say so: allowlist the exact domains the workload needs, and change the policy on a live session through the API. Enforcement happens on the host, outside the VM — the code inside can’t switch it off.
POST /v1/sessions
{
"egress": {
"mode": "deny",
"allow": ["api.openai.com"]
}
}Proof — In the API today — egress policy is part of session creation, above, and readable back at any time.
inis.run is operated by an EU company on hardware physically located in the EU. There is no US parent entity — and none of the extraterritorial legal reach that comes with one. Your data is processed in the EU and stays there.
Proof — Corporate entity details on request. DPA and subprocessor list — in progress.
Sessions have explicit lifetimes — an idle timeout, a maximum lifetime, a retention window for paused sessions — and a destroy call that deletes the session’s disk and memory state. Every destroy, including automatic expiry, now emits a deletion receipt in the tamper-evident execution log naming what was actually destroyed, when, and why — fetchable per session. Checkpoints you keep are retained on their own separate lifecycle until you (or their own retention window) delete them; receipts for that path are in progress.
Proof — Deletion receipt — session destroy today; checkpoints and templates in progress.
If a customer’s security review is stalling your deal because you run AI-generated or user-submitted code against their data — that is the problem this product exists for. On certifications: SOC 2 is in progress. Nothing on this page claims a certificate we don’t hold.
Proof — team@inis.run — send the questionnaire.
The fastest way to evaluate the isolation story is to run something in it. Found a vulnerability instead? See our disclosure policy.
Get an API key