NOVA PLATFORM

Confidential Computing Platform

Confidential Apps.
Verifiable by Design.

Secure compute without the complexity. Deploy confidential applications in minutes with verifiable on-chain attestation anchors.

SLSA L3 Builds ZK-Verified Attestation On-Chain Anchored x402 Payment TEE-Native KMS Encrypted Storage

Nova Proof Surface

One platform, four verifiable layers.

Nova does not stop at enclave launch. It packages build provenance, version identity, runtime attestation, and public verification into one workflow.

Build Enroll Attest Register

01

Transparent Build

Public GitHub Actions builds with Sigstore signing and SLSA Level 3 provenance.

02

Version Identity

PCR measurements and image metadata enrolled on NovaAppRegistry.

03

Live Runtime Attestation

Running instances expose Nitro attestation at /.well-known/attestation.

04

Public Verification Path

SP1 proof and on-chain instance registration complete the verification workflow.

4

AWS regions

2

deploy tiers

15+

sidecar APIs

Local dev without enclaves via odyn.sparsity.cloud:18000

📅 2026 🌐 sparsity.cloud ✉️ support@sparsity.xyz Photo: Victor Chartin / Unsplash

Executive Summary

Nova Platform at a Glance

02

Nova Platform lets teams ship Docker applications into AWS Nitro Enclaves with transparent builds, managed deployment, x402 payment support, enclave-native services, and a verifiable path from source code to running instance.

Core Value Proposition

Code and in-use data execute inside AWS Nitro Enclaves, keeping cloud operators outside the memory trust boundary
Public GitHub Actions builds, Sigstore signing, and SLSA Level 3 provenance link source code to measured enclave images
NovaAppRegistry records App → Version → Instance identity for build enrollment and public runtime verification
x402 gives API clients a wallet-backed payment rail without building a separate billing flow
Nova KMS, app wallet, encrypted S3, attestation, and Helios RPC are available as built-in enclave services
Portal, Nova API, and the Odyn mock service turn raw TEE deployment into a workflow teams can use without building enclave infrastructure first

Key Metrics

<5min

Typical deploy time after build enrollment

4

Supported AWS regions

2

Deployment tiers: Standard / Performance

15+

Built-in Odyn sidecar APIs

High-Fit Workloads

Secure AI Agents Sensitive Data Processing Confidential DeFi Verifiable Oracles Key Custody

Industry Challenges

Why Teams Still Avoid
Raw TEEs

Data Exposed at Every Layer

Traditional cloud leaves sensitive data exposed to hosts, hypervisors, insiders, and other privileged layers.

Trust Without Proof

Users are asked to trust operator promises without transparent build provenance or cryptographic runtime evidence.

Compliance Gaps

Regulated workloads increasingly need auditable controls around data handling during computation, not just at rest.

TEE Is Too Hard

Raw Nitro or SGX adoption means custom build pipelines, attestation tooling, enclave services, and specialized operations work.

Photo: Sasun Bughdaryan / Unsplash

The Nova Solution

From Source Code to
Verified Instance

Source Repo / Docker App

Public Build (GitHub Actions + Sigstore / SLSA L3)

Version Enrollment (PCRs + image URI on NovaAppRegistry)

Deploy to Nitro Enclave (Portal or x402 API, 4 regions, 2 tiers)

Runtime Attestation via /.well-known/attestation

SP1 Proof + On-Chain Instance Registration

AWS Nitro Enclaves

App → Version → Instance identity

Nova KMS + App Wallet

Helios trustless RPC

Photo: Daniel Andrade / Unsplash

Platform

Core Capabilities

05

Confidential Execution

Code and in-use data execute inside AWS Nitro Enclaves. Host OS, hypervisor, and cloud operators are outside the enclave memory boundary.

Transparent Builds

Builds run publicly in GitHub Actions with Sigstore keyless signing and SLSA Level 3 provenance, producing PCR measurements that can be enrolled on-chain.

Enclave Services

Odyn provides 15+ sidecar APIs inside the enclave for attestation, wallets, encryption, S3, Nova KMS, signing, and Helios RPC.

Verifiable Attestation

Running instances expose Nitro attestation. Nova carries that attestation into SP1 proof generation and on-chain instance registration for public verification.

Managed Deployment

Deploy through the Portal or Nova API to us-west-1, us-east-1, eu-west-1, or ap-south-1 using Standard or Performance tiers, with x402 payment support.

Technology Stack

AWS Nitro Enclaves Sigstore SLSA L3 SP1 Helios Odyn

Workflow

How Teams Ship on Nova

06

Nova turns enclave complexity into a usable product workflow: local simulation, transparent builds, managed deployment, and verification artifacts in one surface.

Portal + Nova API

Create apps, trigger builds, enroll versions, and deploy by region and tier
Choose standard or performance resources without hand-managing enclave hosts
Use x402 payment when the caller needs wallet-backed payment directly over the API
Use one API model across build, deployment, and instance lifecycle

Odyn Sidecar Services

Wallets, signing, encryption, attestation, KMS, S3, and Helios are available in-enclave
App developers call stable local APIs instead of wiring enclave primitives themselves
Persistent app wallet and encrypted storage reduce custom security plumbing

App Explorer + Registry

Public App → Version → Instance hierarchy for identity and verification
Inspect version enrollment, runtime status, and instance URLs
Surface registration artifacts for downstream users and integrators

End-to-End Workflow

1

Code Locally

Use templates, examples, or your own Docker app against the Odyn mock service.

2

Create + Register

Create the app in Nova and establish its App identity in NovaAppRegistry.

3

Build + Enroll Version

Run the public build, capture PCRs, and enroll the measured version on-chain.

4

Deploy Managed Instance

Launch in 4 regions with Standard or Performance tier, with x402 payment available on supported API flows.

5

Verify + Register Instance

Fetch live attestation, generate the SP1 proof, and register the running instance on-chain.

Why This Changes Adoption

Teams keep the same app model from local development to Nitro deployment instead of rebuilding signing, storage, wallets, and verification only when production arrives.

Workloads

Where Nova Fits Best

These are the workloads that benefit most when confidentiality and verifiability need to ship together.

Secure AI Agents

Protect prompts, model state, and wallet logic while exposing a verifiable attestation path to users and integrators.

Privacy-Preserving Computation

Handle regulated or high-sensitivity inputs without exposing raw data to infrastructure operators or service admins.

Confidential DeFi & MPC

Run MEV-sensitive strategies, operator services, and multi-party workflows with enclave-isolated keys and on-chain identity.

Verifiable Oracles

Publish price feeds, RNG, and external-data decisions with runtime attestation and a proof-backed registration path.

Secure Key Custody & App Wallets

Use Nova KMS and persistent app wallets for enclave-native signing, policy-gated key derivation, and encrypted storage.

Photo: Markus Winkler / Unsplash

Differentiation

Why Nova Beats the Alternatives

08

Feature	Traditional Cloud	Containers (K8s)	Raw SGX / Nitro	⭐ Nova Platform
Data Confidentiality (In-Use)	❌ None	❌ None	✅ Supported	✅ Hardware-level
Remote Attestation	❌ None	❌ None	⚠ DIY	✅ Managed
Verifiable Build Pipeline	❌ None	❌ None	⚠ Build yourself	✅ Public + SLSA L3
ZK Proof of Execution	❌ None	❌ None	❌ Custom	✅ SP1 path
On-Chain Verification	❌ None	❌ None	❌ Custom	✅ Registry-native
Integrated KMS	⚠ Cloud KMS	⚠ Cloud KMS	❌ Manual	✅ TEE-native
Trustless RPC	❌ None	❌ None	❌ Custom	✅ Helios
API-Native x402 Payment	⚠ DIY	⚠ DIY	⚠ DIY	✅ x402
Time to Deploy	✅ Minutes	✅ Minutes	⚠ Weeks	✅ Minutes
TEE Expertise Required	N/A	N/A	⚠ High	✅ None

Most teams can assemble parts of this stack themselves. Nova packages the full confidential-compute workflow into one platform surface. Secure by design. Verifiable by artifact.

Why Nova

Why Teams Choose Nova

Nova turns trust assumptions into artifacts: public build logs, enrolled PCRs, live attestation, and proof-backed on-chain instance records.

3-layer

App → Version → Instance registry model

4

AWS regions available today

15+

Odyn sidecar APIs inside the enclave

Nitro-Native Managed Platform

Ship Docker-compatible apps onto AWS Nitro Enclaves without building bespoke enclave infrastructure or operator tooling.

Source-to-Image Provenance

Transparent builds, Sigstore signing, and enrolled PCRs create a traceable source-to-enclave chain.

Enclave-Native Services Included

Nova KMS, app wallet, encrypted storage, attestation APIs, and Helios RPC ship as platform capabilities, not app-side glue.

Verification Workflow Built In

Expose live attestation, generate SP1 proofs, and register instances on-chain inside one repeatable workflow.

Photo: Musemind UX Agency / Unsplash

Technical Proof

Trust Model & Verification Boundary

10

Nitro Trust Model

AWS Nitro Enclaves give Nova strong launch-image identity through PCR measurements. The trust boundary is the launched enclave image, not the surrounding cloud stack.

Build & Version Binding

Nova records image URI, audit URL, GitHub run metadata, and PCR values in NovaAppRegistry so a deployed instance can be checked against an enrolled version.

Runtime Verification Options

Users can fetch live Nitro attestation from /.well-known/attestation; Nova then carries that into SP1 proof generation and on-chain verification through NitroEnclaveVerifier.

Trust Boundaries

✓ Trusted

Nitro security boundary · launched enclave image · enrolled version metadata · client or on-chain verification logic

✗ Untrusted (cannot access enclave)

Cloud provider · host OS · hypervisor · reverse proxy layers · Nova operators

Important Boundary

Nitro attestation proves launch measurements, not continuous runtime integrity by attestation alone
Nova strengthens trust with transparent builds, enrolled PCRs, and proof-backed instance registration
Threat model centers on malicious cloud operators, host compromise, insider access, and supply-chain tampering

Build, Deploy, Pay, Verify

Start with a Docker app. End with a confidential service on AWS Nitro Enclaves, with x402 payment and a verification path your users can inspect.

Visit sparsity.cloud View How It Works Contact Sparsity

🌐 sparsity.cloud ✉️ support@sparsity.xyz Portal · Nova API · App Explorer

Cover: Victor Chartin / Unsplash · Problem: Sasun Bughdaryan · Solution: Daniel Andrade · UseCases: Markus Winkler · WhyNova: Musemind UX Agency · CTA: Vishnu Kalanad