SANDBOX MODE — use Stripe test card 4242 4242 4242 4242 (any future expiry, any CVC)
Enactenact.is
Join Waitlist

[§ 02] SOVEREIGNTY

Engineered in Norway. Hosted under Icelandic law.

Every byte of compute, every prompt chain, every container — sealed inside the EEA.

// Sovereign Shield

Engineered in Norway.
Hosted strictly under Icelandic jurisdiction.

Every byte of compute, every prompt chain, every container — sealed inside the EEA. Iceland's data-haven status, combined with EU-equivalent regulation, gives Enact a legal moat no US hyperscaler can replicate.

  • Immunity from FISA 702

    Hosting under strict Icelandic law prevents foreign state agencies from demanding warrantless access or executing secret directives against your workloads.

  • GDPR Article 48 & NIS2 Compliance

    Native alignment with European digital sovereignty laws. Drop-in ready for finance, healthcare, and regulated software supply chains.

  • BYOAK — Bring Your Own API Key

    Plug in your own Mistral, DeepL, or any European model keys. We never markup tokens. You pay only for secure sandboxed runtime.

data_flow.svg
NORWAYengineering · buildICELANDvaults · executionEEA PERIMETERUS JURISDICTIONFISA 702 · CLOUD Act
zero egress to non-EEA control planes

// Security Specifications

Crash-proof execution. Cryptographic approvals.

Every agent step is committed to an immutable ledger before it runs. Every privileged action waits for a hardware-signed user approval. No silent retries. No invisible side-effects.

01 — Durable Execution

Temporal-style ledger, soldered to SQLite.

Steps are atomically journaled before they execute. If the host process dies — kernel panic, OOM, power loss — the next worker resumes from the exact last committed step. Zero double-spends. Zero phantom writes.

  • Write-Ahead Log fsync before exec
  • Deterministic replay on restart
  • SHA-256 chained, tamper-evident rows
vault.ledger.sqlite
WAL · fsync · chained sha-256
agent.runtime
step.exec()
crash → 0x3a4
fsync
immutable WAL
commit before exec
sha256 ⛓ prev
010x3a1plan.composecommitted
020x3a2tool.read_repocommitted
030x3a3patch.applycommitted
040x3a4shell.exec resume from 0x3a4
050x3a5test.verifyqueued
host crash @ 0x3a4 resume from 0x3a4
enact · approval
14:32
Architect agent

Requests read access to

/repo/payments/stripe.ts

scope: read · 1 file · 32 lines

Touch sensor to approve

enact.vault
rpIdenact.is
algES256 / P-256
aaguidapple · secure enclave
counter0x00f3
resultverified
action authorized

02 — WebAuthn HITL Approval

Touch ID. Face ID. YubiKey. No shared secrets.

When an agent requests filesystem, network, or secret access, the request is signed by your platform authenticator. The private key never leaves your device. A stolen session token cannot approve anything on its own.

  • FIDO2 / WebAuthn level-2 attestation
  • Per-action challenge, never replayable
  • Hardware-bound private keys (Secure Enclave / TPM)
Start EuroStack meme: Windows 98 dialog over EU flag contrasting US and EU stacks
// start.eurostack — boot the sovereign stack