gpubox.ai

For regulated industries

Sovereign by default.

GPUBox is the answer when your buyer asks "is the inference happening in the UK, run by a UK-incorporated counterparty?" and "adequate" isn't the answer they want. UK hardware, UK contract, UK law, English courts. No reroutes, no back-doors, no silent model swaps.

Talk to usRead the DPA →

What we commit to

UK-domiciled hardware

Inference happens on physical hardware located in the United Kingdom. Not just a UK PoP; the hardware itself.

UK-incorporated counterparty

Mobile Paradigm Consultancy Ltd (trading as Frontendlabs) is registered in England & Wales. UK VAT, UK contract, English law, English courts.

No customer data used for training

Your inputs and outputs are never used to train, fine-tune, or evaluate any model we serve to another customer. Contractual default; no opt-in flips it.

Per-call audit log

Every API call is logged with tenant id, model id, request id, status, and unit count. Retained for at least 30 days; longer on request.

Signed DPA

UK GDPR Article 28 DPA available at /dpa with named-subprocessor disclosure and IDTA / SCCs in place where data flows outside the UK.

Dedicated capacity option

For regulated workloads we can reserve hardware to your tenant — your card is your card, never re-allocated mid-job. Capacity-planned, not auto-elastic.

OpenAI-compatible

Drop-in for the OpenAI API. Your existing SDKs, prompts, and tooling work unmodified. No proprietary client. No silent model swaps.

Real model names

We publish exactly which model serves your request. Qwen2.5-32B-Instruct on chat, Whisper-large-v3-turbo on audio, BGE-M3 on embeddings. No black box.

Frequently asked

Are you a data controller or a processor?

Processor. You (the customer) remain the controller for personal data your end users send through our API. We process strictly on your documented instructions per the DPA at /dpa.

Where exactly is the hardware?

United Kingdom. We do not operate a multi-region pool; one fixed UK location during the beta. Disclosed in the DPA on request.

Do you sub-process outside the UK?

Some operational subprocessors (Stripe, Resend, Cloudflare, GitHub) handle data outside the UK. We rely on UK-EU adequacy and IDTA / SCCs where required. The full list is in /dpa Schedule 2.

Do you support BYOK / customer-managed keys?

On the roadmap for enterprise contracts. Current beta uses our key management with TLS in transit and at-rest encryption on infrastructure subprocessors.

Do you have ISO 27001 / SOC 2?

Not yet — we are a private-beta startup. We will pursue formal certifications once usage justifies. In the meantime we offer transparent technical and organisational measures (DPA Schedule 1) and direct engineering access for enterprise diligence.

Can you sign our security questionnaire?

Yes. Email [email protected] with your questionnaire and we typically respond within 5 working days. SIG-Lite, CAIQ, and bespoke client formats are all fine.

What about NHS / public-sector procurement?

We can engage on G-Cloud-style frameworks once we cross the supplier-onboarding threshold; in the meantime we work with public-sector buyers through their preferred reseller route.

Bring us your questionnaire.

We respond to security and procurement questionnaires within 5 working days. Bring SIG-Lite, CAIQ, or your own format.

[email protected]See pricing →