We Built a Private-Document AI App to Test Platform Security. Here Is What We Could Actually Verify.

A hands-on security comparison of six AI inference platforms — DigitalOcean, Baseten, Nebius, Fireworks AI, Modal, and Together AI — built around a private-document RAG chatbot test harness. The review evaluates each platform across six dimensions: access controls, data retention defaults, network isolation, audit logging, vulnerability disclosure, and shared responsibility documentation. Key findings: Baseten has the cleanest zero-retention default; Nebius leads on formal compliance certifications (ISO 27001, SOC 2 via Deloitte); Modal offers the strongest execution-layer isolation via gVisor; Fireworks has zero-retention by default for standard inference but gates audit logs behind enterprise tiers; Together AI stores data by default and requires opt-out. DigitalOcean is highlighted as the most practically verifiable platform — self-service VPCs, a mature bug bounty program, product-level shared responsibility docs, and request-level metadata visibility — without requiring an enterprise contract. The conclusion emphasizes that verifiable security matters more than polished trust-center documentation.