Proton Lumo security model

Proton Lumo security model

Local copy.

Proton’s security-model explanation distinguishes two properties that are easy to conflate: encrypted saved history and private live inference.

It says saved Lumo history uses zero-access encryption, and that Lumo operates without keeping conversation logs or training on chats. It also explicitly says that full end-to-end encryption for inference is not practical today, because the LLM needs cleartext to process a request.

Proton calls its live-request transport User-to-Lumo encryption. The user’s device encrypts a per-request AES key to a public key whose private counterpart is held by the LLM server. That protects the request across transit and internal routing, but the model execution environment can decrypt the request to infer.

This is a serious privacy improvement over ordinary chat SaaS. It does not cryptographically remove every trust assumption about the live model server or its deployed software. Lumo and Private AI trust boundaries use this distinction to avoid both unfair dismissal and overstated claims of end-to-end encrypted AI.

Sources

  1. proton.me