← Back to Documentation

🛡 Security & Container Isolation

How Simulacrum protects your project data on distributed compute nodes.

Overview

Every job on Simulacrum runs in a hardened Docker container with strict isolation. Containers run with --cap-drop=ALL, --no-new-privileges, memory limits, and PID limits, providing strong isolation between the workload and the host system.

After every job completes (or fails), all project data, intermediate files, and render output are securely wiped from the operator's node.

How It Works

  1. You submit a job.
  2. The orchestrator selects an eligible node with Docker configured.
  3. Your project is downloaded to a temporary directory on the node.
  4. The job runs inside a hardened Docker container with GPU passthrough.
  5. Completed frames/results are uploaded to secure cloud storage.
  6. All project data is securely wiped from the node.

Key guarantee: Your project files run in an isolated sandbox. After the job, all data is securely wiped from the operator's system.

Pricing

All jobs run at a flat rate of $0.75/GPU-hour with hardened container isolation, ClamAV scanning, and Proof of Compute verification included.

Security Layers

Container Hardening

Every container runs with --cap-drop=ALL, --no-new-privileges, strict memory limits, and PID limits. Even if a client's code contains a vulnerability, it cannot escalate privileges or escape the container.

ClamAV Scanning

Every uploaded project is scanned for malware and zip bombs before dispatch.

Proof of Compute

The orchestrator periodically verifies that nodes are performing real work using perceptual hashing (rendering) and GPU utilization checks (training).

Secure Wipe

All project data, scene files, and intermediate artifacts are wiped after every job.

US-Only Sovereign Compute

All compute nodes are verified as US-based via IP geolocation and Cloudflare.

Container Security

All jobs automatically run in hardened Docker containers — no configuration needed. The security flags (--cap-drop=ALL, --no-new-privileges, memory limits, PID limits) are applied to every job by default.

Container hardening works with all job types: single renders, parameter sweeps, BYOS (Bring Your Own Scene) UE5 projects, and Docker Only jobs.

FAQ

What happens if the job fails?

All project data is securely wiped regardless of whether the job succeeds or fails. You are not charged for jobs that fail before rendering begins.

Is container hardening applied to all jobs?

Yes. Every job automatically runs in a hardened Docker container with --cap-drop=ALL, --no-new-privileges, memory limits, and PID limits. No opt-in is required.

Does container hardening affect render quality?

No. The rendering process is identical. The security flags have negligible impact on GPU-heavy workloads.