OmniRun runs AI agent workloads in VM-isolated microVMs in the EU, inside your perimeter, with the egress posture you choose. Here is what we can and cannot claim — stated plainly.
Sandboxes run in Hetzner data centers in Germany. Your code and files stay in the EU -- or on your own hardware if you self-host. Data residency is a property of where the VM runs, which you control.
Every workload runs in its own Firecracker microVM with a dedicated Linux kernel -- the isolation model behind AWS Lambda. A kernel exploit in one sandbox cannot reach another; there is no shared kernel to cross.
No internet by default. internet: false is a genuine L3 air-gap. For workloads that need outbound access, an opt-in SNI proxy restricts a sandbox to an allow-list of hosts -- it forwards only TLS connections whose server name matches, and drops the rest.
File upload/download URLs expire and are scoped to a single sandbox. Sandboxes are scoped to the creating user. Optional end-to-end payload encryption (AES-256-GCM with ECDH P-256) protects commands and files in transit.
One honest caveat: Anthropic runs the model, so prompts and the conversation flow through Anthropic's API in every case. Self-hosting moves the tool execution into your perimeter; it does not move inference.
VM isolation, EU residency, and egress control — on your box or ours.