Tenancy model
Kristal Farms is designed to host compute without owning the tenant’s data and without turning the site operator into a surveillance authority.
The tenancy model is simple:
The host provides utilities up to the pad. The tenant controls everything inside.
This is called the black-box tenancy model.
The boundary (what “black-box” means)
A compute pad is treated as an opaque container:
- The tenant installs and controls their hardware, operating system, software, models, and data.
- The host operates the site infrastructure (power, cooling interfaces, heat export loop, fiber connectivity, physical security).
The host does not access tenant data, logs, model weights, or internal telemetry.
The host does not inspect network payloads.
What the host provides (the pad interfaces)
Each pad is delivered with a small set of standardized interfaces:
- Power handoff (metered, capacity-defined)
- Cooling / heat exchange interface (non-contact heat transfer boundary)
- Heat export integration (so waste heat can be reused)
- Dual fiber uplinks (A/B connectivity)
- Physical site services (yard access rules, security perimeter, safety systems)
These interfaces make the site modular: pads can be installed, removed, replaced, or upgraded without rebuilding the entire facility.
What the tenant controls
Inside the pad, the tenant controls:
- compute stack selection (GPU/CPU, storage, networking)
- all software and orchestration
- security posture and encryption
- workload scheduling and priorities
- model and data lifecycle
If a tenant wants maximum confidentiality, they can run end-to-end encryption and keep operational details private by default.
What the host is allowed to monitor (and why)
To operate infrastructure safely and fairly, the host monitors only physical / utility-layer metrics, such as:
- power draw / energy consumption
- cooling flow and temperature differential across the heat exchanger
- pad availability (heartbeat/power draw)
- network link status and aggregate bandwidth usage
- alarms (over-temperature, hardware fault signals, fiber drop, etc.)
This is monitoring of infrastructure health, not monitoring of tenant activity.
Optional: higher assurance onboarding
For tenants with extremely sensitive workloads, the model can support optional hardware attestation (proof that the pad is in a known secure state at turn-up).
This is not required by default. The baseline model relies on isolation + encryption + strict boundary enforcement.
Contract structure (lease + SLA)
Tenancy is enforced through clear contracts:
Lease defines capacity + interfaces
A lease typically specifies:
- IT power capacity (kW) and power quality expectations
- cooling interface parameters (supply/return ranges, flow targets)
- fiber ports and connectivity expectations
- physical access rules and safety requirements
SLA defines reliability + response
The SLA commits the host to:
- infrastructure availability targets (power/cooling/network)
- response times for incidents
- scheduled maintenance windows and notification practices
If the host fails to meet SLA targets, credits/penalties apply.
The heat-first clause (public value built into the lease)
Kristal Farms is not a “compute-first” project.
It is governed as a heat-first system:
- waste heat is directed to local uses (district heating, greenhouse heating) whenever possible
- seasonal priorities exist (e.g., critical buildings in winter)
Contracts include a clause requiring tenants to cooperate with heat reuse.
In rare conditions, the host may request—or contractually enforce—non-essential workload curtailment to stay within environmental limits or to maintain safe operations.
Important: curtailment is infrastructure-level (power/thermal signaling), never data access.
Step-in rights (only for safety and contract breaches)
The host cannot interfere with tenant workloads except under predefined conditions:
- safety emergencies
- breach of agreed caps (e.g., exceeding power draw)
- refusal to connect to required infrastructure interfaces
- environmental compliance constraints that are explicitly defined in advance
These rules are designed to prevent arbitrary control while still protecting the site and community.
Public transparency without tenant surveillance
Kristal Farms can publish a public dashboard with:
- aggregate energy use
- aggregate heat recovered / delivered
- site uptime metrics
- environmental compliance indicators
- high-level network performance
But public reporting is aggregated and anonymized:
no tenant-specific operational details and no content visibility.
Related pages
