Question 1

How does ZeroCopy compare to Turnkey for signing speed?

Accepted Answer

Turnkey P50 is 75ms (hosted SaaS, your signing traffic leaves your network). ZeroCopy Sentinel targets 41µs P50, a modeled improvement of approximately 1,215x. The difference is architectural: Turnkey routes every signing request through its hosted infrastructure; Sentinel signs inside your own VPC with no external round-trip.

Question 2

Who holds the private keys with Turnkey vs ZeroCopy?

Accepted Answer

Turnkey holds your keys in its hosted infrastructure; you cannot sign without Turnkey's servers. ZeroCopy Sentinel keeps your keys inside an AWS Nitro Enclave in your own VPC. ZeroCopy has no access to your keys, and neither does AWS when using Sentinel.

Question 3

Does signing traffic leave my network with Turnkey?

Accepted Answer

Yes. Every Turnkey signing request travels to Turnkey's hosted infrastructure over the internet and returns. With ZeroCopy Sentinel, signing requests travel from your application to the Nitro Enclave via virtio-vsock, a local IPC channel that never leaves your VPC.

Question 4

Is Turnkey or ZeroCopy better for institutional compliance?

Accepted Answer

ZeroCopy is designed for institutional compliance: keys in your VPC (self-custody), SOC 2 Type II examination scheduled for Q3 2026, SEC 17a-4 immutable audit log via S3 Object Lock, and EU AI Act Article 14 policy engine. Turnkey is a hosted service, so key material resides in Turnkey's infrastructure rather than your own.

Question 5

Can ZeroCopy replace Turnkey for an existing integration?

Accepted Answer

Yes. The Sentinel signing API is designed for drop-in replacement: same ECDSA output format, same key address derivation, same transaction serialization. Migration typically takes one to two weeks: parallel deployment, attestation verification, then traffic cutover.

Question 6

What happens to my keys if Turnkey shuts down?

Accepted Answer

With Turnkey, if the service is unavailable, signing stops. With ZeroCopy Sentinel, the enclave runs in your AWS account. There is no runtime dependency on ZeroCopy servers. If ZeroCopy shuts down, you fork the open-source zcp CLI and continue operating.

Question 7

Does Turnkey use TEE technology?

Accepted Answer

Turnkey uses secure enclaves in its hosted infrastructure. ZeroCopy deploys an AWS Nitro Enclave inside your own VPC, so the hardware isolation boundary is under your control and within your network perimeter rather than a third-party's data center.

Question 8

What is the annual cost difference between Turnkey and ZeroCopy?

Accepted Answer

Turnkey pricing is usage-based per signing operation. ZeroCopy is a fixed annual license per signing pod, so per-signature cost decreases as volume grows. For firms running more than 1 million signatures per day, ZeroCopy's fixed-cost model typically results in lower total cost of ownership.

Feature	Turnkey	ZeroCopy Sentinel
P50 Latency	75ms	41µs (target)
Key Location	Turnkey infrastructure	Your VPC enclave
Signing Traffic	Leaves your network	Stays in your VPC
TEE Type	Hosted enclave	AWS Nitro Enclave (your account)
SOC 2 Type II	Available	Scheduled Q3 2026
Pricing Model	Per-operation	Fixed annual license
Open Source CLI	No	Yes (zcp)
Kill Switch	Account-level	Cryptographic fleet revocation
Policy Engine	Limited	Declarative Rust rules, hot-reload
EC2 Dependency	None (hosted)	c6i/m6i/r6i family with Nitro

Feature	Turnkey	ZeroCopy Sentinel
P50 Latency	75ms	41µs (target)
Key Location	Turnkey infrastructure	Your VPC enclave
Signing Traffic	Leaves your network	Stays in your VPC
TEE Type	Hosted enclave	AWS Nitro Enclave (your account)
SOC 2 Type II	Available	Scheduled Q3 2026
Pricing Model	Per-operation	Fixed annual license
Open Source CLI	No	Yes (zcp)
Kill Switch	Account-level	Cryptographic fleet revocation
Policy Engine	Limited	Declarative Rust rules, hot-reload
EC2 Dependency	None (hosted)	c6i/m6i/r6i family with Nitro

ZeroCopy vs Turnkey

The Latency Gap

Custody Architecture

Side-by-Side

Honesty Box: When Turnkey is the right choice

Move your keys in-VPC

Other comparisons