Your Dedicated VM
Every Hermes subscriber gets a dedicated AWS Lightsail VM. This is not a shared container — it's your own isolated server.
| What you get | What you don't share |
|---|---|
| Your own VM (Lightsail instance) | Compute with other users |
| Your own memory files | Agent state or conversation history |
| Your own tool connections (Gmail, Slack…) | OAuth tokens or credentials |
| Your own bot token | Telegram bot identity |
| Your own encryption keys | Signing keys or mTLS certificates |
Security guarantees
- No public IP on your VM
- No SSH from Helium — your agent pulls its own config
- LLM keys never on your VM — all model calls go through a central gateway
- OAuth tokens never on your VM — decrypted in-memory in a separate service per call
If any provisioning step fails, the system automatically rolls back, cleans up all resources, and issues a full Stripe refund. You'll never be charged for a failed provision.