A model where cryptographic keys remain fully outside the service provider boundary and are used through controlled external trust.