Trust through structure,
not promises.

Every SaaS asks you to trust that admins won’t read, export, or mutate user data they shouldn’t. That trust is enforced by HR policy, NDAs, and access logs that the same admins can edit. There is no structuralreason a curious or coerced admin can’t quietly read your data right now. The industry has normalized this and given it a soothing name: access controls.

Access controls describe what is allowed. They do not describe what actually happened. The gap between those two things is where every real breach, insider incident, and quiet exfiltration lives.

The bug is easier to see once you line up the clauses side by side. Every privacy policy on earth contains a variant of the same sentence: “We limit access to [employees / authorized personnel / school officials / covered entities] who have a [need to know / legitimate educational interest / minimum necessary / authorized business purpose].” The load-bearing verb is “we limit.” It describes a promise about future behavior by employees the reader cannot see, enforced by HR policy the reader cannot inspect, recorded in audit logs the same employees can rewrite. It is structurally unverifiable. The reader is asked to take the sentence on faith.

The industry costume changes. The clause does not. Google says its employees are under “strict contractual confidentiality obligations” and may be disciplined or terminated for misuse — you cannot check whether any specific access was legitimate, or whether any discipline ever followed. Banks say access is limited to “authorized personnel” under role-based access control and the principle of least privilege — you cannot check whether the access logs shown to the auditor are the actual access logs, or whether a DBA quietly scrubbed a few rows the night before the audit. HIPAA-covered entities say protected health information is read only to the “minimum necessary”— you cannot check whether last Tuesday’s read of your chart was minimum-necessary, or was curiosity, coercion, or a billing dispute you were never told about. Schools and universities say records are accessed by officials with “legitimate educational interest” — and at least one FERPA notice in plain language adds that “curiosity is not a legitimate educational interest” — but you cannot check whether the professor who pulled your transcript in March had an educational reason, or was looking up a neighbor’s kid. Insurers, utilities, HR systems, dating apps, ride-share services, consumer-finance providers — every one of them has a clause in this exact shape. The verb is limit, or restrict, or ensure, or permit only. Every one of them is a promise about an employee’s state of mind at the moment of access. Nothing in the existing stack lets the affected person check whether that state of mind was real.

This is the same structural bug, over and over, in seven costumes. The reason it has been normalized is not malice — it is that the infrastructure to close the gap did not exist as commodity software until about three years ago. The clause is in every policy because there was no alternative to write instead. There is now. Read the receipts → for the verbatim text of every clause this section names (GDPR, HIPAA Privacy & Security, CCPA, PIPL, FERPA, GLBA, PCI DSS, NYDFS, HITECH, 42 CFR Part 2, SOC 2, DORA) with primary-source links that scroll straight to the sentence on each regulator’s own website.

And now the costume has changed one more time. The eighth version of this clause is not about personnel at all. It is about a large language model with tool-use credentials, handed a database connection string by an engineer who has since moved teams, given a “need to know” defined by a prompt template nobody reviews, running on a schedule no human attention span can match, executing thousands of queries per user per day against records the affected person will never be told were read. The industry is about to write this version of the clause into every privacy policy on earth — in the same voice, with the same load-bearing verb, with the same structural unverifiability. “We restrict automated systems to the minimum data necessary for their intended task.” “Our AI assistants operate under the same access controls as our employees.” “Agent access is limited to authorized workflows.” Each sentence is a promise about the state of mindof a process that has no state of mind. “We trust our employees” at least survives a polite conversation. “We trust our LLM” does not survive being said out loud. The gap between promise and architecture, wide for forty years of human admins, is about to become a canyon in the next eighteen months of autonomous ones.

The standard answer is “we have audit logs.” Audit logs are written by the same system being audited, on disks the admin can reach, in formats the admin can rewrite. The compliance industry sells platforms to the company being audited, not the user. It is selling fire alarms to the arsonist. They satisfy compliance because compliance was designed around what was technically convenient in 2005, not around what would actually catch a bad admin in 2026.

If you can DELETE FROM audit_log and the only thing stopping you is a policy document, the audit log is not evidence. It is decoration. It is paperwork, not proof.

The fix isn’t more policies. It is a cryptographic guarantee, exactly the way Certificate Transparency became the default for web traffic. It’s making the access trail a property of the infrastructure, not a feature of the admin’s good behavior. Cryptographic linking, so an entry can’t be retroactively edited without breaking every entry after it. An independent observer that reads the database’s own replication stream and maintains its own chain, so a compromised proxy can’t quietly lie about what it forwarded — v1 ships with one observer, and commits to full Byzantine-fault-tolerant witnesses in v2 via multi-observer quorum. And — the part nobody else does — verification that runs on the user’smachine, in their browser, in WASM, so the server can’t fake a passing result.

If the server lies, the user finds out. Not the auditor. Not the regulator. The user. That inversion is the entire product.

When a human admin touches your data, you should know. When an AI agent touches your data, you must know. That sentence is the entire “why now.” Every other reason is a footnote to it.

The old trust model — “we promise our employees won’t peek” — could limp along for forty years because the admin population at any given company was a small set of vetted humans with HR files, working hours, and an implicit social cost to misbehavior. Slow, flawed, sometimes abused, but real. That model does not survive the moment when “our employees” means “an autonomous process running with admin credentials, on a schedule, at scale, in service of a prompt nobody reviewed.” You cannot interview an LLM. You cannot fire an LLM. You cannot check whether last Tuesday’s read of a user’s record was “minimum necessary” or “legitimate educational interest” or any of the other state-of-mind phrases the clause has worn for decades — because there is no mind to check.

There is also the second answer, which is still true and still worth saying: the five primitives that make this protocol possible (Merkle chains, transparent database proxies, client-side WASM verification, per-customer VPCs, Rust systems networking) all hit commodity maturity within the last three years. The category could not have existed in 2018. It can exist now. GDPR Article 32 enforcement is the first forcing function. AI agents with database credentials are the second, and unlike the first, the second has no opt-out, no “we’re a US company so it does not apply,” and no willingness to wait for a competitor to get fined.

Every era has its landlords — systems that say “trust us.” Today they wear enterprise logos. In the digital world, we own less every year — data, memory, history are all rented back to us monthly by whoever holds the servers. Users operate like serfs, paying a subscription landlord with no verifiable proof of what happens behind the API. You do not beat these landlords by storming the castle; you make the castle unnecessary. The empire falls by irrelevance. The architectures that survive will let the user look inside. The rest will hide behind a marketing page that says “enterprise-grade security” and mean nothing by it.

AGPLv3. The reference implementation — the Rust proxy, the chain engine, the replica verification, the dashboard, the Terraform — is all in the server/ repo. You can read it. You can run it. You can fork it. You can host the entire stack on your own metal and never pay us a cent, and that’s the same software we run for paying customers.

This is not a marketing concession. If we kept the proxy closed, we’d be asking users to trust usnot to lie about what the proxy does — exactly the failure mode the product exists to prevent. Open source isn’t a nice-to-have here. It is the only configuration in which the claim is real.

Not a blockchain. There’s no consensus, no token, no distributed ledger. Each user has their own independent append-only chain, and when they delete their account the chain goes with them — GDPR by construction.

Not a compliance checklist. The compliance industry manages policy — who has permission, which controls are documented, which attestations are signed. We make one specific thing — what an admin actually did to user data — tamper-evident and user-visible.

Not a way to lock you into our cloud. The hosted offering exists because most teams don’t want to operate replica VMs, write Terraform, and manage TLS. If you do want to, the AGPLv3 repo is right there.

Not a gateway wire-tap. Agent gateways do useful work, but an agent that bypasses the gateway and uses raw database credentials is invisible to them. We watch the wire protocol, so we see everything that touches the database.

Not a prompt-trace tool. Observability tools log what the model said. We log what the database actually served. If you want to know what your agent did, you need to see the data it pulled.

Not an agent credential vault. Vaults manage the issuance of credentials; we audit their use. The distinction matters because minting credentials and recording access are orthogonal — the right architecture has both.

Not an AI guardrail. Lakera, Robust Intelligence, and NeMo Guardrails block what an AI does at runtime— a different category, often a complementary one. We don’t decide whether the agent should have made the query. We record what happened, after the fact, into a log the affected user can verify. Camera, not the locked door — most deployments need both, and we ship the one nobody else does.

Read the code. Run it against your own database. Verify a chain in your own browser. Then, if you don’t want to operate it yourself, let us host it for you. The product is the same either way. The point is that you can leave at any time — and that the trust property doesn’t depend on us being trustworthy.

That’s the whole pitch. Trust through structure, not promises. Deploy it. Verify it. Trust nothing.