Security & Sovereignty

Architecture for Trust

Audience: CISO (RSSI) / CIO (DSI) / Security Architects / Compliance Officers

This document explains how Horizon's architecture ensures data integrity, tenant isolation, and supports sovereign deployment requirements.

Append-Only Architecture

The inability to modify or delete sealed facts is not a configuration option or policy decision. It is an architectural constraint enforced at every layer.

Operation | System Behavior
Create fact | Allowed
Read fact | Allowed
Update fact | No mechanism exists
Delete fact | No mechanism exists

There is no admin override, no maintenance mode, no "soft delete". The append-only property is intrinsic to the system design.

Hash Chain Enforcement

Every fact is cryptographically linked to its predecessor. Any modification to a fact changes its fact_hash, breaks the prev_hash link from the next fact, and is immediately detectable by chain verification. This creates mathematical proof of integrity, not just access control.

Tenant Isolation

All data is scoped by tenant_id at the architectural level. Tenant A cannot list, read, verify, or access Tenant B's streams, facts, chains, or bundles. This isolation is enforced at the data layer, not just the API layer. Each tenant's streams maintain independent hash chains.

Privacy by Design

The custom_payload field is opaque to Horizon. Schema is not enforced, validation is not performed, indexing does not occur, and interpretation is not attempted. Horizon stores your payload exactly as provided.

Cryptographic Foundation

Facts are hashed using SHA-256 applied to a canonical JSON representation. Proof bundles are signed using Ed25519 with 256-bit security level. Bundles are self-contained: verification requires only the bundle itself and Horizon's public key. No network access to Horizon is required for verification.
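An added example, not Horizon's own code, of the chain verification described under Hash Chain Enforcement, using the SHA-256-over-canonical-JSON hashing described above. The canonical form (sorted keys, compact separators, UTF-8), the all-zero prev_hash for a stream's first fact, the trusted_head parameter, and all function names are assumptions; only tenant_id, custom_payload, fact_hash and prev_hash come from this document.

```python
import hashlib
import json

GENESIS_PREV_HASH = "0" * 64  # assumption: prev_hash of a stream's first fact


def canonical_json(obj):
    # Assumed canonical form: sorted keys, compact separators, UTF-8 bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def compute_fact_hash(fact):
    # Covers every field except fact_hash itself, so prev_hash is bound in.
    body = {k: v for k, v in fact.items() if k != "fact_hash"}
    return hashlib.sha256(canonical_json(body)).hexdigest()


def append_fact(chain, tenant_id, custom_payload):
    prev = chain[-1]["fact_hash"] if chain else GENESIS_PREV_HASH
    fact = {"tenant_id": tenant_id, "prev_hash": prev,
            "custom_payload": custom_payload}
    fact["fact_hash"] = compute_fact_hash(fact)
    chain.append(fact)


def first_break(chain, trusted_head=None):
    """Return None if the chain verifies, else (index, reason)."""
    expected_prev = GENESIS_PREV_HASH
    for i, fact in enumerate(chain):
        if fact.get("prev_hash") != expected_prev:
            return (i, "prev_hash does not match predecessor")
        if compute_fact_hash(fact) != fact.get("fact_hash"):
            return (i, "fact_hash does not match content")
        expected_prev = fact["fact_hash"]
    # A chain re-hashed end to end is self-consistent; only a head hash
    # recorded outside the store exposes it.
    if trusted_head is not None and expected_prev != trusted_head:
        return (len(chain), "head hash differs from trusted head")
    return None


def build_sample_chain():
    # Constructed sample data for one tenant's stream.
    chain = []
    for payload in ({"event": "created"}, {"event": "approved"}, {"event": "paid"}):
        append_fact(chain, "tenant-a", payload)
    return chain
```

A fact edited in place fails at its own index, a fact edited and re-hashed fails at the next fact's prev_hash, and a chain re-hashed through to the head passes unless the head is compared with a copy held outside the store.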

Proof Ownership

Once a proof bundle is exported, it becomes your autonomous property: it has no dependency on Horizon, serves as portable evidence in any jurisdiction, stays valid indefinitely even if Horizon ceases to exist, and can be verified by any third party, whether auditor, court, or regulator.

Deployment Options

SaaS

Horizon-managed infrastructure, automatic updates, SOC 2 and GDPR-ready

On-Premise

Your infrastructure, full control, your jurisdiction

Air-Gapped

No external connectivity, manual updates, fully offline verification