Tamper-evident
Mutate any sealed record by a single byte and the signature fails. We don't trust the storage layer, the cloud provider, or our own future selves — the math does the trusting.
Home / Platform / Provenance Ledger
Platform · The differentiating layerThe Provenance Ledger. The receipt under every answer.
Other AI assistants give you confident sentences. Lossless gives you a sealed envelope behind every fact: who said it, when, in what version, signed at the moment it entered your account, and verifiable a decade later. We invented a name for this layer because nobody else built it. It's called the Provenance Ledger.
A single Shopify order, expanded. Seven lifecycle events. Each one sealed at ingestion, each one chained to the next, each one independently verifiable. This is what one record looks like inside the Provenance Ledger. There are a hundred thousand of them in a typical Lossless account.
Our term · Our category
A Provenance Ledger is what an evidence-grade memory looks like.
A Provenance Ledger is an append-only store of atomic, typed records — each one signed at ingestion with the source pointer, the parser version, the user's consent scope, and a cryptographic seal. Records are chained through their lifecycle (an order → payment → shipment → return → refund are linked, not orphaned rows). The ledger is bi-temporal: amendments don't overwrite history, they extend it. Every read is audit-logged. Every export carries the signatures with it. Re-verify the chain ten years from now and it still holds.
This is the layer beneath every Lossless surface — Records, Chronology, Chat, Voice, the Agent API, every Workspace. When we say a Lossless answer is grounded, we mean it cites a row in the Provenance Ledger. No row, no answer.
Cryptographically sealed
Ed25519 signature over canonical JSON at ingestion. Content-addressed storage. Per-tenant signing key. The seal is computed once and travels with the record forever.
Audit-ready
Every read, every write, every agent call writes an audit row. "Who saw what, when" is a query — not a forensic project. Export the audit log to your CPA, your lawyer, your auditor in one click.
Court-defensible
Bi-temporal model (occurred-at and known-at) plus signed chain means the ledger reconstructs to "as of any date X" — the bar for discovery, FRE 902(14) self-authentication, and forensic accounting.
User-owned & exportable
Your signing key, your bucket, your namespace. Export the entire ledger as a signed bundle whenever you want — Lossless going dark tomorrow cannot strand a single record of yours.
Immutability guarantee
Append-only. Corrections become new versioned records that reference what they amend — they never overwrite. The original is still there, still signed, still queryable as of any prior date.
The architectural difference
Why we coined a new term. Because the old ones don't fit.
"Memory" is a vector database with no source. "Knowledge base" is a wiki nobody updates. "Audit log" is a write-only file nobody can read across. None of those words capture what we built — so we named it.
What AI assistants ship today
- Documents chunked into 512-token slabs — provenance discarded
- "Memory" is a single embedding namespace shared across users
- Answers cite a vector cosine score, not a record
- No lifecycle — an order, its payment and its refund are unrelated rows
- Last-write-wins. An amendment overwrites the original silently
- "Export" means a JSON dump with no integrity guarantee
- "Audit log" is the vendor's internal observability, not yours
The Lossless Provenance Ledger
- Atomic typed records, sealed at ingestion · Ed25519 signed
- Per-tenant DB, bucket, vector namespace and signing key
- Every answer cites the row — open the envelope, see the source
- Lifecycle chained: order → payment → ship → return → refund linked
- Bi-temporal. Amendments extend history, never overwrite it
- Export is a signed bundle. Re-verify the chain offline, forever
- Read/write audit log is the customer's — queryable, exportable
Specific use · By customer
What the Provenance Ledger does concretely for each Workspace.
The same six guarantees, six different shapes of value. Each Workspace uses the ledger as its evidentiary backbone — the thing the IRS, the opposing counsel, the auditor, or the agent on the other end of the API will accept without argument.
For households & CPAs · Every January, every line auditable
Hand your CPA a signed bundle, not a shoebox. Every deduction maps to a sealed receipt, every K-1 to its source statement, every Schedule E line to the lease and the payout that backs it. Audit risk drops because the math is reproducible from the ledger.
What it unlocks: one-click CPA handoff · IRS-ready binder export ·
"show me the source" on every line in the return · reproducible
recompute years later.
For divorcing households · Forensic accounting, 60–80% automated
Divorce discovery normally costs $15–60K in forensic accountant hours reconstructing transactions across years of statements, email, and Venmo. The Provenance Ledger already is that reconstruction — chained, dated, signed, and self-authenticating under FRE 902(14).
What it unlocks: as-of-date reconstruction · marital-vs-separate
classification with citations · single-button discovery export ·
opposing counsel cannot dispute the chain.
For landlords & small portfolios · Schedule E without the shoebox
Every rent collection, every CapEx receipt, every depreciation schedule, every tenant communication chained to the unit. When the tax-time question is "where's the documentation for this $4,800 roof repair," the ledger has the receipt, the contractor's invoice, the bank charge, and the message that authorized it — sealed, dated, exportable.
What it unlocks: Schedule E binder · per-property P&L with
sourced lines · tenant-dispute timeline · depreciation continuity
across the holding period.
For attorneys & clients · Custody & support, dated & sourced
Communications, exchanges, transfers, and missed-pickups become sealed records the moment they enter the account. Build a child-support recomputation, a custody-calendar reconstruction, or a marital-agreement timeline straight from the ledger. The other side's lawyer cannot argue with the seal.
What it unlocks: sealed evidence binder per matter · timeline
view across years of family records · attorney-friendly export
packs.
For defendants & counsel · Alibi & disclosure reconstruction
The defense version of forensic accounting: cell tower pings, charges, tolls, calendar entries, ride-share trips, and messages chained into a sealed, dated reconstruction of where someone was and what they did. Discovery becomes proactive, not reactive.
What it unlocks: as-of-date location & activity reconstruction ·
tamper-evident alibi binder · sealed bundle for counsel · chain
preserved through trial and appeal.
For attorneys & guardians · Multi-year matters, evidence intact
Juvenile matters span years and switch hands across attorneys, GALs, and courts. The ledger is the continuity — sealed records, audit log, and export bundle survive any change of counsel. The next attorney inherits an authenticated history, not a folder of PDFs.
What it unlocks: sealed evidence ledger across hand-offs ·
audit log of who accessed what · matter-scoped export.
For founders running on agents · Agent Cost Recovery
Every API call, model invocation, vendor charge, and reimbursement request enters the Provenance Ledger sealed and chained. When you dispute a vendor charge, claim a R&D tax credit, or reconcile agent-driven spend across LLM providers, you don't argue with a screenshot — you produce a sealed bundle.
What it unlocks: vendor-dispute pack · R&D credit
substantiation · cross-provider agent spend reconciliation ·
corporate-concierge artifact archive.
For multi-entity households · One ledger, every entity
HNW finances live across LLCs, trusts, brokerage, real estate, and entity-to-entity transfers. The Provenance Ledger lets the CPA query across the whole estate without trusting a bookkeeper's spreadsheet. Every cross-entity transfer is a chained, sealed record on both sides.
What it unlocks: cross-entity P&L · related-party
transaction trail · estate-planning evidence pack · K-1
substantiation by entity.
Anatomy of one sealed record
Open the envelope. Every field has a reason.
The graphic at the top of this page is one Shopify order, expanded. Here's what each part of the envelope means in plain English — and why we built it this way instead of just storing a JSON blob.
- Source pointer. The exact origin — a Shopify order ID, a Gmail message URI, a Plaid transaction hash. Re-fetch and re-verify against the seal.
- Parser version. The version of the schema-aware connector that produced the typed record. If we rev the parser, the old record's seal still validates against the old version.
- Consent scope. What the user actually permitted — read receipts, not bodies; read vehicle telemetry, not finance. Recorded on the record itself so the scope travels with it.
- Lifecycle chain. Order → payment → shipment → delivery → return → refund are linked by chain ID, not by guesswork. The right column of the graphic is this chain.
- Bi-temporal stamps. Both occurred-at and known-at. An amended bank entry doesn't overwrite — it appends with a known-at later than the original.
- Ed25519 signature. Computed over the canonical JSON form at ingestion. The seal you see at the bottom of every card in the graphic. One byte change → invalid.
- Audit row. Every read of this record writes a corresponding line to the audit log. Includes which agent, which scope, which session.
- Export bundle membership. The record knows which exports it has been included in — so a CPA's January bundle and a lawyer's discovery bundle are both reproducible.
"Every other AI tool is a black box that promises a good answer. Lossless is a glass box that proves it."
— Beta user · forensic CPA
Continue the architecture tour
Provenance is the floor. Records are the bricks.
Now that you've seen what gets sealed, see what we seal — the atomic unit, the schema, the typed payload. Or jump to the back of the pipeline and see how the seal is verified at read time.