How the On-Chain Audit Trail Works

Most apps ask you to trust their database. Ours leaves a trail anyone can check, even us.

Here is what that means in plain English.

Every tap leaves a record

When you tap Approve on a draft email or a calendar event, the assistant writes down what just happened: which tool, what was sent, when, who asked, and what came back. That record gets a fingerprint nobody can forge. The fingerprint is small. The record is small. We keep both.

Every five records, a receipt of receipts

Every fifth action, we take all the fingerprints from the last five and roll them into one. Then we post that one to a public chain. The public chain is not ours. It costs us a fraction of a cent to post. We cannot quietly remove it.

Why this matters: if we ever tried to rewrite history by editing one of your earlier actions, the rolled-up fingerprint would no longer match the new edits. The chain catches the lie.

Every record gets a public backup

Beyond the chain, each record also lands on a public storage network the day it is signed. Anyone can fetch the same record from that network and compare it to what we have. If they differ, somebody changed something.

You can see these backups on your security page. The small filecoin: and 0g: links next to each row open the public copy.

Why we built it this way

The simplest version of trust is "we promise." That breaks the day promises change hands. Companies get acquired. Founders leave. Databases get migrated.

The version that survives those days is a record on a network we do not own. So that is what we built.

This is the same plumbing that lets you prove a year from now that the email your assistant sent really did go out on the date you remember. Nothing fancier than that, but nothing weaker either.