Designed so your security and legal teams can answer "is this safe to put our offsite on?" with specifics — not vibes. Here is exactly how it fits together.
Three actors, one rule. Your organization issues certificates. A Geo-managed relay authenticates them and routes the right traffic to the right peers. Members hold their own keys on their own devices. A computational wall keeps your space and the public app from ever seeing each other.
Your organization: Issues + revokes per-member certificates
Managed super-peer: Authenticates · gatekeeps · routes
Members’ devices: Hold keys · gossip events P2P
Hard wall
Public Geo app: Anonymous · aggregate-only · separate namespace
Four primitives, no surprises
Per-member certificates
Each member gets a certificate signed by your organization: alias, role, and an optional verified email. Membership is what the certificate says it is — and you can revoke it at any time. Access ends at the relay, not by trust.
Cryptographically signed by your org — not by Geo
Revocation propagates to the relay immediately
Role-aware — organizers see identity, members see aggregates
The gatekept relay
A managed super-peer that we operate. Its job is small and specific: authenticate every connection against your organization’s certificate authority, and only route your private topics to authorized peers. It is a gatekeeper and a rendezvous — not a content store.
Event content lives on member devices, not the relay
Connection + access metadata is logged for your audits
We operate it; we do not get to see your event payloads
The hard wall
Public topics are addressable by geography alone — anyone can find them. Private topics are addressable only with your organization’s secret. Public clients cannot subscribe to your topics because they have no way to compute the topic key. Identity, arrival, departure, and in-space relationships never merge into the public reputation graph.
Cryptographic separation: no shared key, no overlap
Enforced by the relay and by the client — defense in depth
No silent fallback from private to public, ever
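The separation described in this section, as an added sketch that is not Geo's own code. The page does not state how topic keys are derived, so the HMAC-SHA256 construction, the label constants, the `Relay` class and every function name here are assumptions chosen for illustration.

```python
import hashlib
import hmac

# Assumed construction: the page does not specify how topic keys are derived.
PUBLIC_LABEL = b"public-topic-v1"    # hypothetical domain-separation labels
PRIVATE_LABEL = b"private-topic-v1"


def public_topic(cell: str) -> str:
    """Public topic: computable by anyone from geography alone."""
    return hashlib.sha256(PUBLIC_LABEL + b"\x00" + cell.encode()).hexdigest()


def private_topic(org_secret: bytes, cell: str) -> str:
    """Private topic: requires the organization's secret as the HMAC key."""
    if len(org_secret) < 32:
        raise ValueError("org secret must be at least 32 bytes")
    msg = PRIVATE_LABEL + b"\x00" + cell.encode()
    return hmac.new(org_secret, msg, hashlib.sha256).hexdigest()


class Relay:
    """Relay-side gate: private topics are routed only to authorized peers."""

    def __init__(self):
        self.private_acl = {}  # topic id -> set of authorized member ids

    def register_private(self, topic: str, members: set) -> None:
        self.private_acl[topic] = set(members)

    def subscribe(self, topic: str, member_id=None) -> bool:
        allowed = self.private_acl.get(topic)
        if allowed is None:
            return True  # not a registered private topic: public namespace
        return member_id in allowed  # private: deny anonymous and non-members


def resolve_topic(cell: str, org_secret=None, private: bool = False) -> str:
    """Client side: a private request without a secret fails, never goes public."""
    if private:
        if org_secret is None:
            raise PermissionError("private space requested but no org secret")
        return private_topic(org_secret, cell)
    return public_topic(cell)
```

The client check and the relay check are independent, so a bug in one does not by itself expose a private topic.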
Versioned consent + audit
When a member joins your space, the exact text of the disclosure they accepted is captured against a specific policy version ID. Years later, you can still reproduce the words they agreed to. DSAR requests are answerable by registry ID and timestamp.
Per-member consent records, never overwritten in place
Exact disclosure text reconstructable for any join event
Cryptographic identity per member. No shared accounts, no SSO password to phish. Certificates are revocable in real time; revocation is enforced at the relay.
Data flows & retention
Event content moves directly between authenticated peers. The relay logs connection + access metadata for your audits; retention is configurable. No third-party analytics, no tracking pixels.
Audit & DSAR
Every consent record carries the policy version ID, the disclosure snapshot, and the timestamp. Reproduce any member’s agreement on demand. Export and erasure tooling included.
What Private Spaces are not
Private Spaces are for events that happen in the real world inside your organization. They are not:
a chat app — use Slack, Teams, email for messaging
a video conferencing replacement
anonymous to your organization — you see who you invited
retroactive — content created in a private space stays in that space
Ready to put your offsite on Geo?
We’ll walk your security and legal teams through the architecture in detail and provision a sandbox space for evaluation.