COTRUGLITECH
Cotrugli Ledger · Custody

Shred the document. The proof survives.

Storage keeps things. A safe decides who may take them out, records every refusal, and can destroy what it holds without destroying the evidence that it once held it. The Vault keeps evidence by hash on source by default, treats encrypted custody as the governed exception rather than the norm, and lets documents leave only through single-use approvals committed in advance.

Launch the live demo →
The demo asks for a username and password. We issue those directly — ask us for access.
Don't trust us — verify.

What it is

A safe, not a hard drive.

Most systems answer “where is the document?”. The harder question is “who was allowed to have it, and what happened when someone who wasn't allowed asked?” — and that question is the Vault's whole subject.

Egress is gated by a real Chamber: a deal party is served, a suspended or unknown requester is refused, a member who isn't party to the deal is told an approval is missing, and a forged approval binding is caught as exactly that. Every refusal lands in the audit, because refusals are evidence too.

Then there is retirement. A deal is retired through a ceremony requiring two signers, which produces an attested record, and then the content is shredded. It is genuinely unrecoverable. The commitment holds, and every ledger entry still replays offline. Erasure and proof are not in tension here — that is the point of the design.

What you can check yourself

Ask for a document you shouldn't have.

The governed egress demo lets you pick who is asking and watch the gate decide, with the specific reason named — not a generic denial. A refusal that won't say why is indistinguishable from a bug.

The dossier shows manifests and hashes only. The documents themselves never reach your browser, which is not an oversight but the boundary being enforced in front of you.

01

The custody story, rebuilt live

Two deal chains, premium custody in a dual-control safe, and a retirement ceremony that shreds on completion.

02

Governed egress

Served, refused, approval missing, or a forged binding caught — each with the reason named, each landing in the audit.

03

Shred, then replay

Watch content become unrecoverable while the commitment holds and every entry still verifies offline.

What this does not claim

What a breach here would, and would not, cost you.

Infrastructure that oversells itself is worse than none, because people rely on it for things it was never built to do. So, plainly:

A Vault breach never breaks the ledgerThe custody layer holding content is separate from the evidence that content existed. Losing the safe does not rewrite history.
Erasure never breaks a proofShredding destroys the content and leaves the proof intact. That is the guarantee, and it is demonstrated rather than asserted.
Documents never reach the browserThe dossier is manifests and hashes. If you can see a document here, something is wrong.
Experimental and local, with a self-attested anchorSynthetic keys throughout, and no external witness in this mode.

A safe that can forget — and still prove.

Ask for something you shouldn't have and watch the gate name the reason. Then retire a deal, shred it, and verify the proof anyway.

Request access