Secretly·Sovereign Phases 1–2 built, deployed, verified · 2026
Secretly·Sovereign
00 Compliance-native file exchange

Dropbox‑simple.
GDPR‑provable.

Secretly Sovereign is a compliance-enforcing file sync layer: your data stays in its sovereign zone by construction, not by promise. Compliance runs in the request path, not in a document. Every file operation is classified, judged against jurisdiction policy, routed to its sovereign zone, encrypted with keys that never leave that zone, and audited. The user never thinks about regions. The system makes the residency decision, and when a transfer should not happen, it refuses, live, and writes down who asked, what was refused, and why.

Specimen · audit_log (us) captured live
eventupload
sessionus · usr_demo
filepassport-scan.txt · eu-resident
decisionPOLICY_DENIED
reason“EU PII must remain in the ‘eu’ zone; a us session cannot place it there”
ruleeu-data-refuse · set us-2.0.0
auditedus zone · its own log
01 Mechanism

One pipeline, enforced in line. Not bolted on.

Sovereign hosts store data in a region. Secure-file-sharing platforms hand you a policy document. Here the compliance story is the request path: five stages, every operation, no bypass to discipline yourself around. Buyers are moving from periodic attestations to continuous proof; the shortest route to continuous proof is a system that produces evidence for you.

1.0

Classify

Content, not filename. A spreadsheet of social security numbers named notes.txt is treated as US-resident data. A binary disguised with an innocent extension is flagged in the audit trail.

2.0

Decide

Versioned, per-zone rule sets judge the operation. Every denial records the exact rule and rule-set version that decided, so the decision is reconstructable months later.

3.0

Route

The jurisdiction router places data in the correct sovereign zone. Going from one zone to two changed zero interfaces; the router itself was never touched.

4.0

Encrypt

Zone-scoped keys held in the zone’s own namespace. The US side of the system physically cannot address EU key material. No code path to leak across, so no discipline required not to.

5.0

Audit

The refusing zone keeps the record. Each jurisdiction holds the evidence of its own enforcement, which is exactly the form a regulator asks for it in.

02 Evidence

Captured against the deployed system, not a slide.

Bidirectional enforcement, verified live. EU personal data pushed from a US session is denied by the US zone’s own rules; the symmetric case is denied symmetrically; a session reaching across zones is refused by the zone that owns the file.

Enforcement record · Phase 2 verification · 2026-07-06
Case Session File Decision Reason recorded Audited in
eu blocks us-data eu medicare-enrollment.txt POLICY_DENIED US-resident data must live in the “us” zone; an eu session cannot place it there eu audit_log
us blocks eu-data us passport-scan.txt POLICY_DENIED EU PII must remain in the “eu” zone; a us session cannot place it there us audit_log
home zone allows eu / us same files, home zone ALLOWED routed and encrypted in the correct zone respective zone
cross-zone reach us eu-owned file REGION_MISMATCH refused by the owning eu zone itself eu audit_log
content vs. name eu team-notes.txt (SSN inside) POLICY_DENIED classified us-resident from content, not filename eu audit_log
SSO share redeemed verified identity shared file (eu) ALLOWED audit row records who redeemed, verified cryptographically eu audit_log

Every row above is reproducible from the repository’s proof artifacts, with commands and captured output. The denial happens in front of the auditor and the audit row appears in the correct country’s log.

03 Findings

What has been proven. Not planned: proven.

3.1

Two sovereign zones coexist on one codebase.

An EU zone and a US zone, each with its own storage, database, and encryption key held in its own namespace. Key isolation is structural, not procedural.

3.2

The refuser keeps the record.

Enforcement is bidirectional, and the refusal lands in the refusing jurisdiction’s own audit log. Each country holds the evidence of its own enforcement.

3.3

One product, nothing sensitive crosses the border.

A federated metadata layer gives every user a single view of their files across zones. The federation store has no filename column at all; sensitive files appear across borders only as generated labels. Resolved by construction, not by promise.

3.4

Classification looks inside the file.

Residency decisions attach to what data is, not what it’s called. Magic-byte and content scanning catch mislabeled and disguised files.

3.5

Sharing carries identity when it should.

Ordinary share links are signed and time-limited. Sensitive shares require SSO before redemption, and the audit row records who redeemed, verified cryptographically.

3.6

Growth was rehearsed, and it was cheap.

Going from one zone to two changed zero interfaces. The next zone, a third country, a customer’s national cloud, an air-gapped deployment, is configuration and provisioning, not a rewrite. Claimed in Phase 1, treated as a falsifiable checkpoint in Phase 2, passed.

04 Warning

Sovereignty debt accrues silently. Compliance is graduating to proof.

Every feature shipped, market entered, and partner integrated while data location is unmanaged becomes something to untangle later: under regulatory pressure, at migration prices, on someone else’s deadline. The regulatory direction is one-way. GDPR set the template; PIPL, DPDP, and LGPD are converging on the same demand: prove where data lives, where it’s processed, and who holds the keys. The buyer’s question is shifting from “show me your policy” to “show me the enforcement record.” The products that answer with a system, not a document, will price like it.

Yesterday’s answer

“We have a policy.”

Today’s answer

“Here is the audit row showing the system refused the transfer.”

05 Indications

Priced against fines, not against 2TB plans.

Moving bytes is commoditized. What monetizes is the refusal and the receipt: provable, on-demand evidence that data could not have gone where it shouldn’t. Four models, in the order they’re reachable. Packaging principle: everyone pays for sovereignty, only some pay for identity complexity.

5.1

Compliance-grade file exchange

regulated SMB · legal, clinical, cross-border HR

Per-seat SaaS across three tiers. Core is a pilot-friendly self-serve plan with sovereignty built in. Business layers on SSO, SCIM, and identity-aware governance. Enterprise is priced as a platform, for regulated buyers who need customer-managed identity, dedicated deployments, and audit exports on demand.

5.2

Sovereign deployment licensing

governments · critical infrastructure · national cloud

Per-deployment annual license and support. Few customers, high value, high stickiness; what the hardened Phase 3 variants exist for.

5.3

Sovereignty middleware / OEM

SaaS platforms entering EU, India, Brazil

The classify, decide, route, encrypt, audit layer embedded under their product, so residency doesn’t require re-architecting theirs.

5.4

IoT telemetry sovereignty

field sensors · agricultural fleets

Telemetry that stays local to a jurisdiction by default, per device or per fleet, riding the Phase 3 device tier.

06 Limitations

Honest boundaries.

This is a working prototype that proves a pattern. Read the label.

Known limitations · disclosed
  • Login is mocked. SSO gates shares, not sign-in.
  • The key manager is a stand-in for HSM-backed custody.
  • Zone geography is logical, not yet contractually pinned to soil.
  • Compliance mappings are engineering approximations, not legal advice.

None of these are unknowns. Each has a designed slot in Phase 3, and none required interface changes to defer, which is the point of having proven the pattern first.

07 Availability

Live now. The denial happens in front of you.

Portal, CLI, both zones, and SSO shares are deployed and verified end to end at a single URL. A demonstration takes minutes: upload the wrong file from the wrong place, watch the system refuse, and read the audit row in the correct country’s log.

Compliance owners, platform operators, and regulated-industry teams seeking early access.