Dropbox‑simple.
GDPR‑provable.
Secretly Sovereign is a compliance-enforcing file sync layer: your data stays in its sovereign zone by construction, not by promise. Compliance runs in the request path, not in a document. Every file operation is classified, judged against jurisdiction policy, routed to its sovereign zone, encrypted with keys that never leave that zone, and audited. The user never thinks about regions. The system makes the residency decision, and when a transfer should not happen, it refuses, live, and writes down who asked, what was refused, and why.
| event | upload |
| session | us · usr_demo |
| file | passport-scan.txt · eu-resident |
| decision | POLICY_DENIED |
| reason | “EU PII must remain in the ‘eu’ zone; a us session cannot place it there” |
| rule | eu-data-refuse · set us-2.0.0 |
| audited | us zone · its own log |
One pipeline, enforced in line. Not bolted on.
Sovereign hosts store data in a region. Secure-file-sharing platforms hand you a policy document. Here the compliance story is the request path: five stages, every operation, no bypass to discipline yourself around. Buyers are moving from periodic attestations to continuous proof; the shortest route to continuous proof is a system that produces evidence for you.
Classify
Content, not filename. A spreadsheet of social security numbers named notes.txt is treated as US-resident data. A binary disguised with an innocent extension is flagged in the audit trail.
Decide
Versioned, per-zone rule sets judge the operation. Every denial records the exact rule and rule-set version that decided, so the decision is reconstructable months later.
Route
The jurisdiction router places data in the correct sovereign zone. Going from one zone to two changed zero interfaces; the router itself was never touched.
Encrypt
Zone-scoped keys held in the zone’s own namespace. The US side of the system physically cannot address EU key material. No code path to leak across, so no discipline required not to.
Audit
The refusing zone keeps the record. Each jurisdiction holds the evidence of its own enforcement, which is exactly the form a regulator asks for it in.
Captured against the deployed system, not a slide.
Bidirectional enforcement, verified live. EU personal data pushed from a US session is denied by the US zone’s own rules; the symmetric case is denied symmetrically; a session reaching across zones is refused by the zone that owns the file.
| Case | Session | File | Decision | Reason recorded | Audited in |
|---|---|---|---|---|---|
| eu blocks us-data | eu | medicare-enrollment.txt | POLICY_DENIED | US-resident data must live in the “us” zone; an eu session cannot place it there | eu audit_log |
| us blocks eu-data | us | passport-scan.txt | POLICY_DENIED | EU PII must remain in the “eu” zone; a us session cannot place it there | us audit_log |
| home zone allows | eu / us | same files, home zone | ALLOWED | routed and encrypted in the correct zone | respective zone |
| cross-zone reach | us | eu-owned file | REGION_MISMATCH | refused by the owning eu zone itself | eu audit_log |
| content vs. name | eu | team-notes.txt (SSN inside) | POLICY_DENIED | classified us-resident from content, not filename | eu audit_log |
| SSO share redeemed | verified identity | shared file (eu) | ALLOWED | audit row records who redeemed, verified cryptographically | eu audit_log |
Every row above is reproducible from the repository’s proof artifacts, with commands and captured output. The denial happens in front of the auditor and the audit row appears in the correct country’s log.
What has been proven. Not planned: proven.
Two sovereign zones coexist on one codebase.
An EU zone and a US zone, each with its own storage, database, and encryption key held in its own namespace. Key isolation is structural, not procedural.
The refuser keeps the record.
Enforcement is bidirectional, and the refusal lands in the refusing jurisdiction’s own audit log. Each country holds the evidence of its own enforcement.
One product, nothing sensitive crosses the border.
A federated metadata layer gives every user a single view of their files across zones. The federation store has no filename column at all; sensitive files appear across borders only as generated labels. Resolved by construction, not by promise.
Classification looks inside the file.
Residency decisions attach to what data is, not what it’s called. Magic-byte and content scanning catch mislabeled and disguised files.
Sharing carries identity when it should.
Ordinary share links are signed and time-limited. Sensitive shares require SSO before redemption, and the audit row records who redeemed, verified cryptographically.
Growth was rehearsed, and it was cheap.
Going from one zone to two changed zero interfaces. The next zone, a third country, a customer’s national cloud, an air-gapped deployment, is configuration and provisioning, not a rewrite. Claimed in Phase 1, treated as a falsifiable checkpoint in Phase 2, passed.
Sovereignty debt accrues silently. Compliance is graduating to proof.
Every feature shipped, market entered, and partner integrated while data location is unmanaged becomes something to untangle later: under regulatory pressure, at migration prices, on someone else’s deadline. The regulatory direction is one-way. GDPR set the template; PIPL, DPDP, and LGPD are converging on the same demand: prove where data lives, where it’s processed, and who holds the keys. The buyer’s question is shifting from “show me your policy” to “show me the enforcement record.” The products that answer with a system, not a document, will price like it.
“We have a policy.”
“Here is the audit row showing the system refused the transfer.”
Priced against fines, not against 2TB plans.
Moving bytes is commoditized. What monetizes is the refusal and the receipt: provable, on-demand evidence that data could not have gone where it shouldn’t. Four models, in the order they’re reachable. Packaging principle: everyone pays for sovereignty, only some pay for identity complexity.
Compliance-grade file exchange
regulated SMB · legal, clinical, cross-border HRPer-seat SaaS across three tiers. Core is a pilot-friendly self-serve plan with sovereignty built in. Business layers on SSO, SCIM, and identity-aware governance. Enterprise is priced as a platform, for regulated buyers who need customer-managed identity, dedicated deployments, and audit exports on demand.
Sovereign deployment licensing
governments · critical infrastructure · national cloudPer-deployment annual license and support. Few customers, high value, high stickiness; what the hardened Phase 3 variants exist for.
Sovereignty middleware / OEM
SaaS platforms entering EU, India, BrazilThe classify, decide, route, encrypt, audit layer embedded under their product, so residency doesn’t require re-architecting theirs.
IoT telemetry sovereignty
field sensors · agricultural fleetsTelemetry that stays local to a jurisdiction by default, per device or per fleet, riding the Phase 3 device tier.
Honest boundaries.
This is a working prototype that proves a pattern. Read the label.
- Login is mocked. SSO gates shares, not sign-in.
- The key manager is a stand-in for HSM-backed custody.
- Zone geography is logical, not yet contractually pinned to soil.
- Compliance mappings are engineering approximations, not legal advice.
None of these are unknowns. Each has a designed slot in Phase 3, and none required interface changes to defer, which is the point of having proven the pattern first.
Live now. The denial happens in front of you.
Portal, CLI, both zones, and SSO shares are deployed and verified end to end at a single URL. A demonstration takes minutes: upload the wrong file from the wrong place, watch the system refuse, and read the audit row in the correct country’s log.
Compliance owners, platform operators, and regulated-industry teams seeking early access.