Edge Proof Network

You can't prevent every incident.
You can prove exactly what happened.

Lumra signs every event the moment it happens: gate, camera, sensor, dashcam. It chains each one into a record that courts, insurers, and auditors can verify without trusting you, or us. It's insurance for your operational truth, at pennies per device.

Start your free 60-day pilot

No new hardware, nothing replaced, plugs into the systems you already run. Signing real events the same afternoon.

Incident record № 004-1187ed25519 · sha-256
eventgate.breach_detected
devicecam-east-04 (key #A2F1)
time
location33.9425, -118.4081
digestcomputing…
chain← №004-1186 · 9c41…e07b
Why now

Do the math your insurer already does

$110M

2026 California verdict in a single elopement incident a facility couldn't defend. One undocumented event can outweigh decades of premiums.

8.2¢

per high-liability device per day at the standard rate. One six-figure denied claim costs more than three decades of it. The math on this page only needs this number to stay small.

FRE 902

US federal evidence rules (902(13)/(14)) let hash-verified records self-authenticate through a written certification instead of live witness testimony. Lumra records and their export pack are built to support exactly that certification.

Run it with your numbers

Legal defense, settlement pressure, denied claims, lost contract: pick your number. High-liability means the devices disputes hang on: dashcams, access points, resident wearables.

Lumra, per month$625
Lumra, per device per day8.2¢
Years of Lumra one incident would buy33 yrs

One incident you can't prove costs more than 33 years of Lumra.

Standard Class 1 rate of $2.50/device/mo. Bulk telemetry sensors run from $0.01. Your exact quote is confirmed at pilot.

How it works

Sign. Chain. Verify. No new hardware.

01 · Sign

Signed at the source

Each device or system signs its own events with a key bound to it (Ed25519). The signature is born where the event is, not added later in someone's cloud.

02 · Chain

Chained, not stored

Compact signed digests are hash-chained into a tamper-evident ledger. We never need your raw video or audio. Privacy is the architecture, not a setting.

03 · Verify

Verified by anyone

A standalone verifier re-checks any record with no PriviNet servers involved. The proof survives us. That's the point. Go try to break one in the demo above.

Integration: point a webhook from your VMS, telematics, or IoT platform at Lumra. Typical pilot is signing real events the same afternoon.

Industries

The dispute you're one bad night away from

OperationThe incidentWhat the record settles
Senior & memory careA resident wanders; response timeline disputedSigned proof of when the alert fired and who was notified
Fleets & dashcamsCollision, "your driver ran the light"Impact event, time, and location, verifiable by the insurer, not just claimed
Ports & cargoContainer tampered somewhere along the chainWhich custody window it happened in
Airports & aviationPerimeter breach, ground-handling damageIndependently checkable sequence of events
Security & facilitiesGuard tour disputed, footage authenticity challengedEvent digests that survive vendor changes
Industrial & energyEquipment failure blame between operator and OEMSensor anomaly trail neither side can rewrite

→ Found your row? Run the 3-minute provability audit for your operation

Free mini audit

Which disputes can you prove today?

Pick your industry and the systems you run. In about two minutes you'll have a report of the events that decide disputes in your world, which ones you're capturing, which are provable, and where the gaps are. No email needed to see your results.

Which of these do you run? (tap all that apply)
Anything else worth knowing? (optional)
Has a dispute like these come up in the last 12 months?
~2 minutes · results shown right here, ungated
Proof stories

The day the record had to hold

Four ways this plays out. In every one, notice two things: the proof was created before anyone knew it would matter, and it's the other side who runs the verifier. Proof only exists where a signal was captured and signed, which is why every pilot starts by mapping your coverage.

An 80-bed facility, GPS wearables on wander-risk residents. Eight months after a 2 a.m. incident, a lawsuit claims staff ignored the alert for 40 minutes.

02:14:09 · signed at source · chainedgps.geofence_exit, resident crosses the boundary
02:14:11 · decision record + input digestsrisk: CRITICAL → escalate, with the explanation factors recorded
02:14:12 · signedstaff notification dispatched
02:19:47 · signed · chainedstaff acknowledgment
02:31:02 · signedresident located, safe
8 months laterThe dispute: "That acknowledgment was added to the log afterward."

The verification: plaintiff's own expert runs the free verifier. The 02:19 record's signature and chain links only compute if it existed at 02:19, inserting it later breaks every following link. The 40-minute theory dies in discovery. With the timeline beyond dispute, the case resolves around what actually happened (17 minutes, protocol followed) instead of a jury guessing whose logs to believe.

Illustrative scenario, how the system is designed to work.

A 40-truck fleet with dashcams. Intersection collision; the other driver's insurer demands the footage, and hints it will challenge the video's authenticity.

14:47:04 · signed at sourcefleet.impact. G-force spike, GPS, speed
14:47:05 · signed window referenceevidence exists: 14:47:03–:23, four segments, hashes h1…h4, the video itself never leaves the recorder
+3 weeks · appended to same chainrecall request from the insurer → access decision → time-limited token → retrieval receipt
the dispute"Dashcam clips get edited all the time."

The verification: the opposing expert hashes the video file they received against h1…h4, hashes committed and signed the day of the crash, weeks before anyone knew there'd be a fight. They match; editing is provably impossible. The clip shows a green light. Claim denied on the other side, and the chained recall log shows exactly who has ever viewed the footage.

Illustrative scenario, how the system is designed to work.

A container terminal. A pharmaceutical container reaches the consignee with a broken seal and product missing, and five custody parties blame each other.

06:02 · signed by gate sensorgate-in, seal intact
06:40–10:55 · signedyard position events
11:18 · signedgate-out to drayage, seal intact
the disputeThe adjuster trusts none of the five parties' logs. Ordinarily, whoever has the weakest paperwork eats the loss.

The verification: the adjuster, who trusts nobody, runs the verifier on each party's records. The terminal's verify cleanly and bracket the incident to a custody window after gate-out. The terminal didn't win by being more believable; it won by being checkable. Five suspects become one window; weeks instead of years.

Illustrative scenario, how the system is designed to work.

An energy facility with vibration and temperature sensors on critical pumps. A pump fails catastrophically, a week of downtime. The OEM denies warranty: "your operators ignored the early warnings."

30 days of telemetry · signedvibration / temperature events
day −14 · decision recordanomaly scored LOW risk, recorded with algorithm version and the digests of its exact inputs
day 0 · signedcatastrophic failure event
the disputeNegligence or defect? $2M rides on what the operators were actually told.

The verification: the OEM's engineers replay the decision, recorded inputs through the recorded algorithm version reproduce the recorded output, byte for byte. The "obvious early warning" was scored low-risk by analytics both sides can now inspect; the operators were never told to act. The negligence theory collapses; the warranty pays.

Illustrative scenario, how the system is designed to work.

The in-house question

Your IT team could hash logs in a weekend. Here is why it reads as self-audited paperwork in a deposition.

When a company hosts its own logging database, holds its own signing keys, and runs its own hashing script, it has built a closed loop: the party that benefits from the records is the same party that controls every piece of the machinery that produced them.

In a serious dispute, the other side's forensic experts ask three questions of a closed loop. Who has admin access to the logging database? Could someone with a stake in this case have altered a row and re-run the script? Prove the signing key was never used to retrofit history. If every honest answer is "us, trust us," the records are self-audited paperwork, and opposing counsel will say exactly that.

Lumra breaks the loop with separation of duties. Events are signed as they happen and chained into records held outside your administrative reach, so nobody on your side can quietly rewrite last month. And checking the records never runs through us: verification is a standalone open tool, no PriviNet servers involved.

An in-house script produces a self-audited trail. Lumra produces records neither side has to take on faith.

The two architectures, side by sideforensic view
In-house scriptyour database · your keys · your script · your admins. One party controls all four.
Cross-examination result"could an admin have re-run the hashing after editing the table?" has no good answer
Lumra: signed at sourceevents are signed the moment they happen, with keys your admins never hold
Chained beyond your reachrecords held outside your admin domain; your side cannot quietly rewrite them
Verified independentlystandalone verifier, open tools, no PriviNet servers
The party with a stake in the dispute controls none of the machinery. That is the difference between an exhibit and an argument.
Objections, answered

Questions buyers ask. Straight answers.

We already have logs. Why isn't that enough?

Because anyone with admin access can edit them, and that's why adjusters and opposing counsel discount them. Lumra records are signed at the source and chained; altering one breaks verification, as you saw above.

Will this work with the systems we already have?

If your platform can send a webhook or an HTTPS request, yes: telematics platforms such as Samsara, Motive, and Geotab support webhooks, as do most VMS and IoT hubs, and anything custom can call the events API directly. Consumer devices with no webhook output need a small bridge; ask us and we will point you at the shortest path. No hardware is replaced and no media is uploaded.

Why can't our IT team just hash and sign our own logs?

They can, and it will read as self-audited paperwork the day it matters. If your company controls the database, the signing keys, and the script, opposing experts will ask who had admin access and whether the hashing could have been re-run after an edit. There is no good answer inside a closed loop. Lumra provides the separation of duties: records signed at the source, chained outside your administrative reach by a party with no stake in your dispute, and verifiable by the other side with open tools that never contact PriviNet.

Do you see our video or audio?

No. Lumra works from compact signed metadata. Raw media stays yours; it can only be recalled under an audited, logged process. We can't leak footage we never receive.

What if PriviNet disappears?

Your records outlive us. The verifier is a standalone open tool that never phones home; anyone can re-check any record, forever. Proof that requires trusting the vendor isn't proof.

Is this blockchain?

No tokens, no mining, no consensus fees. Just the boring, court-tested cryptography (Ed25519 signatures, SHA-256 hash chains) that federal evidence rules already recognize.

How do dashcam videos hold up as evidence?

Dashcam footage holds up when you can prove nobody edited it after the fact. Lumra hashes each video segment at the moment of recording and signs the hashes into a tamper-evident chain. Under Federal Rules of Evidence 902(13) and 902(14), hash-verified records like these can self-authenticate through a qualified person's written certification rather than live testimony. Weeks later, anyone can hash the file they received and match it against the hashes committed on the day of the incident.

What is a tamper-evident audit log?

A tamper-evident audit log is a record of alerts, notifications, and responses that cannot be edited after the fact without detection. Lumra signs each event at the source, such as a geofence exit or a staff acknowledgment, and chains it to the previous record. If an entry is altered or inserted later, verification fails. Opposing experts can check the timeline themselves with a free standalone verifier.

How do you prove chain of custody for cargo?

Chain of custody is proven by signed records at each handoff. Lumra signs gate-in, yard moves, seal checks, and gate-out events on the devices that observe them, then chains the records so none can be rewritten. When a container arrives damaged, an adjuster who trusts no party can verify each record independently and narrow the loss to a specific custody window instead of relying on competing paperwork.

What is a cryptographically verifiable event record?

A cryptographically verifiable event record is an event that is digitally signed where it happens and linked by hash to the record before it. The signature proves which device or person created it, and the hash chain proves nothing was altered, inserted, or deleted afterward. Verification requires only the exported records and open cryptographic checks, not access to the vendor's systems.

How is this different from evidence vaults, photo apps, or free timestamping?

Different job. Evidence-management platforms are vaults: you upload media and trust whoever runs the vault. Photo-verification apps authenticate media captured through their own camera flow, and nothing outside it. Free timestamping proves a hash existed by a certain time, with no event, no custody, no paperwork. Lumra signs the operational events themselves, from the systems you already run, never takes your media, and hands you records anyone can verify plus the certification template to use them. And unlike most of the category, the pricing is on this page.

What is a ProofPack, and is verification free?

Verifying your records is always free and needs no PriviNet servers. A ProofPack is the assembled, court-ready file for a single incident: the signed records, a verification transcript, standalone verifier instructions, and a pre-filled FRE 902(13)/(14) certification template for your qualified person to sign. It is a paid deliverable you request when a dispute lands, and every pilot includes one free.

Who's behind this

Don't take our word for it. We insist.

PriviNet began as exactly what it sounds like: a private network, built to give IoT devices the security and privacy they shipped without. Then our engineers and AI scientists kept hitting the same wall. Privacy protects data; it doesn't prove anything. Safety, it turned out, lives in verification.

Our founder, Brad Listermann, is a serial entrepreneur who spent years consulting on the sale of high-end encryption, the kind of work he still can't say much about. Lumra is that obsession rebuilt as software anyone can check. And through Decern, our sister project, we're already building the next generation: verification designed to hold up in a post-quantum world.

Which brings us to the trust question, the one this section is supposed to answer. Our honest answer: don't. Every record Lumra signs can be verified independently. No PriviNet login, no PriviNet goodwill required. Scroll up and try to forge one. That's the whole pitch.

ProofPack

When the dispute lands, this is what you hand over.

Coverage keeps everything signed and chained in the background for pennies a day. ProofPack is what you request the day it matters: one incident, assembled into a single court-ready file your insurer, adjuster, or counsel can verify themselves.

It is not a database export. It is the finished artifact a records custodian signs and forwards, with the verification already done and the paperwork already drafted.

  • The signed event, analysis, and evidence-window records for that incident
  • A verification transcript: every hash recomputed, the signature checked, at export time
  • Standalone verifier instructions, so the other side confirms it with open tools and no PriviNet servers
  • A pre-filled FRE 902(13)/(14) certification template, ready for your qualified person (typically an IT director, records custodian, or forensics expert) to review and sign

Every pilot includes one ProofPack, free, generated from your own incident. You see exactly what lands on your desk before you ever need it.

The day it happens:
  1. The incident occurs. Its records are already signed and chained; nothing to remember in the moment.
  2. You request the ProofPack for that incident from your portal or by email, in one line.
  3. It is assembled and delivered, typically the same business day: $2,500 standard, $1,500 on Audit-Ready, free in your pilot.
ProofPack · incident 004-11877 sections · v1.1
01Incident record, signed at sourceEd25519 signature · key sw-1af02408 · 02:14:09Z
02Analysis recordrisk score, escalation decision, explanation factors, ruleset version
03Evidence-window referencessegment digests h1…h4 · media never leaves your systems
04Canonical inputsevery byte needed to reproduce every hash, independently
05Verification transcript4 digests recomputed · all match · signature valid
06Standalone verifier instructionsopen tools only · no PriviNet servers involved
07FRE 902(13)/(14) certificationpre-filled declaration · awaiting your qualified person's signature
Summary view. The full pack is a complete, machine-verifiable file. Verification is always free.

Download a real sample ProofPack →Generated by the live engine from a demonstration incident. Open it: every hash reproduces, the signature checks, and the declaration is inside.

Pricing

Priced like insurance. Budgeted like insurance.

Coverage, by liability class
$2.50*
per high-liability device per month · telemetry from $0.01

Price follows the risk of the asset, not the size of the fleet. Best for: most fleets and facilities, any size.

  • Class 1, high-liability: dashcams, access points, resident wearables. $2.50/device/mo
  • Class 2, bulk telemetry: temperature, moisture, vibration. $0.01/sensor/mo in 1,000-sensor packs
  • Sensor gateways (LPWAN): $99/gateway/mo covers every sensor behind the gateway, no per-device fees
  • Unlimited signing, chained records, free verification forever
Start free pilot
Audit-Ready
$299*
flat per month · one line item for procurement

Coverage plus the court-ready file, budgeted before you ever need it. Best for: operations that expect at least one dispute a year.

✓ Includes 1 ProofPack per year
  • Up to 500 devices, of which up to 100 high-liability
  • Everything in Coverage, all classes
  • Additional ProofPacks at the pre-negotiated $1,500 rate
  • Priority custodian support when a dispute lands
Start your free pilot
ProofPack
$2,500*
per incident, standard · $1,500 pre-negotiated on Audit-Ready

The court-ready file, assembled the day you need it.

✓ 1 free ProofPack in every pilot
  • Full evidence bundle for one incident
  • Verification transcript & verifier instructions
  • Pre-filled FRE 902(13)/(14) certification template
Start your free pilot

*Standard published rates; your exact quote is confirmed at pilot. Verification of your records is always free; ProofPack is the assembled, certification-ready deliverable. Multi-facility, insurer, and platform programs (VMS, dashcam, and wearable providers embedding Lumra): custom annual terms.

Sixty days. Twenty-five devices. Zero dollars.

Day one: real signed records from your own gates, cameras, and sensors. Day sixty: you'll wonder how you ever walked into a dispute without them.

Sign up now, no waiting: instant credentials →

Self-serve takes about three minutes: agree to the pilot terms, get your keys, send your first signed event. Prefer a human? Use the form below and we reply within one business day.

Not sure what you'd even need to capture? Run the 3-minute audit first →