Technology

Proof created at the source. Verified by anyone.

Lumra signs an event where it happens, links it into a hash-chained ledger, and exports a bundle that a standalone tool can verify with no dependency on PriviNet. Below is exactly how that works.

Architecture

From the edge, through Lumra, to independent verification.

Three stages. Each meaningful event flows left to right, gaining a signature at the source, a place in the chain, and a path to verification that needs nothing from us.

Edge / source
Worker phone

Taps an NFC checkpoint or scans a code, then signs the event.

biometric-gated Ed25519
Enrolled gateway

Witnesses a sensor reading and signs it with a per-tenant key.

gateway Ed25519
Existing systems

Cameras, dashcams, IoT platforms, and sensors arrive by webhook.

vendorSignatureUnverified
Lumra core
Ingest adapters

Normalize incoming events and forward any upstream signatures honestly.

mioty_webhook · http_webhook
Audit ledger

Meaningful events, each linked to the hash of the entry before it.

multi-tenant · hash-chained
Telemetry store

High-volume routine readings, Merkle-anchored into the ledger.

7-day retention
Verification
Signed export

The ledger exports as a portable, signed bundle.

JSON Lines audit pack
Standalone verifier

Checks every signature and the full chain. No PriviNet runtime.

Node.js · zero dependency
Any third party

An auditor, insurer, regulator, or counterparty can run it themselves.

independent trust
Signed at the source  ·  linked into the chain  ·  verifiable without us
The model

Proof is created where the event happens.

01 / SIGNED AT SOURCE

The signature is bound to the actor and the device

A worker phone signs an event with an Ed25519 key gated behind the device biometric, so the signature attests that a specific person, on a specific enrolled device, acted at a specific time.

An enrolled gateway signs a witnessed sensor event with a per-tenant key. Proof is created at the edge, not reconstructed later from logs.

Ed25519biometric-gateddevice-boundper-tenant keys
02 / HONEST INGEST

It rides on top of systems you already run

Events from MIOTY gateways, generic sensors, cameras, and dashcams arrive through webhook adapters. Lumra normalizes them and writes them into the ledger.

When an upstream device provides its own signature, Lumra forwards it without claiming to have verified it, marked vendorSignatureUnverified. The system never overstates what it can prove.

mioty_webhookhttp_webhookcamera / VMSdashcam
Two data planes

Permanent proof and high-volume telemetry are kept apart, on purpose.

Putting every raw reading into the chain would bloat it and slow verification. Lumra separates the record that must be permanent from the stream that does not.

Plane 1 · audit ledger

Hash-chained, permanent

Carries only meaningful events: check-ins, custody handoffs, sensor anomalies, threshold crossings, and batch anchors.

  • Each entry signed at the source
  • Each entry linked to the prior hash
  • Tampering with any entry breaks the chain
  • Retained for the life of the record
Plane 2 · telemetry store

High-volume, not chained

Carries routine readings that do not each need to be permanent proof, kept available for a short window.

  • Never written directly into the ledger
  • Summarized as a Merkle root
  • That root is anchored into the ledger
  • 7-day retention by default
Every 60 seconds, a Merkle root of recent telemetry is anchored into the audit ledger, so the high-volume stream is provable without ever bloating the chain.
Independent verification

The proof has to hold up without us. So it does.

The point of a proof layer is that you do not have to trust the company that wrote it. Lumra's verifier is a standalone tool that anyone can run against the exported bundle.

No runtime dependency

The verifier is a standalone Node.js tool. It does not call our servers, our database, or our API. It needs only the signed export and the public keys.

Anyone can run it

An auditor, insurer, regulator, or counterparty checks the record themselves. Trust comes from the math, not from PriviNet's word.

The record survives us

If PriviNet were gone tomorrow, an exported bundle would still verify. The proof outlives the vendor.

verify — node
$ node verify.js audit-export.jsonl
# checking signatures and chain integrity
 
entries 1,482 read
signatures 1,482 valid
chain intact (no breaks)
anchors all telemetry roots match
 
✓ VERIFIED — record is complete and unaltered

Illustration of verifier output. Change one byte in the export and verification fails, naming the broken entry.

Primitives & standards

Built on established cryptography, not novelty.

Lumra uses well-understood primitives. The value is in where they are applied, at the source, end to end, not in inventing new cryptography.

Ed25519
Digital signatures for every signed event, at the phone, the gateway, and the export.
SHA-256
Hashing for the chain links and the Merkle anchoring of telemetry batches.
Merkle trees
Compress a window of telemetry into a single root that anchors into the ledger.
ETSI TS 103 357
The MIOTY (TS-UNB) backbone Lumra ingests from, for long-range, low-power edge sites.
JSON Lines
The portable export format for the signed audit pack, one record per line.
Build status

Real and demoable today.

This is a working build, not a concept. The core signing, ledger, anchoring, and verification paths run now.

Ed25519
Signing at the source
end-to-end
Pipeline live
CI-tested
Automated test suite
0-dep
Standalone verifier
webhook
MIOTY ingest live

Shipped: source signing, hash-chained ledger, Merkle-anchored telemetry, MIOTY and HTTP webhook ingest, and the standalone verifier. On the roadmap: deeper hardware-level attestation and broader source integrations. We will not describe a capability as available until it is.

See it run on real hardware.

A phone tap, a signed event, an independent verification. Tell us your environment and we will scope a pilot.

Request a pilot