MNEMOXMNEMOXverifiable memory
MNEMOX
Confidential AI · Verifiable memory

Privacy you can measure.
Memory you can prove.

Your whole knowledge base, encrypted under your key. Inference runs inside a hardware-isolated enclave. Every answer carries a cryptographic receipt — and you can prove a memory was deleted, not just hidden.

Encrypted on deviceInference in a TEESigned receiptProvable deletion
01The product

Confidence, by construction

Every guarantee is enforced by the code path your data travels — not by a policy you have to take on faith.

Encrypted under your key

Notes and chat are sealed in your browser with X25519 + XChaCha20. The key never leaves your device; the server stores only ciphertext.

Inference in a TEE

Your context is decrypted only inside a hardware-isolated enclave, where retrieval and the model run. The operator sees nothing.

Signed, verifiable receipt

Every answer carries an ed25519 receipt binding the model, the memory used and the build — verified in your browser.

Provable deletion

Forget a fact and get proof its commitment is revoked and absent from the new memory root — not just hidden in the UI.

Private retrieval

Vector retrieval runs over the decrypted corpus inside the enclave only, so what is relevant to you never leaks out.

Model-hash binding

Each receipt is bound to a specific model checkpoint, so a cheaper swap cannot masquerade as the model you asked for.

02How it works

Three steps, end to end

From your device to a verifiable answer — privacy is enforced by the code path, not by a policy you have to trust.

01

Encrypt your knowledge base

Notes, documents and chat history are encrypted in your browser with a key that never leaves your device. The server only ever holds ciphertext.

02

Ask — confidentially

Your question and the relevant slice of memory are decrypted only inside a hardware-isolated enclave, where retrieval and the model run. The operator sees nothing.

03

Verify the receipt yourself

Every answer carries an ed25519 receipt binding the model, the memory used and the build. Your browser checks it — no trust in the operator required.

03The problem

People put their most sensitive context into AI tools

Work documents, personal notes, medical and financial details, the history of how they think. Three things make that dangerous today.

The provider sees everything

In a normal setup the prompt is decrypted on the provider’s server. Operators with root access — and third parties via subpoena — can read it. “We don’t store it” is a promise, not a guarantee.

Memory is a black box

Assistants now have long memory, but you can’t see what the model remembers, when it surfaces, or what “delete” really does. The forget button gives you no proof the fact actually left the system.

“Privacy” is unprovable

Even services that run inference in a TEE usually prove only the correctness of a single call. The link between the environment, the model, the policy and the fate of your data is never shown to you.

04Architecture

Client encryption, a confidential enclave, on-chain attestation

Five layers your data passes through — and it never leaves your control in the clear.

01

Client encryption

Every item of your knowledge base is encrypted with a key that never leaves your device (X25519 + XChaCha20-Poly1305).

02

Encrypted storage

The operator stores only ciphertext and commitments. It holds no keys and can read nothing.

03

TEE inference node

Inside the enclave the channel terminates, the context is decrypted, retrieval and inference run — isolated from host and hypervisor.

04

On-chain layer

A registry of allowed build measurements, an attestation log and call receipts. Anyone can check the node ran a registered no-log build.

05

Verifiable memory

Each long-term memory item is a commitment. Adding, using and deleting are all provable events.

The path of a single request
  1. 1Attest

    The client pulls the enclave’s attestation and checks its measurement against the registry.

  2. 2Channel

    A secure channel is opened that terminates only inside the enclave (RA-TLS).

  3. 3Retrieve + infer

    Inside the TEE the relevant slice is decrypted; retrieval and the model run.

  4. 4Receipt

    The enclave returns the answer and a signed receipt: model hash, context & response commitments, measurement, no-log flag.

  5. 5Verify

    The receipt is anchored on-chain; the client verifies the signature and the bound build locally.

05Verifiable memory

Memory that is provably under your control

Each fact you save becomes a cryptographic commitment bound to your key — which gives three capabilities mainstream assistants don’t have.

Not hidden in a UI — revoked and proven gone.

Every add, use and forget is a Merkle-commitment transition you can recompute yourself, so the “forget” button comes with a proof instead of a promise.

Provable use

An answer shows exactly which memory cells were lifted into context — without revealing their contents to anyone else.

Provable deletion

On forget you get proof the commitment is revoked and absent from the new memory root — not just hidden in the UI.

Boundary control

The memory policy — what to keep, for how long, what never to use for adaptation — is baked into the measured build and reflected in the receipt.

06Proof boundary

What is proven — and what stays a trust assumption

The product draws the line explicitly. Cryptography proves one set of things; the rest is named honestly as an assumption, never implied as proven.

Proven by cryptography

  • The enclave channel terminates at a key bound to the attested environment (real ECDH).
  • Each receipt is an ed25519 signature binding model hash, context & response commitments and the build measurement.
  • Memory add / use / delete are real Merkle-commitment transitions you can recompute yourself.
  • No-log is a property of the registered build manifest, not the operator’s word.

Trust assumptions

  • Hardware TEE guarantees rely on the correctness of Intel / AMD / NVIDIA and the absence of unknown side-channels.
  • A hardware DCAP quote roots in the CPU vendor; the current attestation report is self-signed.
  • The measurements registry is anchored on-chain (Solana).
  • Output correctness (ZKML) is far more expensive and is explicitly out of scope, not implied.
07Built vs simulated

What runs for real today — and what is still simulated

Real cryptography is live now; the hardware and on-chain layers are still simulated, and the product says so plainly.

Real in this build

7
  • Client-side knowledge-base encryption
    X25519 + XChaCha20, key never leaves the device
  • Verifiable-memory commitments
    Merkle tree of commitments with inclusion/exclusion proofs
  • Provable deletion
    Commitment revoked + erased, proven absent from the new root
  • Signed inference receipt
    ed25519 signature + commitments, verified in your browser
  • Private retrieval (RAG)
    Vector retrieval over the decrypted corpus, in-enclave only
  • Model-hash binding
    Receipt is bound to a specific checkpoint identity
  • Secure channel (RA-TLS-like)
    Channel key derived via ECDH, sealed payloads end to end

Simulated / not yet real

5
  • Hardware TEE isolation
    Real TDX / SEV-SNP + Confidential GPU node
  • DCAP attestation quote
    Full hardware quote rooted in the CPU vendor
  • On-chain anchoring
    Receipts & measurements registry on Solana
  • Reproducible build chain
    Full source → measurement verification
  • Decentralized operator network
    Third-party staked TEE operators
MNEMOX

Privacy you can verify

Write a note, ask your second brain, verify the signed receipt, and prove a memory was deleted — every check runs client-side.