Trust Network

No single entity — including us — can control the network. A vast-majority quorum of independent keyholders governs every critical operation, behavioral trust scoring earns node standing, consent is irrevocable, and safety constraints are enforced at the type-system level. This is not a policy. It is mathematics.

Cryptographic Node Identity

Every node in the network proves its identity with Ed25519 signatures. No shared secrets, no certificate authorities you don't control, no impersonation possible.

Identity
Ed25519 Key Pairs
Each deployment generates a unique Ed25519 key pair at first startup. The public key becomes the node's permanent identity. Every message, every handshake, every data exchange is signed and verified. No unsigned communication is possible.
Verification
Mutual Authentication
When two nodes connect, both sides prove their identity simultaneously. The connection is established only after mutual verification succeeds. Man-in-the-middle attacks are structurally impossible — intercepted messages cannot be re-signed.
Immutability
Permanent Identity Binding
A node's identity is cryptographically bound to its data and behavioral history. Key rotation preserves identity lineage while permanently invalidating old signing material. No re-activation of retired keys is possible.
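The mutual handshake described above, as an added example written for this page rather than VectorScaleDB's own protocol: each side signs a transcript containing both fresh nonces and the peer's public key with Go's standard crypto/ed25519, and the connection is accepted only after each side verifies the other's proof against the key it has pinned for that peer. The transcript layout and the domain string vsdb-handshake-v1 are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

const domain = "vsdb-handshake-v1" // assumed domain separator: handshake signatures cannot be confused with data signatures

// transcript is the exact byte string a signer commits to: its own nonce, the
// peer's nonce and the peer's public key, so a proof is valid for one session and one peer only.
func transcript(myNonce, peerNonce []byte, peer ed25519.PublicKey) []byte {
	msg := append([]byte(domain), myNonce...)
	msg = append(msg, peerNonce...)
	return append(msg, peer...)
}

func nonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// verify checks a peer's proof against the public key pinned for that peer.
func verify(peer ed25519.PublicKey, peerNonce, myNonce []byte, self ed25519.PublicKey, sig []byte) error {
	if !ed25519.Verify(peer, transcript(peerNonce, myNonce, self), sig) {
		return errors.New("handshake: signature does not verify")
	}
	return nil
}

// MutualAuth runs the handshake between A and B. Each side signs a transcript
// containing the other side's fresh nonce, so an interceptor holding neither
// private key cannot produce a proof that the other side will accept.
func MutualAuth(pubA ed25519.PublicKey, privA ed25519.PrivateKey,
	pubB ed25519.PublicKey, privB ed25519.PrivateKey) error {
	na, nb := nonce(), nonce()
	sigA := ed25519.Sign(privA, transcript(na, nb, pubB)) // A -> B
	sigB := ed25519.Sign(privB, transcript(nb, na, pubA)) // B -> A
	if err := verify(pubA, na, nb, pubB, sigA); err != nil { // B checks A
		return err
	}
	return verify(pubB, nb, na, pubA, sigB) // A checks B
}
```

The signature check only rules out an interceptor who lacks the private key; the verifier must obtain the peer's public key from a trusted source (pinning or the curated backbone list), because an unknown key verifies its own signatures perfectly.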

Byzantine-Tolerant Federation

The network continues operating correctly even when some participants behave maliciously. Consensus is reached through curated groups of trusted backbone nodes, not open-join voting.

Consensus
Curated backbone consensus
Critical network decisions — governance changes, trust model updates, safety constraint modifications — require agreement from a curated set of backbone nodes. These are not self-selected; they earn their position through sustained reliable behavior and verified identity.
  • Curated backbone nodes, not open-join validators
  • Weighted voting based on behavioral history
  • Malicious votes detected and discarded automatically
  • Network-wide propagation via protocol-level gossip
Resilience
Partition-tolerant operation
When network partitions occur, each partition continues operating independently with the data it has. On reconnection, a proprietary merge protocol reconciles divergent state without data loss. Higher aggregate trust wins conflict resolution; ambiguous cases are flagged for review.
  • Each partition operates independently during splits
  • Automatic reconciliation on partition heal
  • No automatic data deletion during recovery — ever
  • Conflicting records flagged for human review

Threshold Signing Authority

No single entity controls the network. Critical operations require multi-party agreement from independent keyholders.

Multi-Party
Vast-majority threshold quorum
Governance requires a vast-majority quorum of independent keyholders — at minimum 3 of 5, scaling as the keyholder pool grows. No single party, including us, can reach quorum alone. No bypass, no emergency override, no exceptions.
Independence
Distributed key custody
Keyholders are structurally independent — different organizations, different jurisdictions, different incentive structures. Reaching quorum by collusion requires compromising a vast majority of independent parties simultaneously.
Scope
Governance vs. operations
Threshold signing governs network-level decisions: safety constraints, consensus rules, trust model changes. Day-to-day operations — data ingestion, queries, node management — use standard Ed25519 authentication. The threshold exists to prevent capture.
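As an added example (not VectorScaleDB's code) of the threshold rule above: a governance proposal is authorized only when at least Threshold distinct registered keyholders have produced valid Ed25519 signatures over it, using Go's standard crypto/ed25519. The Quorum and Approval types, the domain string vsdb-governance-v1 and the 3-of-5 setting are assumptions; duplicate, unregistered and invalid signatures are discarded rather than counted.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Quorum is the registered keyholder set and how many distinct keyholders must sign (3 of 5 at minimum).
type Quorum struct {
	Keyholders []ed25519.PublicKey
	Threshold  int
}

// Approval is one keyholder's signature over a governance proposal.
type Approval struct {
	Signer ed25519.PublicKey
	Sig    []byte
}

// governanceBytes domain-separates votes from day-to-day traffic so an operational signature cannot be replayed as a vote.
func governanceBytes(proposal []byte) []byte {
	return append([]byte("vsdb-governance-v1:"), proposal...) // assumed domain string
}

// Approve is what each independent keyholder runs locally with its own key.
func Approve(priv ed25519.PrivateKey, proposal []byte) Approval {
	return Approval{Signer: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, governanceBytes(proposal))}
}

// Authorize returns nil only when at least Threshold distinct registered keyholders validly signed proposal.
func (q Quorum) Authorize(proposal []byte, approvals []Approval) error {
	index := make(map[string]int, len(q.Keyholders))
	for i, k := range q.Keyholders {
		index[string(k)] = i
	}
	counted := map[int]bool{}
	msg := governanceBytes(proposal)
	for _, a := range approvals {
		i, ok := index[string(a.Signer)]
		if !ok || !ed25519.Verify(a.Signer, msg, a.Sig) {
			continue // unregistered signer or invalid signature: discarded
		}
		counted[i] = true // set semantics: one keyholder signing twice still counts once
	}
	if len(counted) < q.Threshold {
		return fmt.Errorf("quorum not reached: %d valid of %d required", len(counted), q.Threshold)
	}
	return nil
}
```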

Structural Safety Guarantees

Some constraints are not enforced by policy; the code paths they would forbid are absent entirely. These guarantees hold even when an attacker has read every line of documentation.

No Self-Propagation
Cannot deploy itself anywhere new
VectorScaleDB physically cannot install itself anywhere new: the propagation guard is a compile-time invariant, and there is no code path to deploy to a host where it isn't already running. Federation connects only to nodes that already exist. This cannot be enabled by configuration.
Universal Consent
Irrevocable, every entity type
Consent gates every entity type, not just neural data. Revocation is a compile-time irrevocable latch with no admin-override method — no emergency bypass, no temporary suspension. A subject's revocation is final.
Biological Invariants
B1–B12 compile-time guarantees
Deployments touching biological substrates carry twelve additional compile-time invariants, including containment, no uncontrolled replication, continuous active consent, biodegradation, genetic diversity, and material biocompatibility, each verified at the type level.

Behavioral Trust Scoring

Trust is earned through behavior, not claimed through credentials. Every node builds a trust score based on its operational history.

Scoring
Continuous behavioral evaluation
Each node accumulates a trust score based on observable behavior: uptime consistency, data integrity, response latency, gossip protocol compliance, and federation cooperation. New nodes start with minimal trust and build it over time. There is no shortcut.
  • Trust earned through sustained reliable behavior
  • Weighted by node age and operational history
  • Low-trust nodes cannot influence network decisions
  • Trust events from quarantined nodes are discarded
Anti-Sybil
Sybil attack resistance
Creating many fake identities to overwhelm trust scoring is structurally prevented. Trust scores weight node age and behavioral history, making fresh identities nearly weightless. Backbone consensus groups are curated, not open-join. The cost of sustained good behavior across multiple fake identities exceeds the benefit of any attack.
  • New nodes carry negligible voting weight
  • Backbone groups are invitation-only
  • Behavioral anomalies trigger automatic quarantine
  • Quarantined nodes cannot participate in consensus

Network-Wide License Management

Irrevocable license revocation propagated to every node in the network. Once revoked, always revoked.

Propagation
Gossip-based revocation
License revocations propagate through the network's gossip protocol, reaching every connected node within seconds. Nodes that were offline during revocation receive the update on reconnection. No node can miss a revocation.
Enforcement
Pre-operation revocation checks
Every federated operation — data exchange, query forwarding, template sharing — checks the revocation list before proceeding. Revoked licenses are rejected immediately. There is no grace period, no override, no appeal mechanism in the protocol.
Finality
Irrevocable by design
Revocation is a one-way operation. The protocol has no "un-revoke" capability. If a revocation was issued in error, a new license must be provisioned from scratch — there is no shortcut to restore a revoked identity.

Anti-Impersonation Protocol

Incarnation-based conflict resolution ensures that stale or replayed identity claims are rejected automatically.

Incarnation
Monotonic incarnation counters
Each node maintains a monotonically increasing incarnation number. When a node restarts or its identity is challenged, it increments its incarnation. Stale messages from previous incarnations are automatically rejected by all peers, preventing replay attacks and identity confusion.
Detection
Automatic conflict resolution
If two messages claim the same node identity but carry different incarnation numbers, the higher incarnation wins. This prevents split-brain scenarios where a node's old state lingers in the network after restart. The gossip protocol propagates the latest incarnation within seconds.
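The pre-operation revocation check (Network-Wide License Management above) and the incarnation rule just described, combined in one gossip receiver as an added example rather than the project's own protocol: every envelope is signature-checked first, then rejected if its node ID is in a grow-only revocation set, then rejected if its incarnation is below the highest one already seen, so a replayed message from an earlier incarnation never changes state. The Envelope layout, the domain string vsdb-gossip-v1 and the Receiver type are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

type Envelope struct {
	NodeID      ed25519.PublicKey // the sender's identity is its public key
	Incarnation uint64            // monotonically increasing restart counter
	Payload     []byte
	Sig         []byte // Ed25519 signature over NodeID, Incarnation and Payload
}

func signedBytes(id ed25519.PublicKey, inc uint64, payload []byte) []byte {
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], inc)
	b := append([]byte("vsdb-gossip-v1"), id...) // domain separator (assumed for this example)
	return append(append(b, n[:]...), payload...)
}

func Seal(priv ed25519.PrivateKey, inc uint64, payload []byte) Envelope {
	id := priv.Public().(ed25519.PublicKey)
	return Envelope{NodeID: id, Incarnation: inc, Payload: payload, Sig: ed25519.Sign(priv, signedBytes(id, inc, payload))}
}

// Receiver keeps the highest incarnation seen per node and a grow-only revocation set.
type Receiver struct {
	incarnation map[string]uint64
	revoked     map[string]bool
}
func NewReceiver() *Receiver { return &Receiver{incarnation: map[string]uint64{}, revoked: map[string]bool{}} }
// Revoke is one-way by construction: no method removes an entry from the set.
func (r *Receiver) Revoke(id ed25519.PublicKey) { r.revoked[string(id)] = true }

// Accept checks signature, then revocation, then incarnation, before touching any state.
func (r *Receiver) Accept(e Envelope) error {
	if len(e.NodeID) != ed25519.PublicKeySize || !ed25519.Verify(e.NodeID, signedBytes(e.NodeID, e.Incarnation, e.Payload), e.Sig) {
		return errors.New("signature does not verify")
	}
	if r.revoked[string(e.NodeID)] {
		return errors.New("license revoked")
	}
	if seen, ok := r.incarnation[string(e.NodeID)]; ok && e.Incarnation < seen {
		return errors.New("stale message from a previous incarnation")
	}
	r.incarnation[string(e.NodeID)] = e.Incarnation // a higher incarnation supersedes the old state
	return nil
}
```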
