Seed Round: $0.25/FRAC — Listing at $1.00 (300% ROI) — Buy Now
EU AI Act · Article 12 · high-risk logging staged from 2 Aug 2026

CityLedger

Every algorithmic decision your administration makes — auditable and challengeable, by design.

When a public algorithm denies a benefit, assigns a school place, or issues a fine, the affected person has a right to a reasoned, contestable decision — and, increasingly, the law requires the record of that decision to be tamper-evident and traceable after the fact. CityLedger seals each decision into an append-only registry the moment it is made and hands the citizen a receipt they can re-check without having to trust the government.

Built for compliance officers and CIOs, not cryptographers. The technology (post-quantum signatures, a public time-anchor, on-chain anchoring) sits underneath a simple contract: the record cannot be edited after the fact, and anyone can prove it.

The driver: a hard compliance deadline, not a technology trend

  • EU AI Act, Article 12 requires high-risk AI systems to keep automatic, tamper-evident logs that enable ex-post traceability, with defined retention. High-risk obligations apply on a staged calendar (transparency duties from 2 Aug 2026; several high-risk Annex III duties phased through 2027).
  • Article 50 adds transparency obligations for AI-mediated interactions and outputs.
  • Constitutional / administrative due process: the affected person is entitled to a reasoned decision they can challenge. Courts have held that administrative scoring systems must be open to scrutiny so the affected can verify and contest them.
  • The 2026 shift in algorithmic governance is from internal self-review to independent third-party audit — which needs an evidence trail an auditor can trust.

This is a technical compliance tool, not legal advice. It helps satisfy the tamper-evident-logging and verifiability aspects of the above; the exact obligations depend on your role, sector, and risk class.

How it works

  1. 1Your system registers a decision (the case reference, the model, the outcome, the reasons, who is accountable). Sensitive fields are hashed, never stored in the receipt — so it is safe to hand to a citizen without leaking personal data.
  2. 2CityLedger appends it to a tamper-evident registry (each entry chained to the last), signs it with a post-quantum key (Dilithium-2, NIST FIPS 204), stamps it with a public time-anchor (drand) so it can't be back-dated, and best-effort anchors it on-chain — independently of your own systems.
  3. 3The citizen receives a portable receipt. They (or their lawyer, or a judge, or an auditor) can re-verify it independently — with only the receipt, no account, no cooperation from your office required. That is the "verify it yourself" due process depends on.

A plain Postgres audit log does not achieve this: the administration that owns the database can edit it, so it is not non-repudiable. A cloud provider's audit trail belongs to the cloud provider (judge and party, and typically foreign jurisdiction). CityLedger gives the citizen a proof that stands even against the administration that issued it.

Live demo — seal a decision, then try to alter it

This runs against the real registry. Register the example decision, get the citizen receipt, verify it, then hit "Tamper & verify" — the independent check will fail, exactly as it must.

What CityLedger does — and does not — prove

It proves
  • the decision was recorded exactly as declared;
  • by this registry's post-quantum key (non-repudiation);
  • at that time, with no back-dating (public time-anchor);
  • and not altered afterward (tamper-evident, chained).
It does not prove
  • that the decision was correct, fair, or lawful;
  • that the model was unbiased;
  • anything the citizen can only settle through an appeal.

CityLedger attests provenance and integrity, not correctness. The citizen does not merely verify the record — they use it to challenge the decision on the real facts. Dilithium-2 is resistant to known classical and quantum attacks per NIST FIPS 204; that is a strong, standardised guarantee, not"unbreakable".

Engagement (proposed — pre-pilot)

Indicative, not a live tariff. CityLedger has no city as a customer yet; we are seeking a first pilot.

Citizen verifier
Free
Public, no account. The receipt verifier every citizen and court can use. Always free — that is the due-process point.
Pilot
18 mo free*
One agency / one decision type. Open-source, auditable, self-hostable in your jurisdiction. No lock-in — fork it if you want to.
Production
Per decision
Metered per sealed decision, with on-prem signer, retention SLA, and audit / court-export support. Scoped per agency.

*Pilot terms are a proposal to reduce the vendor-lock-in risk that blocks sovereign adoption. Not a contractual offer; subject to a scoping agreement.

Bring auditable decisions to your administration

If you are a CIO, data-protection officer, or legal counsel preparing for Article 12 and the move to independent algorithmic audit, we would like to run a scoped pilot on one decision type in your agency. Open-source and self-hostable, so nothing leaves your jurisdiction.