CityLedger
Every algorithmic decision your administration makes — auditable and challengeable, by design.
When a public algorithm denies a benefit, assigns a school place, or issues a fine, the affected person has a right to a reasoned, contestable decision — and, increasingly, the law requires the record of that decision to be tamper-evident and traceable after the fact. CityLedger seals each decision into an append-only registry the moment it is made and hands the citizen a receipt they can re-check without having to trust the government.
Built for compliance officers and CIOs, not cryptographers. The technology (post-quantum signatures, a public time-anchor, on-chain anchoring) sits underneath a simple contract: the record cannot be edited after the fact, and anyone can prove it.
The driver: a hard compliance deadline, not a technology trend
- EU AI Act, Article 12 requires high-risk AI systems to keep automatic, tamper-evident logs that enable ex-post traceability, with defined retention. High-risk obligations apply on a staged calendar (transparency duties from 2 Aug 2026; several high-risk Annex III duties phased through 2027).
- Article 50 adds transparency obligations for AI-mediated interactions and outputs.
- Constitutional / administrative due process: the affected person is entitled to a reasoned decision they can challenge. Courts have held that administrative scoring systems must be open to scrutiny so the affected can verify and contest them.
- The 2026 shift in algorithmic governance is from internal self-review to independent third-party audit — which needs an evidence trail an auditor can trust.
This is a technical compliance tool, not legal advice. It helps satisfy the tamper-evident-logging and verifiability aspects of the above; the exact obligations depend on your role, sector, and risk class.
How it works
- 1Your system registers a decision (the case reference, the model, the outcome, the reasons, who is accountable). Sensitive fields are hashed, never stored in the receipt — so it is safe to hand to a citizen without leaking personal data.
- 2CityLedger appends it to a tamper-evident registry (each entry chained to the last), signs it with a post-quantum key (Dilithium-2, NIST FIPS 204), stamps it with a public time-anchor (drand) so it can't be back-dated, and best-effort anchors it on-chain — independently of your own systems.
- 3The citizen receives a portable receipt. They (or their lawyer, or a judge, or an auditor) can re-verify it independently — with only the receipt, no account, no cooperation from your office required. That is the "verify it yourself" due process depends on.
A plain Postgres audit log does not achieve this: the administration that owns the database can edit it, so it is not non-repudiable. A cloud provider's audit trail belongs to the cloud provider (judge and party, and typically foreign jurisdiction). CityLedger gives the citizen a proof that stands even against the administration that issued it.
Live demo — seal a decision, then try to alter it
This runs against the real registry. Register the example decision, get the citizen receipt, verify it, then hit "Tamper & verify" — the independent check will fail, exactly as it must.
What CityLedger does — and does not — prove
- the decision was recorded exactly as declared;
- by this registry's post-quantum key (non-repudiation);
- at that time, with no back-dating (public time-anchor);
- and not altered afterward (tamper-evident, chained).
- that the decision was correct, fair, or lawful;
- that the model was unbiased;
- anything the citizen can only settle through an appeal.
CityLedger attests provenance and integrity, not correctness. The citizen does not merely verify the record — they use it to challenge the decision on the real facts. Dilithium-2 is resistant to known classical and quantum attacks per NIST FIPS 204; that is a strong, standardised guarantee, not"unbreakable".
Engagement (proposed — pre-pilot)
Indicative, not a live tariff. CityLedger has no city as a customer yet; we are seeking a first pilot.
*Pilot terms are a proposal to reduce the vendor-lock-in risk that blocks sovereign adoption. Not a contractual offer; subject to a scoping agreement.
Bring auditable decisions to your administration
If you are a CIO, data-protection officer, or legal counsel preparing for Article 12 and the move to independent algorithmic audit, we would like to run a scoped pilot on one decision type in your agency. Open-source and self-hostable, so nothing leaves your jurisdiction.