Skip to content
MnemosyneRequest access

Mnemosyne · say “ne-MOSS-uh-nee” · the Titaness of memory

Fool the AI. Your data is still safe.

Mnemosyne is a company brain you run on your own infrastructure. Every answer it gives must dereference to a cryptographically anchored source, and every source’s clearance is checked outside the model — so a compromised model still cannot invent a fact, or leak one.

Security lives in the anchor, not the model’s obedience.

the gate · every claim must dereference to an anchored source
Every claim must dereference to an anchored source. No anchor, no answer.ARCHITECTURE §3.1

How is this different from Copilot or NotebookLM?

It is the first question everyone asks, and it deserves a precise answer rather than a slogan.

Copilot · NotebookLM · most “chat with your docs”

They are RAG.

Every query, they retrieve raw chunks of your documents and let the model author an answer out of them. That answer is ungrounded — the model can blend or invent. It is unverifiable — nothing checks its provenance outside the model. It is non-compounding — it is re-derived from scratch every single time you ask. And it happens in someone else’s cloud, with no need-to-know enforcement and no tamper-evident record of what was retrieved.

Mnemosyne

This is not RAG.

We curate your sources once into an anchored, verified, interlinked knowledge graph that compounds. Retrieval is ranked with ACT-R — a cognitive model of memory — not bare vector similarity. And every answer passes a grounding and clearance gate that runs outside the model, on immutable provenance.

RAG re-derives every query · Mnemosyne curates once, and compounds
Pay once to curate. Recall cheaply and provably, forever.STRATEGY_BRIEF §2A.1

The honest economics

We are not cheaper per document. We deliberately pay more, once, to curate. After that, recall is a cheap lookup of verified distillations — forever, and provably. Pay once to curate; recall cheaply and provably for as long as the company exists. A RAG tool pays a little on every query and re-derives the same answer, unverifiably, every time.

Four things those tools structurally cannot do

  • Give you an answer you can depend on completely — because nothing verifies the model’s claims from outside the model.
  • Tell you who knew what, and when — because there is no tamper-evident record.
  • Enforce need-to-know that holds even when the model is fooled — because the boundary lives inside the model’s obedience.
  • Keep your data inside your perimeter — because the data is the product.

Three guarantees, enforced outside the model

The model is untrusted by design. Every guarantee below is enforced by machinery the model does not control and cannot talk its way past.

Verifiable

Every claim dereferences to an anchored source.

Each unit of knowledge is content, a clearance tag, and a chain anchor — a hash and a signature that cannot be forged or silently altered. When the model answers, every claim it makes must resolve to one of those anchors. A claim with no anchor is a fabrication, and the gate blocks it. The model is never trusted to police itself.

ARCHITECTURE §3.1

Accountable

A tamper-evident record of every ingest, query, retrieval and answer.

Ed25519-signed, hash-chained blocks with Merkle roots, running locally inside your deployment. Alter one block and the chain says so — immediately, and mathematically. “Who knew what, and when” stops being a question you argue about and becomes one you can answer.

TIMECHAIN.md

Need-to-know

Clearance is checked outside the model, on immutable provenance.

Sources are sealed per compartment under their own encryption key, and clearance is resolved before retrieval — not after generation, when the damage is already done. No clearance means no key, which means no plaintext. A model that has been talked into betraying you has nothing to betray you with.

SECURITY.md · ARCHITECTURE §3.1

The same question. Two people. Two different answers.

Access control that lives inside the model is a suggestion. Ours lives outside it, on immutable provenance: the requester’s clearance is resolved against every source in a claim’s chain before that claim is allowed out. Two colleagues can ask the same question and correctly receive different answers — and neither of them, nor the model, can move that boundary.

two askers · three compartments · no clearance means no key
No clearance ⇒ no key ⇒ no plaintext. Checked outside the model.SECURITY.md

This is the gap Knostic raised $11M to name: being able to access something is not the same as needing to know it. Most tools enforce the first and quietly ignore the second.

Tamper with one block, and the whole chain says so.

Every ingest, every question, every retrieval and every answer is written to a local, append-only chain of Ed25519-signed blocks. Nothing leaves your network to make this true, and it costs you nothing to run.

a spine of signed, hash-chained blocks · alter one and the chain says so
Tamper with one block and the whole chain says so. Try it — click a block.TIMECHAIN.md

To be unambiguous, because security buyers rightly ask: there is no public blockchain here, no token, and no cryptocurrency of any kind. The chain is a local notary that runs inside your own deployment. Anchoring its root to an external ledger is an option we can switch on for organisations that want it — it is never the default, and it is never the point.

read this section first

What we do not claim

Most vendors tell you what their product cannot fail at. We would rather tell you where it can. If you are paid to be skeptical, this is the section you should read first.

The words we never use

We do not say our system is proof against jailbreaks, and we do not say it is free of hallucination. Prompt injection is the number one item on OWASP’s LLM risk list and NIST has called it the greatest security flaw in the technology. EchoLeak (CVE-2025-32711, CVSS 9.3) was a zero-click injection that broke Microsoft 365 Copilot and walked straight past Copilot’s own classifier. Any vendor promising you immunity is one disclosure away from being publicly wrong.

We do not need the promise. We assume the model will be fooled, and we put the guarantee somewhere the model cannot reach: breach-contained and fabrication-blocked under model compromise.

Grounding is not correctness.

The gate proves that a claim is grounded in an anchored source the requester is cleared to see. It does not prove the model reasoned correctly over the sources it was allowed to read. A wrong inference over authorised data is a real failure mode. We attack it with claim-level entailment checks and honest abstention — the system is built to say “I don’t know” — and we do not assume it away.

Tagging completeness is a precondition.

Enforcement is exactly as correct as the clearance labels on your sources. Mis-tagged data is mis-enforced data. So tagging is mandatory and auditable — and designed so the failure mode is asymmetric: a deterministic floor runs before the model is ever consulted, which means the system can only ever over-restrict, never under-restrict. Over-restriction costs convenience. Under-restriction costs the company.

Semantic leakage is open engineering.

A compromised model could try to encode a restricted fact into prose that carries no citation at all — laundering it past a gate that only matches provenance tags. That is a genuine problem, it is the hardest one in this space, and we are engineering it explicitly rather than pretending it is solved.

A local model is a weaker model.

If your data cannot leave your building, you do not get to use the largest frontier model. Our gate blocks fabrication, but it cannot make a smaller model smarter. We would rather set that expectation now than have you discover it in month three.

ARCHITECTURE §3.3

Two ways to run it. Both keep the data yours.

Managed, single-tenant

We operate an isolated deployment for you — your own instance, your own keys, never a shared multi-tenant pool. The fastest way to get value without taking on the operational burden.

Honest caveat: in this tier we hold the data. That is why it is single-tenant and isolated by construction, never pooled — but if your threat model does not permit us to hold it at all, take the tier below.

On-premise, air-gap-capable

The whole system runs on your metal, behind your firewall, with a local model. Nothing egresses. For organisations where that is not a preference but a legal requirement — government, defence, healthcare, legal, IP-heavy engineering.

A jailbreak needs somewhere to send the data. In an air-gapped deployment, there is nowhere.

Where we actually are

Mnemosyne is pre-launch. We would rather you hear that from us than discover it.

The trust substrate is built and running: the timechain, the per-compartment sidechains, the key-transparency log, envelope encryption, the policy engine, and the anchored knowledge graph. Its cryptography has been through independent adversarial review. The cognitive layer above it — ingestion, retrieval, and the answer gate — is in active construction.

We are looking for a small number of design partners: organisations with a real need-to-know problem, who will help us prove this on their data, under NDA, at a deliberately small scope. We have no paying customers yet, and we are not going to imply otherwise.

Request private demo access

The demo runs on a synthetic company — a full corpus of documents, spreadsheets, contracts and meeting notes with real clearance boundaries — so you can watch the gate refuse a question it should refuse, without either of us touching your data. Tell us a little about your situation and we will send you a link personally.

The live demo is being prepared. Request access and we will send you the link personally.

or email us directly

We store what you type here so we can reply to it. Nothing else. We do not sell it, we do not enrich it, and there is not a single third-party tracker on this page.

Questions we get asked

How do you pronounce it?
ne-MOSS-uh-nee. The leading M is silent. Mnemosyne is the Titaness of memory in Greek myth, and the mother of the Muses — which made her hard to improve on as a name for this.
Is this a blockchain product?
No. There is no public chain, no token, and no cryptocurrency. The “timechain” is a local, Ed25519-signed hash-chain that runs entirely inside your deployment — it costs nothing, exposes nothing, and depends on no external network. Anchoring its root to an outside ledger is an option we can enable for organisations that want the extra guarantee. It is never the default.
Does anything leave our network?
In the on-premise tier, no. The language model runs locally, the graph is local, the chain is local. There is no mandatory outbound connection — which is itself a security property, because an attacker who fools the model still has nowhere to send anything.
Which model does it use?
A local one, served by Ollama or vLLM — your choice of open-weight model. We are deliberately model-agnostic: the model is the untrusted component, so we avoid depending on any single one of them.
What does it cost?
We do not know yet, and we would rather tell you that than invent a number. Pricing will be discovered with our first design partners against what the system is actually worth to them.
What can it not do?
We wrote that down. It is the “What we do not claim” section above, and we put it on the front page on purpose.

Get notified

Occasional notes on what we are building — the demo going live, the design-partner programme opening. No noise, no newsletter, no list-selling.