Skip to content
Mnemosyne

Mnemosyne · say “ne-MOSS-uh-nee” · the Titaness of memory

Fool the AI. Your data is still safe.

Mnemosyne is a company brain you run on your own infrastructure. Every answer it gives must dereference to a cryptographically anchored source, and every source’s clearance is checked outside the model — so a compromised model still cannot invent a fact, or leak one.

Security lives in the anchor, not the model’s obedience.

the gate · every claim must dereference to an anchored source
Every claim must dereference to an anchored source. No anchor, no answer.

How is this different from Copilot or NotebookLM?

It is the first question everyone asks, and it deserves a precise answer rather than a slogan.

Copilot · NotebookLM · most “chat with your docs”

They are RAG.

Every query, they retrieve raw chunks of your documents and let the model author an answer out of them. That answer is ungrounded — the model can blend or invent. It is unverifiable — nothing checks its provenance outside the model. It is non-compounding — it is re-derived from scratch every single time you ask. And it happens in someone else’s cloud, with no need-to-know enforcement and no tamper-evident record of what was retrieved.

Mnemosyne

This is not RAG.

We curate your sources once into an anchored, verified, interlinked knowledge graph that compounds. Retrieval is ranked with ACT-R — a cognitive model of memory — not bare vector similarity. And every answer passes a grounding and clearance gate that runs outside the model, on immutable provenance.

RAG re-derives every query · Mnemosyne curates once, and compounds
Pay once to curate. Recall cheaply and provably, forever.

The honest economics

We are not cheaper per document. We deliberately pay more, once, to curate. After that, recall is a cheap lookup of verified distillations — forever, and provably. Pay once to curate; recall cheaply and provably for as long as the company exists. A RAG tool pays a little on every query and re-derives the same answer, unverifiably, every time.

Four things those tools structurally cannot do

  • Give you an answer you can depend on completely — because nothing verifies the model’s claims from outside the model.
  • Tell you who knew what, and when — because there is no tamper-evident record.
  • Enforce need-to-know that holds even when the model is fooled — because the boundary lives inside the model’s obedience.
  • Keep your data inside your perimeter — because the data is the product.

Three guarantees, enforced outside the model

The model is untrusted by design. Every guarantee below is enforced by machinery the model does not control and cannot talk its way past.

Verifiable

Every claim dereferences to an anchored source.

Each unit of knowledge is content, a clearance tag, and a chain anchor — a hash and a signature that cannot be forged or silently altered. When the model answers, every claim it makes must resolve to one of those anchors. A claim with no anchor is a fabrication, and the gate blocks it. The model is never trusted to police itself.

Accountable

A tamper-evident record of every ingest, query, retrieval and answer.

Ed25519-signed, hash-chained blocks with Merkle roots, running locally inside your deployment. Alter one block and the chain says so — immediately, and mathematically. “Who knew what, and when” stops being a question you argue about and becomes one you can answer.

Need-to-know

Clearance is checked outside the model, on immutable provenance.

Sources are sealed per compartment under their own encryption key, and clearance is resolved before retrieval — not after generation, when the damage is already done. A reader must out-rank the document’s level, hold every one of its compartments, and clear every caveat — a lattice, not a flat list — and that check happens when the key is wrapped, so it is cryptographic, not a display filter. No clearance means no key, which means no plaintext. A model that has been talked into betraying you has nothing to betray you with.

The same question. Two people. Two different answers.

Access control that lives inside the model is a suggestion. Ours lives outside it, on immutable provenance: the requester’s clearance is resolved against every source in a claim’s chain before that claim is allowed out. Two colleagues can ask the same question and correctly receive different answers — and neither of them, nor the model, can move that boundary.

two askers · three compartments · no clearance means no key
No clearance ⇒ no key ⇒ no plaintext. Checked outside the model.

This is the gap Knostic raised $11M to name: being able to access something is not the same as needing to know it. Most tools enforce the first and quietly ignore the second.

Tamper with one block, and the whole chain says so.

Every ingest, every question, every retrieval and every answer is written to a local, append-only chain of Ed25519-signed blocks. Nothing leaves your network to make this true, and it costs you nothing to run.

a spine of signed, hash-chained blocks · alter one and the chain says so
Tamper with one block and the whole chain says so. Try it — click a block.

To be unambiguous, because security buyers rightly ask: there is no public blockchain here, no token, and no cryptocurrency of any kind — and no wallet, no coins, and no fee, ever. The chain is a local notary that runs inside your own deployment. Anchoring its root to an outside ledger — Bitcoin, via OpenTimestamps — is switched on in our own deployment and available to yours: it publishes one hash of a hash, never your data, and it can be switched off. The public timestamping calendars aggregate every submitter into a single Bitcoin transaction they pay for themselves, which is why it costs nothing. It is a switch, not the point.

read this section first

What we do not claim

Most vendors tell you what their product cannot fail at. We would rather tell you where it can. If you are paid to be skeptical, this is the section you should read first.

The words we never use

We do not say our system is proof against jailbreaks, and we do not say it is free of hallucination. Prompt injection is the number one item on OWASP’s LLM risk list and NIST has called it the greatest security flaw in the technology. EchoLeak (CVE-2025-32711, CVSS 9.3) was a zero-click injection that broke Microsoft 365 Copilot and walked straight past Copilot’s own classifier. Any vendor promising you immunity is one disclosure away from being publicly wrong.

We do not need the promise. We assume the model will be fooled, and we put the guarantee somewhere the model cannot reach: breach-contained and fabrication-blocked under model compromise.

Grounding is not correctness.

The gate proves that a claim is grounded in an anchored source the requester is cleared to see. It does not prove the model reasoned correctly over the sources it was allowed to read. A wrong inference over authorised data is a real failure mode. We attack it with claim-level entailment checks and honest abstention — the system is built to say “I don’t know” — and we do not assume it away.

Tagging completeness is a precondition.

Enforcement is exactly as correct as the clearance labels on your sources. Mis-tagged data is mis-enforced data. So tagging is mandatory and auditable — and designed so the failure mode is asymmetric: a deterministic floor runs before the model is ever consulted, which means the system can only ever over-restrict, never under-restrict. Over-restriction costs convenience. Under-restriction costs the company.

Semantic leakage is open engineering.

A compromised model could try to encode a restricted fact into prose that carries no citation at all — laundering it past a gate that only matches provenance tags. That is a genuine problem, it is the hardest one in this space, and we are engineering it explicitly rather than pretending it is solved.

A local model is a weaker model.

If your data cannot leave your building, you do not get to use the largest frontier model. Our gate blocks fabrication, but it cannot make a smaller model smarter. We would rather set that expectation now than have you discover it in month three.

Two ways to run it. Both keep the data yours.

Managed, single-tenant — zero-access

A private instance we run for you: your own keys, one customer per box, never a shared pool. It runs inside an attested confidential enclave — so we operate the box and still cannot read your data. Sovereignty without the operational burden.

In design for our first customers. The zero-access model — your keys released only into hardware we cannot see into — is how managed keeps the guarantee that on-premise gives you. Talk to us about an early-access trial.

On-premise, air-gap-capable

The whole system runs on your metal, behind your firewall, with a local model. Nothing egresses. For organisations where that is not a preference but a legal requirement — government, defence, healthcare, legal, IP-heavy engineering.

A jailbreak needs somewhere to send the data. In an air-gapped deployment, there is nowhere.

Where we actually are

Mnemosyne is pre-launch. We would rather you hear that from us than discover it.

The trust substrate is built and running: the timechain, the per-compartment sidechains, the key-transparency log, envelope encryption, the policy engine, and the anchored knowledge graph. Two derived stores — the graph’s fact-labels and the vector index — are being brought under that same seal before any real customer data is ingested; everything else is sealed today. Its cryptography has been through adversarial review. The cognitive layer above it — ingestion, retrieval, and the answer gate — is in active construction.

We are looking for a small number of design partners: organisations with a real need-to-know problem, who will help us prove this on their data, under NDA, at a deliberately small scope. We have no paying customers yet, and we are not going to imply otherwise.

Request private demo access

The public demo above runs on a synthetic pharmaceutical company, and it is live right now — no sign-up. This form is for the next conversation: a private walkthrough against your own documents and your own threat model, under NDA, whenever you are ready.

The live demo is running now on a synthetic pharmaceutical company — real documents, real clearance walls, real numbers. No sign-up, no data of yours. Watch it now →

or email us directly

We store what you type here so we can reply to it. Nothing else. We do not sell it, we do not enrich it, and there is not a single third-party tracker on this page.

Questions we get asked

How do you pronounce it?
ne-MOSS-uh-nee. The leading M is silent. Mnemosyne is the Titaness of memory in Greek myth, and the mother of the Muses — which made her hard to improve on as a name for this.
Is this a blockchain product?
No. There is no public chain, no token, and no cryptocurrency — and no wallet, no coins, and no fee. The “timechain” is a local, Ed25519-signed hash-chain that runs entirely inside your deployment: it costs nothing, exposes nothing, and needs no external network to work. Separately, its root can be anchored to Bitcoin via OpenTimestamps — that step does reach a public timestamping calendar, publishing a single hash and never your data. It is switched on in our own deployment, it is a switch you control, and it is not what the product is about.
Does anything leave our network?
In the on-premise tier, no. The language model runs locally, the graph is local, the chain is local. There is no mandatory outbound connection — which is itself a security property, because an attacker who fools the model still has nowhere to send anything.
Which model does it use?
A local one, served by Ollama or vLLM — your choice of open-weight model. We are deliberately model-agnostic: the model is the untrusted component, so we avoid depending on any single one of them.
What does it cost?
We do not know yet, and we would rather tell you that than invent a number. Pricing will be discovered with our first design partners against what the system is actually worth to them.
What can it not do?
We wrote that down. It is the “What we do not claim” section above, and we put it on the front page on purpose.

Get notified

Occasional notes on what we are building — the demo going live, the design-partner programme opening. No noise, no newsletter, no list-selling.