Personal data and routes never leave
Trip routes and passenger data are never written to the ledger or sent to the registry. The boundary is structural, not a setting.
Enterprise · data sovereignty
The node processes. The registry routes and certifies.
Everything operational — dispatch, pricing, trips, passengers, local payments — happens in your node, on your infrastructure. The global registry never sees, stores, or can reconstruct your trips.
Sovereignty isn’t a marketing promise. It’s the architecture: a government can truthfully state that its mobility operation runs on its own infrastructure, and that no third party sees its citizens’ trips.
What lives where
Your data stays in your node. The registry holds the minimum.
A clean split, by design. The operational record — who rode where, for how much — is yours and never leaves your infrastructure. The registry carries only what makes nodes interoperable.
In your node · M03 · yours
Operational data, on your infrastructure
Processed and stored locally. Never written to the ledger, never sent to the registry.
- Trip and passenger data
- Fares and local rules
- Your own-brand app
- Fleet and local drivers
- Local payments
In the registry · minimal
Only what makes nodes interoperable
Deliberately small. No personal data, no routes — the registry can’t reconstruct a trip.
- Driver identity and verification
- Portable reputation Ledger · roadmap
- Payment events — hash + amount, no personal data
- Cross-network routing Roaming · roadmap
- Protocol versioning Protocol · roadmap
your node → certifies → the registry · never → trips, routes, personal data
Build status. The operation plane — the node, your apps, dispatch, payments, tracking — is what ships today. The network layer that holds the registry’s portable reputation (the ledger), cross-network roaming, and protocol versioning is on the roadmap and shown here as the target architecture, not a live service.
The boundary, line by line
A field-by-field map of the data boundary.
The same split, stated formally. Each row names a category and where it lives — there is no overlap and no hidden copy.
| Data category | In your node (yours) | In the registry (minimal) |
|---|---|---|
| Trips & passengers | Stored locally | Never sent |
| Fares & local rules | Stored locally | Never sent |
| Own-brand app | Yours | Not in registry |
| Fleet & local drivers | Stored locally | Not in registry |
| Local payments | Stored locally | Never sent |
| Driver identity & verification | Local copy | Certified |
| Portable reputation | — | Ledger · roadmap |
| Payment events (hash + amount) | — | No personal data |
| Cross-network routing | — | Roaming · roadmap |
| Protocol versioning | — | Protocol · roadmap |
Guarantees
Four guarantees, enforced by the design.
Not policies you have to trust — properties of where the data physically lives and what the registry is built to carry.
Card data is tokenized at the gateway
Raw card details never touch your node or the registry — they are tokenized at the payment gateway, so nothing sensitive is stored downstream.
Data policy configurable by jurisdiction
Residency, retention, and what may cross a border are set per jurisdiction — the rules follow the law where you operate, not a one-size default.
Total portability — your data is yours
If you leave the network, your local data is yours and you export it in full. No lock-in, no hostage data — the operational record was always on your side of the line.
Why it unblocks the public sector
A government can say it truthfully: no third party sees its citizens’ trips.
Public-sector mobility carries a hard constraint — citizen data can’t sit on someone else’s servers, and no vendor can be in a position to reconstruct who went where. This architecture makes that statement true by construction, not by contract.
The operation runs on the government’s own infrastructure. The registry certifies and routes, but holds no trip and no personal data it could ever hand over. Sovereignty isn’t a promise to audit later — it’s the shape of the system.
Sovereignty checklist
- Runs on your infrastructure. The node, the apps, the operational record — all yours.
- No reconstructable trips. The registry holds no routes and no personal data.
- Card data tokenized at the gateway — nothing sensitive stored downstream.
- Policy by jurisdiction. Residency and retention follow local law.
- Full export on exit. Leave with everything; no hostage data.
The registry, ledger, roaming, and protocol shown here are roadmap network-layer components, presented as the target architecture — not a live service today.
Talk to us
Bring your data-protection team. Verify where everything lives.
We’ll walk the boundary field by field — what the node holds, what the registry carries, how policy is set by jurisdiction, and how you export in full if you leave. Under NDA where it matters.