Loading
The master document of Citrate Network. Everything else forks from this. We are stewards of software. We are not owners of your data.
This document records what Citrate will do, what it will never do, and what each of those costs. Everything that follows is a commitment a customer, a regulator, or a critic can hold us to.
We are stewards of software. We are not owners of your data.
That sentence is the operative rule of this company. It appears again in the economics, in the architecture, in how we treat a school, and in how we treat a defense prime. If our conduct ever contradicts it, the sentence wins and the conduct is the error.
Our mission is to be the most compliant network for private and public use, and to make that compliance a foundation other people build their own trust on.
Compliant means that in every industry we enter, on every decision that touches security, safety, and auditability, we go further than the regulation asks. A school should not have to read a privacy policy to know its students are safe. A defense prime should not have to take our word that the ledger is honest. The architecture makes the answer obvious.
We give data ownership back to the people who generate it, the corporations that hold it, and the institutions that depend on it. Wherever it can be done, we design for on-premise operation, local ownership, and the customer keeping the keys.
A distributed network that lets an organization run intelligence on its own machines, train models on its own data without surrendering the data, and earn from compute that would otherwise sit idle. The same network is offered to public schools at no cost, so the infrastructure that serves the enterprise also funds the classroom. Underneath it runs a public ledger open enough that a regulator, an auditor, or a parent can check it and find nothing hidden.
We do not want your data to train our model. We have no model that needs your data. We sell the substrate, not the output. There is a token. It meters compute and settles payments. We will never market it as an investment, and we structure the company so our revenue does not depend on its price. We do not hold your workloads on our servers. Your machines, your keys, your premises, your data.
Two business models touch customer data. Own the software and let the customer own the data, or give the software away and take the data. We build the first one. The institutions that matter most to us cannot legally or safely use the second.
This is a constraint we design under. When an engineer here chooses between an architecture that would let us see customer activity and one that would not, the one that keeps us blind wins, even when it is harder to build.
The customers we want cannot use the other model. A hospital cannot put patient data in a cloud that trains on it. A school cannot, by law, hand student records to a vendor that monetizes them. A defense prime cannot run classified workloads on infrastructure it does not control. An accounting firm cannot let its working papers train someone else's product. Serving these institutions honestly is the business.
A constitution that would not survive contact with the P&L is decoration. Here is how the company makes money, stated plainly enough to check.
The business is software and the marketplace.
Revenue comes from three places. Licenses for the software, paid by the organizations that run it. A small fee on real compute changing hands in the marketplace, taken when buyers and sellers transact. And services: implementation, support, and the work of making sovereign infrastructure run inside a real institution. Each one earns money whether the token rises, falls, or sits flat.
We state earnings as outcomes, never as raw rates. The conservative figure is that an idle device earns single-digit to low double-digit dollars per month, depending on the hardware and the demand the network is carrying. A district with a fleet of devices left plugged in overnight earns a sum that is meaningful against a maintenance budget. We will not promise more than the market clears.
Two figures stay out of external use. The raw hourly compute rate, because it forces the reader to do arithmetic to learn what they get. And any device earnings figure stated as a best case, because a best case overstates. The unit economics live in an appendix for the people who need to verify them. The reader gets the outcome.
Enterprises and institutions pay. Public schools do not. The same infrastructure serves both, and the paying side underwrites the free side by design. This is written into what the company is for, and it does not get withdrawn when a quarter looks tight. An enterprise customer should understand, when they sign, that a fraction of what they buy is a classroom they will never see.
What follows are commitments. Each one is something a customer, a regulator, or a critic could check, and each one costs us something.
WE COMMIT
We design every product so the customer can run it on their own premises, hold their own keys, and own their data and models outright. Where on-premise operation is impossible, we state in writing what leaves the building and why.
The cost: on-premise software is harder to sell and support than a hosted service that accumulates lock-in. We build the harder one.
WE COMMIT
Every node operator is identity-verified. There are no anonymous operators on our network and there will be none. We verify who an operator is so the ledger can be trusted. We are built so we cannot see what they compute. The architecture keeps those two things separate.
The cost: identity verification adds friction at signup and rules out the anonymous operator market. We accept both, because a network that runs a hospital's workload cannot be a network of strangers.
WE COMMIT
We treat FERPA, COPPA, CIPA, and PPRA as a floor. A student's models and the adapters they train stay in private custody that the student and their institution control. No student data trains anything of ours. No student data is sold, shared, or surveilled, by anyone, including us. A student carries their models forward year to year.
The cost: public schools join at no cost, so this is the most sensitive data we touch and the one we earn the least to protect. It gets the strongest commitment in this document anyway.
WE COMMIT
We submit to external security audit before mainnet and on a standing basis after. We publish that we have been audited and that findings are closed. We delay any launch that still carries an open serious or critical finding. A deadline never beats a security finding.
The cost: standing audits and launch delays slow us down and cost money. Each industry sets its own regime, and we treat the strictest applicable standard as the baseline.
WE COMMIT
We ground claims in verifiable data. We use plain language with people who did not ask for jargon. We never let a marketing sentence outrun an engineering fact. We publish the research, cite the source, and state the conservative number. When something is unproven, we call it unproven. When we are wrong, we say so and fix it, in public if it was public.
The cost: restraint loses the room to louder competitors in the short run. The reputation we want can only be accumulated slowly.
The commitments above are universal. Each kind of person who touches the network is owed a specific version of the same promise. Article V is the bridge into the go-to-market document.
You keep your data, your models, and your keys. You run on your own premises. You turn idle compute into a line of revenue. You do it on infrastructure built to satisfy your auditors.
You get the same network the enterprises pay for, at no cost, with the strongest child-safety commitments we know how to write. Your students get models that are genuinely theirs. Your district gets revenue from devices that used to sit dark all night. No new hardware, no new taxes, no curriculum mandate.
You get a substrate for verifiable compute that is honest, formally specified, and memory-safe from the ground up. Every job is checked, not trusted. The result is proven and leaves an auditable receipt. You get verified peers. You earn from real demand rather than token emissions. You get documentation that tells you the truth, including where the hard edges are.
You earn from the device you already own, in dollars. You will never be asked to understand a blockchain to benefit from one. The technology is our problem. The benefit is yours.
You get a network built to be checked, not trusted: a ledger you can audit and a company that publishes its audits. We treat your scrutiny as the product working. We would rather you find nothing because there is nothing to find.
This constitution sits above the marketing, the roadmap, and the quarterly pressure to do the easy thing. The go-to-market segmentation forks from Article V. The sequencing plan answers to Article III and Article IV: nothing ships that violates a commitment, and the order of work bends to the commitments, not the other way around.
When a future decision conflicts with a sentence written here, one of two things is true. The decision is wrong, or the sentence needs to change in the open, with a reason, recorded. We will not let a contradiction stand silently. A constitution that is quietly ignored teaches the team that the words mean nothing. These words mean something.
We are stewards of software. We are not owners of your data.