For regulated businesses

Audit-grade. Offline by design.

The Matrix files your documents on the machine they were scanned on — your scan contents never traverse the internet, never reach an LLM, and never appear on someone else's server.

14 days · no credit card · Windows + Linux today, macOS coming soon

What this actually means

Four claims. Each backed by a line of code.

If you can read Python, you can audit our claims. Source paths point to public files in the same repo we ship from.

Offline by design

The stamp and read pipelines read and write files on the user's machine only. No upload step exists. The only outbound HTTP call the desktop app makes is a license validation POST that contains the license key, machine ID, optional machine label, and app version — nothing else.

apps/tray/app.py — validate_license()
services/license/main.py — /license/validate

Cryptographic chain-of-custody

Every stamped page carries a 36-byte payload: a license-keyed XOR-scrambled record of (license_id, doc_id_hash, page_num, timestamp) followed by an HMAC-SHA256 signature truncated to 16 bytes. Forgeries fail HMAC verification on read and are quarantined as UNKNOWN.

src/codec.py — encode() / decode()

Deterministic, not probabilistic

No AI. No OCR. No machine-learning classifier. The barcode either reads cleanly or it doesn't — pages without a verifying payload are classified UNKNOWN, never silently misfiled. A $10M contract cannot be misclassified as an invoice because we don't classify by content.

src/reader.py — group_into_sections()

Nothing we can see

ChunkLand operates no document ingest service. The license server stores license keys, contact email addresses, plans, seat counts, and machine IDs and labels — that's it. We literally cannot answer "how many documents does customer X have" because we don't have the data.

services/license/db.py — licenses, machines tables only
The negative list

What The Matrix does not do.

Security reviews live or die on the negatives. Here is everything that is absent — by design.

  • No cloud document ingest. Your scans never leave your disk.
  • No OCR. We don't read your text.
  • No AI classification. We don't summarise, categorise, or interpret content.
  • No training on your documents — we never receive them.
  • No third-party analytics inside the desktop app. No telemetry on file activity.
  • No data-broker sharing. Ever.
  • No ad networks, no tracking pixels, no marketing SDKs in the app.
  • No password reset flow on the license server — license keys are the only credential.
Chain-of-custody

Every stamped page is a signed receipt.

When you print through The Matrix, each page is stamped with a QR code in the top-right corner. The payload is signed by your license key. Tampering, swapping, or fabricating a page breaks the signature.

The HMAC payload

36 bytes total. The first 20 bytes are XOR-scrambled with a keystream derived from your license key:

  • MAGIC (1 byte) + VERSION (1 byte)
  • license_id (4 bytes) — derived from your license key
  • doc_id_hash (8 bytes) — uint64 hash of the document name
  • page_num (2 bytes) — 1-based page number
  • timestamp (4 bytes) — minute-resolution Unix time

Then 16 bytes of HMAC-SHA256(license_key, scrambled_payload). Verification is constant-time via hmac.compare_digest. A wrong key or a flipped bit fails the read with CodecError("HMAC mismatch — wrong license key or forged payload").

$ matrix verify scan_2026-04-22.pdf --page 3
document_id: b7a3f9d2c5e10148
stamped:     2026-04-22T10:14:03Z
license:     MTX-8XDR-3K7Q-WP2N-94JT
page:        3 of 5
hmac:        12 a4 7e 9c 31 2b 8f 01 6d 5a 4e f3 28 71 9b cc
signature:   valid ✓

Above is illustrative output — see src/codec.py decode() for the verifier.
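The 36-byte layout described above, as an added sketch that is not ChunkLand's src/codec.py. The MAGIC and VERSION values, big-endian packing, the keystream derivation, the license_id and doc_id_hash derivations, and storing the timestamp as minutes are all assumptions; only the field sizes, the truncated HMAC, hmac.compare_digest and the CodecError message come from the page.

```python
# Added illustration of the 20-byte record + 16-byte tag layout; not the project's code.
import hashlib
import hmac
import struct

MAGIC, VERSION = 0x4D, 1            # assumed values; the page gives only the sizes
HEADER = struct.Struct(">BBIQHI")   # 1+1+4+8+2+4 = 20 bytes, big-endian assumed
TAG_LEN = 16                        # HMAC-SHA256 truncated to 16 bytes


class CodecError(Exception):
    pass


def _keystream(key: bytes) -> bytes:
    # Assumed derivation: the page only says "derived from your license key".
    return hashlib.sha256(b"keystream|" + key).digest()[:HEADER.size]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def encode(key: bytes, doc_name: str, page_num: int, unix_time: int) -> bytes:
    # Both ID derivations below are assumptions made for this sketch.
    license_id = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
    doc_hash = int.from_bytes(hashlib.sha256(doc_name.encode()).digest()[:8], "big")
    plain = HEADER.pack(MAGIC, VERSION, license_id, doc_hash, page_num, unix_time // 60)
    scrambled = _xor(plain, _keystream(key))
    # The tag covers the scrambled bytes, as in HMAC-SHA256(license_key, scrambled_payload).
    return scrambled + hmac.new(key, scrambled, hashlib.sha256).digest()[:TAG_LEN]


def decode(key: bytes, payload: bytes) -> dict:
    if len(payload) != HEADER.size + TAG_LEN:
        raise CodecError("bad payload length")
    scrambled, tag = payload[:HEADER.size], payload[HEADER.size:]
    expected = hmac.new(key, scrambled, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # verify before unscrambling anything
        raise CodecError("HMAC mismatch — wrong license key or forged payload")
    magic, version, lic, doc, page, minutes = HEADER.unpack(_xor(scrambled, _keystream(key)))
    if (magic, version) != (MAGIC, VERSION):
        raise CodecError("unknown magic or version")
    return {"license_id": lic, "doc_id_hash": doc, "page_num": page, "timestamp": minutes * 60}
```

In this sketch the keystream is identical for every page, so the XOR step only obscures the record; tamper evidence comes entirely from the HMAC check.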

Network-egress audit

Every outbound packet, accounted for.

If you put The Matrix behind a firewall and watched the traffic, this is everything you would see. Nothing else.

| Destination | When | Body sent | Body NOT sent |
| license.chunkland.com /license/validate | App start, then on-demand | license_key, machine_id, machine_label (optional), app_version | No scan contents. No file paths. No file names. No user names. No document IDs. No HMAC payloads. |
| hello@chunkland.com (mailto:) | Manual — you click "Resend my license" or "Email support" | Whatever you type in your email client | App never auto-sends mail. App never reads your inbox. |

That's the entire egress surface. The license server never receives document data because the desktop app never sends document data — the validate endpoint accepts the four fields above and rejects anything else (verified in services/license/main.py — ValidateRequest).
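A reviewer-side check of the egress table above, as an added example that is not part of The Matrix. It assumes the validate body is JSON and that request records come from your own TLS-intercepting proxy export; the record format and the sample records are constructed for illustration.

```python
# Added audit helper: flags any captured request outside the documented egress surface.
import json

ALLOWED_HOST = "license.chunkland.com"
ALLOWED_PATH = "/license/validate"
REQUIRED = {"license_key", "machine_id", "app_version"}
OPTIONAL = {"machine_label"}          # listed as optional in the egress table


def audit_egress(records):
    """Return (index, reason) for every record that deviates from the table."""
    findings = []
    for i, rec in enumerate(records):
        if rec["host"] != ALLOWED_HOST:
            findings.append((i, f"unexpected destination {rec['host']}"))
            continue
        if rec["method"] != "POST" or rec["path"] != ALLOWED_PATH:
            findings.append((i, f"unexpected request {rec['method']} {rec['path']}"))
            continue
        try:
            body = json.loads(rec["body"])
        except ValueError:
            findings.append((i, "body is not JSON"))
            continue
        if not isinstance(body, dict):
            findings.append((i, "body is not a JSON object"))
            continue
        extra = set(body) - REQUIRED - OPTIONAL
        missing = REQUIRED - set(body)
        if extra:
            findings.append((i, "undocumented fields: " + ", ".join(sorted(extra))))
        if missing:
            findings.append((i, "missing fields: " + ", ".join(sorted(missing))))
    return findings


# Constructed sample records (not real traffic).
SAMPLE = [
    {"host": "license.chunkland.com", "method": "POST", "path": "/license/validate",
     "body": '{"license_key": "MTX-EXAMPLE", "machine_id": "m-01", "app_version": "1.0.0"}'},
    {"host": "license.chunkland.com", "method": "POST", "path": "/license/validate",
     "body": '{"license_key": "MTX-EXAMPLE", "machine_id": "m-01", '
             '"app_version": "1.0.0", "file_name": "x.pdf"}'},
    {"host": "telemetry.example.net", "method": "POST", "path": "/v1/events", "body": "{}"},
]
```

An empty result from audit_egress over a full capture session is the outcome the egress table predicts; any finding is a discrepancy to raise with the vendor.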

Compliance posture

How The Matrix maps to your framework.

We sit on the lawful side of these regimes by handling no personal information ourselves. You stay the data controller. Below: what each framework requires, how The Matrix meets it, and what stays your job.

| Framework | What it requires | How The Matrix meets it | What you still need to do |
| Privacy Act 1988 (AU) & the APPs | Lawful collection, use, disclosure, security, and storage of personal information; cross-border disclosure controls (APP 8). | The Matrix never collects, uses, or discloses your clients' personal information. Scans stay on your device. No cross-border transfer occurs because no transfer occurs. | Maintain your own APP 1 privacy policy. Secure the workstation. Manage retention/destruction of the local files. |
| GDPR (EU) | Lawful basis, data minimisation, purpose limitation, security of processing, data-subject rights, restricted international transfers. | ChunkLand processes no personal data inside your scans (Art. 4). No transfer to the EU/from the EU is performed by the app. The license server holds your own contact email + license key only. | You remain the controller. Document your lawful basis, run your DPIA, and handle subject access for the documents you hold. |
| HIPAA (US) | Covered entities and business associates must safeguard PHI; vendors who touch PHI sign a BAA. | We do not claim a BAA — and we don't need one, because The Matrix does not transmit, store, or process PHI on our infrastructure. You process PHI locally; we never see it. | You apply HIPAA Security Rule controls to the workstation, the disk, and your backup chain. |
| Attorney–client privilege | Privileged communications must not be disclosed to third parties; cloud transmission can risk waiver. | Privileged matter never leaves your control. There is no third party in the document path. Stamped pages are signed under your license — providing a forensic chain-of-custody if challenged. | Apply your firm's standard physical and digital safeguards to the workstation. |

Not legal advice. ChunkLand is a sole trader (ABN 53 628 676 390) — you are responsible for your compliance posture. We're happy to provide written attestation (below) for your auditor.

vs. cloud AI doc sorters

Local + deterministic vs. cloud + probabilistic.

The category that uploads your scans to a server, runs an OCR + LLM pass, and "intelligently" sorts. That's a different threat model from ours.

| | The Matrix (local + deterministic) | Cloud AI doc sorters |
| Where your data lives | Your disk. Optional external drive. That's it. | Vendor cloud + sub-processors (LLM provider, storage, CDN). |
| Who can subpoena it | Only you. We hold no copy. | Vendor + every sub-processor in their chain. |
| Forensic provability | HMAC-SHA256 per page — tamper-evident. | "Filename was correct when we last saw it." |
| Offline operation | Yes — 7-day grace mode for air-gapped runs. | No. Loss of internet = no sorting. |
| Cost scaling | Flat fee per seat. Unmetered pages. | Per-page or per-API-call — costs grow with volume. |
| Misfile risk | Page either has a valid signature or is flagged UNKNOWN. No silent misclassification. | Probabilistic — model confidence varies, errors are silent. |

For your auditor

Signed attestation letter.

Business-tier customers can request a signed PDF attestation suitable for sharing with internal audit, an external assessor, or a procurement reviewer.

What the letter says

It's a one-page PDF on ChunkLand letterhead, signed and dated, stating:

ChunkLand attests that The Matrix does not transmit scanned document contents over any network. The desktop application's only outbound communication is a license-validation request to license.chunkland.com, the contents of which are limited to license key, machine ID, machine label, and app version. Valid from {issue_date} for 12 months.

Signed, ChunkLand sole trader
ABN 53 628 676 390

If your procurement process requires it earlier, send us your customer name and we'll issue it within two business days.

For security reviewers

Questions we get from compliance teams.

Does The Matrix send my documents to OpenAI, Google, or any LLM?

No. There is no LLM call, no AI vendor, and no inference service in the document path. See "Network-egress audit" above — the only outbound traffic is a license-validation POST containing the license key, machine ID, machine label, and app version. No scan contents, file names, or document IDs ever leave your machine.

Where is my data stored?

On your machine's disk, in folders you choose during setup (default ~/Matrix/inbox, outbox, scans, filed). You can point those at an external drive, an encrypted volume, or a network share that you control. ChunkLand has zero copies — we have no document storage of any kind.

Can I run this air-gapped?

Yes. The desktop app validates your license online at first launch, then enters a 7-day offline grace period. While in grace mode, stamping and reading both work without a network connection. Re-validate online once a week to keep grace rolling. Implementation: apps/tray/app.py — validate_license(), grace_days = 7.

What happens to my data if ChunkLand shuts down?

Nothing happens to your data. Your stamped PDFs and your already-sorted folders sit on your disk forever — they're regular files we never touched. Your license key sits in a local config file and your ~/Matrix folders keep working. Worst case, the desktop app stops being able to call the validation server; a future release would unlock that with an offline-permanent license. There is no vendor lock-in because there is no vendor data path to lock you into.

Do you have SOC 2 or ISO 27001?

Not yet. We're a sole trader; enterprise-grade audits cost $50k+ and we'd rather pass that cost on transparently than bake it into prices for customers who don't need it. If your procurement process requires SOC 2 or ISO 27001 to deploy, email us — we're open to procurement-funded certification for contracts at or above $25,000 ARR.

What's your data-breach notification policy?

We have no customer document data to breach. The only customer data we hold is on the license server: license keys, contact email addresses, plan, seat counts, and machine IDs/labels (the threat model and rotation procedures for these are documented in services/license/SECURITY.md). If that database is ever compromised, we will notify affected customers by email within 72 hours and follow the rotation playbook. There is no document-content breach path because there is no document-content storage.

For procurement & security teams

Already an enterprise buyer?

If you need to take this to a security committee before signing, we're happy to walk through any of the following — at no cost, no obligation.

What we can run with you

  • Source-code review — remote, ~30 minutes. We share screen, walk you through codec.py, reader.py, and the license-validate endpoint, and you ask whatever you want.
  • Egress firewall test — run The Matrix behind a restrictive firewall on your side. We'll specify the only outbound destination it needs (license.chunkland.com), and you can confirm with your own packet capture that nothing else moves.
  • Custom attestation language — if your procurement template needs specific wording, send it over. We'll mark up what we can sign as-is, redline what needs adjusting, and explain why.

Email hello@chunkland.com with the subject line "Procurement review". A human responds within one business day.


Pilot it on a folder. Show your auditor the result.

Spin up a 14-day trial, stamp a real day's worth of work, and hand your security reviewer this page plus the signed attestation letter. No credit card. Cancel any time.

Start a 14-day trial Email security@chunkland.com