← Return to Datacendia
📜

Architecture Protocol

The definitive technical specification for the Datacendia Cortex. This document serves as the authoritative reference for system architecture, data flows, security boundaries, and integration protocols.

Version 1.0 · January 2026

Table of Contents

1

System Overview

The Datacendia Cortex is a decision operating system designed for enterprises that require cryptographic proof of AI reasoning. It is not a chatbot, not a copilot, and not a prediction engine. It is an accountability layer that sits between raw data and defensible business decisions.

The system comprises eight interdependent pillars, each addressing a distinct enterprise requirement:

  1. CendiaAgents — Cognitive engine (multi-agent deliberation)
  2. CendiaEthics — Governance layer (policy enforcement)
  3. CendiaGuard — Security layer (sovereignty protection)
  4. CendiaLineage — Provenance layer (data lineage & truth)
  5. CendiaHelm — Interface layer (command & control)
  6. CendiaPredict — Forecasting layer (scenario simulation)
  7. CendiaFlow — Execution layer (authorized actions)
  8. CendiaHealth — Reliability layer (system monitoring)

Together, these pillars transform the Cortex from "software" into "infrastructure" — a foundational layer that enterprises can trust with their most consequential decisions.

2

Design Principles

2.1 Sovereignty Over Convenience

Every architectural decision prioritizes customer control over operational simplicity. The customer owns the infrastructure, the encryption keys, and the audit trail. Datacendia provides software; the customer provides sovereignty.

  • Encryption keys never leave customer-controlled KMS/HSM
  • Data never leaves customer infrastructure perimeter
  • Air-gapped deployment is first-class, not an afterthought
  • No telemetry, no call-home, no license phone-home in offline mode

2.2 Proof Over Trust

The system generates cryptographically signed evidence packets for every decision. When a regulator asks "why did you decide this?", the answer is not a verbal explanation — it is a tamper-evident artifact.

  • Every decision produces a Decision Trace (inputs, reasoning, output)
  • Traces are cryptographically hashed and chained (Merkle tree)
  • Signatures use Ed25519 or RSA-PSS (customer choice)
  • Export formats: JSON, PDF, XBRL (regulatory)

2.3 Dissent Over Consensus

The Council architecture institutionalizes disagreement. Multiple specialized agents debate each decision. Conflict is a feature, not a bug — it surfaces blind spots before they become liabilities.

  • Minimum 4 agents per deliberation (configurable up to 14)
  • RedTeam agent always active (adversarial by design)
  • Consensus requires explicit agreement, not averaging
  • Deadlocks escalate to human review with full context

2.4 Depth Over Wrappers

The Cortex is not a thin layer over third-party APIs. Each pillar contains proprietary logic that cannot be replicated by prompt engineering alone. The moat is architectural, not superficial.

3

The Eight Pillars

3.1 CendiaAgents (The Cognitive Engine)

The orchestration layer where The Council lives.

The CouncilMulti-agent deliberation environment. Agents represent stakeholder perspectives (CFO, CISO, Risk, Strategy, Legal, Operations).
RedTeam ModuleProject HUME. Adversarial agent that challenges consensus. Always active. Cannot be disabled without audit trail.
Analyst ModuleProject SMITH. Strategic analysis and efficiency optimization. Primary data synthesizer.
Mirror ModuleStakeholder simulation. Models external perspectives (customers, employees, regulators) before they surface.
Synthesis EngineMeta-model that resolves agent conflict into final recommendation. Outputs include confidence intervals and dissent logs.

3.2 CendiaEthics (The Conscience)

The governance layer that prevents liability before it occurs.

CendiaVetoBinary logic gate. Blocks actions violating risk policy. No override without human approval + audit trail. The "kill switch."
The SpectatorImpartial Observer module (Adam Smith model). Flags reputational and ethical risks using stakeholder impact analysis.
Compliance OracleReal-time regulatory lookup. GDPR, Basel III, HIPAA, SOX, internal bylaws. Updated via secure channel or offline bundle.

3.3 CendiaGuard (The Shield)

The security layer protecting sovereignty.

Decision DNAImmutable audit ledger. Cryptographic hashing (SHA-256) of every decision. Merkle tree structure for efficient verification.
Anonymizer CortexPII stripping before context window ingestion. Configurable rules. Supports GDPR Article 17 (right to erasure).
Air-Gap ProtocolUnidirectional data flow management. Optical diode logic for classified environments. No outbound connections required.
Shadow Mode ShredderCryptographic deletion of intermediate "thought processes." Minimizes discovery risk in litigation.

3.4 CendiaLineage (The Truth)

The memory and provenance layer.

CendiaChronosTime-travel engine. Replays system state at T-1 to prove why a decision was made at that moment. Point-in-time reconstruction.
Knowledge GraphEntity relationship mapping. Connects people, policies, documents, and decisions. Neo4j-compatible export.
Source AttributionToken-level provenance. Every output token tagged with source document, page, and confidence score.
Data BrokerCentral nervous system. Routes data between storage, agents, and outputs. Full audit trail of all data movement.

3.5 CendiaHelm (The Interface)

The command and control layer.

NLP Command ProcessorNatural language to structured action translation. Supports complex queries without code.
Voice BiometricsOptional operator identity verification. Multi-factor for high-stakes decisions.
Sovereign Response GeneratorOutput formatting engine. PDF, JSON, email, XBRL, custom templates.

3.6 CendiaPredict (The Foresight)

The forecasting and simulation layer.

Scenario SimulatorMonte Carlo simulations driven by agent debates. Thousands of futures, ranked by probability and impact.
Trend ExtrapolatorTime-series projection. Identifies inflection points and emerging risks from historical patterns.

3.7 CendiaFlow (The Hands)

The execution and automation layer.

The ActuatorAuthorized action executor. API calls, emails, workflow triggers. Active only after CendiaVeto approval.
Connector MeshPre-built integrations. ERP (SAP, Oracle), CRM (Salesforce), Banking Core, HRIS. All connections stay within customer perimeter.

3.8 CendiaHealth (The Pulse)

The system reliability layer.

Drift DetectorModel behavior monitoring. Alerts when outputs deviate from baseline distribution.
Agent Sanity CheckPeriodic ground truth validation. Catches hallucination before production impact.
Resource MonitorVRAM/CPU/memory tracking. Prevents resource starvation in constrained environments.
4

Data Flow Architecture

Data flows through the Cortex in a strictly controlled sequence. No data bypasses the security and ethics gates.

┌─────────────────────────────────────────────────────────────────┐
│                        CUSTOMER PERIMETER                        │
├─────────────────────────────────────────────────────────────────┤
│                                                                  │
│  ┌──────────┐    ┌──────────────┐    ┌──────────────────────┐   │
│  │  SOURCE  │───▶│  ANONYMIZER  │───▶│     DATA BROKER      │   │
│  │   DATA   │    │    CORTEX    │    │  (CendiaLineage)     │   │
│  └──────────┘    └──────────────┘    └──────────┬───────────┘   │
│                                                  │               │
│                                                  ▼               │
│                                       ┌──────────────────────┐   │
│                                       │    THE COUNCIL       │   │
│                                       │   (CendiaAgents)     │   │
│                                       │  ┌────┐ ┌────┐       │   │
│                                       │  │ A1 │ │ A2 │ ...   │   │
│                                       │  └────┘ └────┘       │   │
│                                       └──────────┬───────────┘   │
│                                                  │               │
│                                                  ▼               │
│  ┌──────────────┐    ┌──────────────┐    ┌──────────────────┐   │
│  │   WITNESS    │◀───│   SYNTHESIS  │◀───│   CENDIA VETO    │   │
│  │   LEDGER     │    │    ENGINE    │    │   (Ethics Gate)  │   │
│  └──────────────┘    └──────┬───────┘    └──────────────────┘   │
│                             │                                    │
│                             ▼                                    │
│                  ┌──────────────────────┐                        │
│                  │   DECISION OUTPUT    │                        │
│                  │  (Signed Evidence)   │                        │
│                  └──────────────────────┘                        │
│                                                                  │
└─────────────────────────────────────────────────────────────────┘

Figure 4.1: Core data flow through the Datacendia Cortex

4.1 Ingestion Phase

Source data enters through the Anonymizer Cortex, which:

  • Identifies and tags PII using configurable rules
  • Strips or pseudonymizes sensitive fields before context window
  • Logs all transformations to Decision DNA

4.2 Processing Phase

The Data Broker routes cleaned data to The Council, where:

  • Multiple agents receive the same input simultaneously
  • Each agent processes independently (no cross-contamination)
  • RedTeam agent receives additional adversarial prompting

4.3 Synthesis Phase

Agent outputs flow to the Synthesis Engine, which:

  • Identifies areas of agreement and disagreement
  • Weights recommendations by agent confidence scores
  • Generates unified recommendation with dissent log

4.4 Veto Phase

Before output, CendiaVeto evaluates the recommendation against:

  • Configured risk policies (hard limits)
  • Compliance Oracle rules (regulatory constraints)
  • The Spectator assessment (reputational risk)
Critical Constraint

If CendiaVeto blocks a recommendation, no output is produced until human override with explicit justification. The override itself is logged to Decision DNA with the approver's identity.

4.5 Output Phase

Approved recommendations are:

  • Cryptographically signed (Ed25519 or RSA-PSS)
  • Hashed and appended to the Witness ledger
  • Formatted per Sovereign Response Generator templates
  • Optionally executed via The Actuator (CendiaFlow)
5

Deliberation Protocol

The Council's deliberation follows a structured protocol designed to maximize disagreement visibility while converging on actionable recommendations.

5.1 Agent Configuration

ParameterDefaultRangeDescription
agent_count84-14Number of active agents per deliberation
max_rounds31-5Maximum deliberation rounds before forced synthesis
consensus_threshold0.70.5-1.0Agreement level required to skip additional rounds
redteam_weight1.5x1.0-2.0xWeighting multiplier for RedTeam dissent
timeout_seconds30060-900Maximum time per deliberation

5.2 Deliberation Rounds

Round 1: Independent Analysis

  • Each agent receives identical input context
  • Agents produce independent assessments (no visibility to others)
  • Outputs include: recommendation, confidence, key evidence, risks identified

Round 2: Cross-Examination

  • Agents receive summary of Round 1 positions (anonymized)
  • Each agent responds to contrary positions
  • RedTeam agent specifically targets majority consensus

Round 3: Final Position

  • Agents issue final recommendations with updated confidence
  • Explicit "agree" or "dissent" on emerging consensus
  • Dissenting agents must provide specific objections

5.3 Deadlock Handling

If consensus_threshold is not met after max_rounds:

  1. Synthesis Engine generates "split recommendation" output
  2. All agent positions preserved in Decision Trace
  3. Decision escalated to human reviewer with full context
  4. Human must select a position or provide alternative
  5. Human decision logged with identity and justification
Design Rationale

Deadlocks are not failures. They indicate genuine uncertainty or conflicting priorities that require human judgment. The system is designed to surface complexity, not hide it.

6

Security Model

6.1 Trust Boundaries

The Cortex operates within a single trust boundary: the customer perimeter. Datacendia software runs inside this boundary; Datacendia personnel operate outside it.

ComponentLocationAccess
Application CodeCustomer infrastructureCustomer admins only
Customer DataCustomer storageNever leaves perimeter
Encryption KeysCustomer KMS/HSMCustomer-controlled
Audit LogsCustomer storageImmutable, customer-owned
Model WeightsCustomer computeEncrypted at rest

6.2 Encryption Standards

ContextAlgorithmKey Size
Data at restAES-256-GCM256-bit
Data in transitTLS 1.3256-bit (ECDHE)
Decision signaturesEd25519 or RSA-PSS256-bit / 4096-bit
Ledger hashingSHA-256256-bit
Key derivationHKDF-SHA256Configurable

6.3 Authentication & Authorization

  • Identity: SAML 2.0, OIDC, or local directory integration
  • MFA: Required for all administrative access
  • RBAC: Role-based access control with audit logging
  • Session: Configurable timeout, secure cookie handling

6.4 Air-Gap Protocol

For air-gapped deployments, the system operates with zero outbound network connectivity:

  • License validation: Offline cryptographic verification
  • Model updates: Secure offline bundle transfer (USB, optical)
  • Compliance updates: Manual Compliance Oracle refresh
  • Telemetry: Disabled entirely (no stub, no placeholder)
7

Audit & Lineage

7.1 Decision Trace Structure

Every deliberation produces a Decision Trace with the following components:

{
  "trace_id": "dt-2025-12-26-a1b2c3d4",
  "timestamp": "2025-12-26T14:32:17.000Z",
  "inputs": {
    "query": "Should we proceed with the acquisition?",
    "documents": ["doc-001", "doc-002", "doc-003"],
    "context_hash": "sha256:9f86d08..."
  },
  "agents": [
    {
      "agent_id": "analyst-001",
      "recommendation": "PROCEED",
      "confidence": 0.82,
      "key_evidence": ["revenue_projection.xlsx:row_47"],
      "risks": ["integration_complexity"]
    },
    {
      "agent_id": "redteam-001",
      "recommendation": "CAUTION",
      "confidence": 0.71,
      "dissent": "Regulatory approval timeline underestimated",
      "evidence": ["ftc_precedent_2024.pdf:page_12"]
    }
  ],
  "synthesis": {
    "recommendation": "PROCEED_WITH_CONDITIONS",
    "conditions": ["regulatory_contingency_clause"],
    "consensus_score": 0.73
  },
  "veto_status": "APPROVED",
  "signature": "ed25519:base64...",
  "ledger_hash": "sha256:3c9909a..."
}

7.2 Decision DNA Ledger

The Witness ledger is an append-only data structure with Merkle tree verification:

  • Each Decision Trace is hashed and appended
  • Each entry includes hash of previous entry (chain)
  • Merkle root updated with each append
  • Verification: Any entry can be proven against root

7.3 CendiaChronos Time-Travel

To prove why a decision was made at a specific point in time:

  1. Specify target timestamp (T-1)
  2. CendiaChronos reconstructs system state at T-1
  3. Replays deliberation with historical context
  4. Produces "Reconstruction Report" showing inputs available at T-1

This is critical for regulatory defense: proving the decision was reasonable given what was known at the time.

8

Deployment Modes

ModeInfrastructureNetworkDatacendia AccessUse Case
Private CloudCustomer VPC (AWS/Azure/GCP)Internet (TLS)Metadata only (opt-in)Enterprise standard
On-PremisesCustomer data centerInternal onlyNoneRegulated industries
Air-GappedIsolated networkNo externalNoneDefense, intelligence

8.1 Hardware Requirements

ComponentMinimumRecommendedNotes
GPUNVIDIA A10 (24GB)NVIDIA H100 (80GB)For local inference
CPU16 cores64 coresFor orchestration
RAM64 GB256 GBFor context caching
Storage500 GB SSD2 TB NVMeFor ledger + models

8.2 Container Architecture

The Cortex deploys as a set of containerized services:

  • cortex-core: Main application (CendiaAgents, CendiaEthics)
  • cortex-guard: Security services (CendiaGuard, Decision DNA)
  • cortex-lineage: Data services (CendiaLineage, CendiaChronos)
  • cortex-health: Monitoring (CendiaHealth)
  • cortex-inference: Model serving (GPU-bound)

Orchestration: Kubernetes (preferred) or Docker Compose (small deployments).

9

Integration Protocol

9.1 API Surface

The Cortex exposes a REST API for programmatic access:

POST /api/v1/deliberate
Authorization: Bearer {token}
Content-Type: application/json

{
  "query": "string",
  "documents": ["doc_id_1", "doc_id_2"],
  "agent_config": {
    "count": 8,
    "include_redteam": true
  },
  "output_format": "json" | "pdf"
}

9.2 Connector Mesh

Pre-built connectors for enterprise systems:

CategorySystemsProtocol
ERPSAP S/4HANA, Oracle EBS, NetSuiteOData, REST
CRMSalesforce, HubSpot, Dynamics 365REST, SOAP
DocumentSharePoint, Box, Google DriveREST, WebDAV
DatabasePostgreSQL, SQL Server, SnowflakeJDBC, ODBC
IdentityOkta, Azure AD, PingSAML, OIDC

9.3 Webhook Events

The Cortex emits events for external consumption:

  • deliberation.started — New deliberation initiated
  • deliberation.completed — Deliberation finished (includes trace_id)
  • veto.triggered — CendiaVeto blocked a recommendation
  • escalation.required — Human review needed
  • health.alert — System health warning
10

Known Limits

The following limitations are acknowledged and documented:

10.1 Technical Limits

LimitValueMitigation
Context window128K tokens (model-dependent)Chunking + retrieval augmentation
Concurrent deliberationsLimited by GPU memoryQueue management, horizontal scaling
Ledger sizeUnbounded (storage-limited)Archival policies, cold storage
Agent latency5-60 seconds per roundAsync processing, timeout controls

10.2 Operational Limits

  • Model drift: Models may degrade over time. CendiaHealth monitors, but cannot prevent drift — only detect it.
  • Adversarial inputs: Malicious prompts may cause unexpected behavior. Input sanitization reduces but does not eliminate risk.
  • Consensus deadlocks: Agents may fail to agree. System escalates to humans, but cannot force consensus.
  • Regulatory lag: Compliance Oracle updates are periodic. New regulations may not be reflected immediately.

10.3 What The Cortex Does Not Do

  • Does not make decisions autonomously (always produces recommendations for human action)
  • Does not guarantee correctness (provides evidence, not truth)
  • Does not replace human judgment (augments and documents it)
  • Does not connect to external networks in air-gapped mode (by design)
The Honesty Principle

This document exists because we believe enterprise buyers deserve to know the limits of the systems they depend on. If a failure mode isn't documented here, it's because we haven't discovered it yet — not because we're hiding it.

SYSTEM STATUS: AIR-GAP READY · NO TRACKER PIXELS DETECTED