Features How it works Use cases Developers Blog Contact
Now onboarding EU partners

Verifiable records for
regulated industries

An on-device or in-app agent signs every record at the moment of capture with a hardware-backed key, then anchors a tamper-evident proof on a public consensus ledger. Any auditor with a record reference verifies against the chain — without us, and without your internal systems.

Request Early Access How it works
How your data becomes trusted
Your Device
Measures & reports in real time
Live data
Secure transmission
Trustnex
Seals & preserves your proof
Tamper-proof
Permanent record
Auditor or Buyer
Verifies independently, instantly
✓ Trusted

From the moment your sensor reports a measurement to the moment an auditor confirms it — Trustnex guarantees nothing was changed.

The chain of evidence has three links, and we don't sit inside any of them.

Each record is signed at the source with a hardware-backed key and anchored on a public consensus ledger. An auditor with a record reference checks it against the chain directly. The company is not a party to the proof.

If Trustnex disappears tomorrow, your records remain provable. The signatures live on your devices, the anchors live on a public ledger, and neither depends on us being online.

What happens to your data
  • We do not store, see, or hold custody of your raw measurements
  • We cannot alter or un-publish a record once it's anchored on-chain
  • No intermediary sits between your device and the public ledger
  • Any third party with the record ID can verify independently
  • Verification keeps working if Trustnex disappears
  • Tampering is detectable in seconds — broken signature, missing leaf, no anchor

You choose what leaves your premises.

Two modes, identical proof. The verifier doesn't know — or care — which one your records came from. You decide what Trustnex sees, record by record.

Mode 1 · Default

Proof only

What leaves your site: a device or source identifier, a timestamp, a hash of the record, and a cryptographic signature. The record itself stays on-premise.

  • Trustnex never sees the actual data
  • Data-sovereignty boxes check themselves
  • Auditors verify by comparing hashes against your own database
For: regulated data you cannot share, in-scope process readings, or anywhere data-sovereignty is mandated.
Mode 2 · Optional

Proof + data

Same signatures and anchors as above, plus the records themselves flow to Trustnex. Enables dashboards, anomaly detection, and analytics on verified data.

  • Identical cryptographic signatures and on-chain anchors
  • Per-source choice — on for some, off for others
  • A customer-owned mirror keeps a copy under your control
For: when the value of analytical insight outweighs the privacy boundary, or for non-sensitive records.

The proof bundle, the verification flow, and the public anchor are identical in both modes. An auditor can't tell which one produced a record — and doesn't need to.

Where unverifiable data turns into liability.

Four threats Trustnex neutralises directly. Each one corresponds to a verification step in the chain — when a link breaks, it breaks in public, not inside our database.

Threat

Device tampering

The signing key lives inside a hardware crypto chip on the device — it never exists in software memory and never leaves the chip. Firmware modification or sensor substitution breaks the signature path and is detectable at the moment of verification.

Threat

Database modification

Records altered after sealing no longer match the proof already anchored on-chain. The mismatch is observable by anyone, not just by us. Each record cryptographically references its predecessor — silently rewriting an old record breaks the chain, detectable at the bundle level before any anchor is consulted.

Threat

Insider manipulation

Anchoring is one-way and timestamped on a public consensus ledger. Each record carries a hardware-rooted sequence number that cannot be reset, even with physical access to the device. Silent reorder, replay, or insertion of historical records is mathematically detectable.

Threat

Regulatory dispute

An auditor verifies independently from the public ledger using the record reference. Trustnex is not on the proof path — the company name does not appear in the verification chain. Early pilots estimate audit time and cost reduced by 30–50% versus traditional on-site review.

Not a database. Not a dashboard. A proof layer.

Trustnex sits between your telemetry and the public ledger. Every measurement gets sealed; nothing else passes through. What an auditor verifies is the chain, not us.

Tamper-evident at the source

Each reading is signed on the device with a hardware-backed key before it leaves the box. Any byte modified downstream — in transit, in storage, in our pipeline — invalidates the signature.

Mapped to EU reporting

Built to plug into CSRD, CBAM, DPP, and Verra VCS workflows. Auditors fetch the proof directly instead of taking your spreadsheet on faith.

Verifiable without us

A third party with the record reference checks it against the on-chain anchor directly. Trustnex is not in the verification loop.

Built to fit existing infrastructure.

Five components in a clear chain. The signing key never leaves the device, and verification needs nothing from us.

Sources

Data sources

Your existing sources — sensors, apps, services — keep operating without changes to your pipeline.

Edge

Runtime agent

A small agent runs alongside your existing code. The signing key never crosses the network.

Batch

Merkle batcher

Records are grouped on a fixed interval into a single tamper-evident batch.

Anchor

Public consensus ledger

Each batch is recorded on a public consensus ledger with a verifiable timestamp no one can rewrite.

Verify

Public verifier

Anyone with a record reference checks it against the public anchor — without us in the loop.

Lifecycle

One record, six irreversible stages.

Follow a single measurement from capture to public verification. Each stage produces evidence the next one binds to.

01
Captured
{ temp: 21.4, ts: 1729384921 }
02
Hashed
SHA-256 · a3f9c2d4…
03
Signed
Ed25519 · device key
04
Batched
Merkle root · 8b1e9c…
05
Anchored
Ledger · seq 1729384
06
Verified
OK · without us
How it works

A measurement becomes a checkable record without changing how you collect data.

Trustnex works quietly in the background — your operations stay the same, but every measurement becomes a piece of verified, permanent evidence.

Your devices keep working

Nothing changes in how you collect data. Trustnex connects to your existing infrastructure without disruption or downtime.

We seal every measurement

Each reading is signed by our on-device agent the moment it's captured and anchored to a public ledger. The result: an unbreakable record that proves your data has never been touched.

Anyone can verify, instantly

Share a link. Your auditor, buyer, or regulator opens it and sees instant confirmation — no calls, no paperwork, no delays.

Six sectors where regulators ask for the number and the proof behind it.

Each sector pairs with a real regulatory frame — CSRD, CBAM, DPP, Verra VCS — and with the audit-trail expectations of food and pharma chains. Trustnex provides the proof that lives alongside the record.

Agriculture · Verra VCS

Carbon-farming claims, signed at the field

Soil-carbon meters, methane sensors, dosing pumps — each reading carries its own signature before it leaves the device. Certification bodies pull MRV evidence aligned with Verra VCS instead of trusting your operator log.

Manufacturing · CBAM

Cross-border emissions, backed by evidence

Process meters and emissions instruments sign each reading at the line. CBAM declarations carry verifiable evidence at the level of individual measurements, not a year-end self-attestation.

Sustainability reporting · CSRD

Operational data your CSRD report can stand on

Production lines, emissions stacks, water meters — sensor data arrives at the assurance provider already carrying its own proof.

Food & beverage · audit trail

Farm-to-shelf records you can hand to a certifier

Origin readings, processing steps, cold-chain events — each one signed at capture. Certifiers and retail buyers query the record itself, not your paper trail.

Supply chain · DPP

A Digital Product Passport you can actually verify

Origin readings, batch records, handover events — each step signed and anchored. DPP entries carry verifiable evidence across the whole product lifetime.

Pharma · cold chain (GDP)

Distribution records aligned with GDP

Temperature, location, and custody events along the distribution chain — each one signed at the event. Inspectors get records aligned with Good Distribution Practice without the paper.

Field workforce · mobile evidence

Inspection and sampling records signed in-app

Surveyors, sample takers, and compliance inspectors capture readings, photos, and timestamps inside the app. The Secure Enclave on iOS and the hardware-backed Keystore on Android sign each record at the moment of capture — same proof as a fixed sensor, same verifier.

What the record is built to satisfy.

Six EU frameworks Trustnex is designed to feed evidence into. These are not certifications we hold — they are the reporting regimes our records are shaped to satisfy.

CSRD

Corporate Sustainability Reporting Directive

Operational sustainability metrics with proof attached, ready for assurance providers.

CBAM

Carbon Border Adjustment Mechanism

Cross-border emissions reporting backed by per-measurement verifiable evidence, not a self-attestation.

DPP

Digital Product Passport

Origin, batch, and material records signed at every handover, attached to the product across its lifetime.

Verra VCS

Verified Carbon Standard

MRV evidence for carbon credit issuance — field measurements, baselines, and audit trails sealed at the moment of capture.

Food chain

Provenance & processing

Origin records, processing steps, and cold-chain events with the integrity assurance certifiers and retailers ask for.

Pharma GDP

Cold-chain integrity

Distribution-chain records aligned with Good Distribution Practice — temperature, handling, custody, all signed at the event.

These are not certifications Trustnex holds. They are the reporting regimes our records are shaped to support. Formal assurance happens through an accredited verifier — we are the evidence layer underneath.

What an auditor sees when they verify a record.

Verification happens on a dedicated portal at verify.trustnex.io. Auditors open scoped share-links your admin generates, then verify against the public ledger independently from us. The panel below is what they see.

Record verified
  • The reading itself Flow rate 4.82 L/s, recorded on 31 May 2026 at 14:22 UTC.
  • Who recorded it Signed by device gw-eu-7c2a4f91 at the moment of capture, with a key the device cannot copy.
  • That it hasn't been altered Sealed in a public record one minute later. An auditor checking this in a year — or after Trustnex shuts down — gets the same answer.
See a live anchor on Hedera

A real anchor from a pilot device on Hedera testnet. Opens on hashscan.io — third-party explorer, no Trustnex involvement on the verifying side.

Raw record · for developers
record_id7f3a1b94-9d2c-4a8e-b5f1-c4d8e2a7b71e
devicegw-eu-7c2a4f91
metricflow_rate_lps
value4.82
ts2026-05-31T14:22:08Z
ed25519_siga3f9c2d4…b71e
merkle_root8c4f9d7a3b2e…d2a1
ledger_ref0x4a2b8c1d…f93e
sealed_at2026-05-31T14:23:01Z

Verification is initiated by you, not by us. Admins generate scoped share-links and hand them to auditors — each link carries a token bound to a specific source or period. Every record is also mirrored to a customer-owned store, so the proof can be checked against the bundle and the public ledger directly — without calling Trustnex at all. If Trustnex disappears tomorrow, every record stays checkable from your mirror.

For Developers

Drop in the agent, post a measurement, hand the record ID to whoever asks.

The agent runs on any Linux device alongside your existing code. You POST a JSON payload to localhost; the agent signs with a hardware-backed key, batches into a Merkle tree, and anchors the root publicly. You get back a record ID anyone can resolve.

Drop in the agent

Linux binary, or an embedded library compiled into your firmware. Runs on Raspberry Pi, Nvidia Jetson, BeagleBone, mobile apps, STM32 / ESP32 / nRF microcontrollers. The signing key lives inside the hardware crypto element on the device — a secure element on embedded targets, the Secure Enclave on iOS, the hardware-backed Keystore on Android. It never exists in software memory and never leaves the chip.

Send a measurement

Speak whatever transport your stack already uses — HTTPS, gRPC, or MQTT. The agent canonicalises the payload, signs it, and queues it for the next Merkle batch.

Hand off the record ID

The recipient — auditor, regulator, buyer — fetches the Merkle path and the on-chain anchor and confirms the value end-to-end.

// Sign and anchor a single measurement
const res = await fetch('http://localhost:8082/v1/attest', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    metric: 'flow_rate_lps',
    value: 4.82,
    ts: '2026-05-31T14:22:08Z'
  })
});

// → { record_id, signature, merkle_path, chain_anchor }
Bindings
Go · Node.js · Python · Swift · Kotlin · C
Transports
HTTPS · gRPC · MQTT
Targets
Raspberry Pi · Nvidia Jetson · BeagleBone · iOS · Android · STM32 · ESP32 · nRF
Read the Docs →

Hand auditors a record ID, not another spreadsheet.

We onboard a small number of EU partners per quarter. Brief us on the use case and we will come back with the integration shape and timeline.

Request Early Access How it works
Get in touch

Talk to us — pilot, partnership, or a question.

A few fields, then we'll write back from a person — usually within two business days.

  • Onboarding a small number of EU partners per quarter
  • Replies from a person, not a queue
  • No newsletter, no follow-up sequence

Message received.

Thanks for writing — a person on our side will reply shortly, usually within two business days.