Platform Clearinghouse Mail Drive Cybersec Pricing
Every VPN claims no-logs. None prove it. This does.

The VPN industry runs on trust. Providers claim no-logs policies. Verification is periodic third-party audits — point-in-time snapshots. They verify what was true during the audit window. They cannot verify what happened last Tuesday, or what is happening right now. RAM-only servers are a hardware improvement — but still require trusting the operator between reboots.

What this solves
Continuous, user-verifiable session integrity

Every session produces a hash chain: sha256(prev_hash + canonical(event)). A new link every 5 seconds. At disconnect, the terminal hash from the server is compared to the client. Match = verified. Divergence = the exact link where tampering occurred is identifiable. This is not a periodic audit — it is continuous, per-session, and user-verifiable.

Session birth and death certificates

Every session produces SESSION_BIRTH (anchored at connect, recording jurisdiction, tunnel type, code hash) and SESSION_DEATH (at disconnect, recording both chain hashes, traffic totals, duration, disconnect reason) Merkle leaves. These are independently verifiable. No VPN provider produces cryptographic session certificates. The concept does not exist elsewhere.

DNS fidelity proofs

A separate DNS chain records every DNS query (hashed) during the session. This proves queries were not leaked, injected, or altered — a common VPN failure mode that current providers address through configuration, not cryptographic proof.

Code attestation

CODE_DEPLOYMENT leaves record the code hash, commit hash, and deployer identity. The client verifies the server's running code matches a specific deployment in the log. This answers the question no current VPN does: "what software am I actually connecting to?"

Tunnel-agnostic governance

This is not a VPN service — it is a governance protocol for any tunnel. Operators run WireGuard, OpenVPN, or any tunnel and integrate via the Counter Relay SDK. The governance layer produces the same proofs regardless of which tunnel carries the traffic. Infrastructure for tunnel operators, not a consumer VPN.

Business value

VPN operators: differentiation through verifiable honesty, not marketing claims about honesty. Enterprise network teams: compliance evidence that is continuous rather than periodic. DORA/NIS2 regulated industries: cryptographic operational accountability for network infrastructure — turns "we have a VPN" into "we have a provably accountable VPN." Commercial model: protocol licensing and SDK integration fees for tunnel operators who need to prove their claims.

Governed Sessions
Active attested tunnels
Attested Bytes
Chain-verified transfer
Audited DNS
Hash-chained queries

Quick Connect

Start a governed tunnel session. Every byte, every DNS query, every connection event is recorded in a cryptographic hash chain and anchored in a public transparency log. This isn't another VPN — it's provable accountability for the tunnel operator.

Active Sessions

Session History

Code Deployments

Every worker deployment is recorded in the transparency log with a CODE_DEPLOYMENT leaf.

Per-Session DNS Chain Audit

Each governed session records DNS queries in a separate hash chain. Auditors can independently verify that no DNS queries were leaked, injected, or redirected outside the tunnel.

Live DoH Test

Test encrypted DNS resolution through the governance-attested DNS proxy. Queries are hashed and chained for auditability.

Billing & Settlement

Metered governance billing. Usage is measured by governed sessions, attested bytes, and audited DNS queries — charged to the tunnel operator, not the end user.

Data Transferred
This billing period
Active Sessions
Current
DNS Queries
Encrypted queries
Identity: Tenant: Tier: Subscription: Billing Cycle: Monthly, metered usage Payment Method:

System Status

Infrastructure status for the governance protocol. These workers provide session attestation, chain integrity, DNS auditing, and transparency log anchoring.

Tunnel Worker
Session lifecycle, hash chains, DNS-over-HTTPS
Checking…
Protocol Worker
AGTS protocol, gate evaluation, Merkle proofs
Checking…
Key Registry
ECDH-P384 key management, identity
Checking…
Transparency Log
Merkle tree, STH, inclusion proofs
Checking…

Log STH

Tree Size: Root Hash:

Tamper Detection Demo

Proof that hash chain integrity catches data manipulation

This is what the user gets. A governed tunnel session produces a cryptographic hash chain — every link is sha256(prev_hash + canonical(event)). If the operator alters any record — bytes transferred, DNS queries, session metadata — the chain breaks and the exact point of tampering is provably identified. No trust required.

Activity Log

Deployment Readiness

Pre-flight checklist for governance protocol production readiness.

CF Access Identity
Infrastructure Workers
Transparency Log
Tunnel Worker
Billing Integration