Core Concepts

Trusted Data Format

The envelope that wraps every Lattix-protected object — manifest, encrypted payload, policy binding, and assertions.

The Trusted Data Format (TDF) is the envelope that every protected object in Lattix is wrapped in. It is the contract that lets a data object travel across boundaries — between clouds, organizations, or user devices — without losing its policy, its cryptographic binding, or its audit linkage.

The envelope

A TDF object has two inseparable parts:

  • A manifest: a structured JSON document that describes the envelope. It carries the policy reference, the wrapped data encryption key, the classification metadata, the assertion set, and the identifiers needed to locate the object's audit history.
  • An encrypted payload: the actual data, encrypted under a per-object key with authenticated encryption. The ciphertext cannot be read without first obtaining the unwrapped key.

[Figure: A TDF envelope: manifest and encrypted payload, cryptographically bound. ZTDF ENVELOPE. MANIFEST (JSON, signed; travels with the data): policy reference, wrapped DEK, KAS endpoint, classification tags, assertions[ ], payload CID, manifest signature. ENCRYPTED PAYLOAD (ciphertext, AEAD; key never in storage).]

The manifest and payload can be packaged several ways — bundled together in a single archive, with the manifest pointing to a remote payload, or with the manifest embedded directly inside the data object. All approaches satisfy the same contract: the manifest and payload are cryptographically bound.
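The binding contract described above, as an added example (not Lattix code and not the TDF schema): a consumer-side check that rejects an envelope whose payload or manifest was altered, run before any key unwrap is requested. The field names, the constructed sample envelope, and the use of HMAC-SHA256 as a stand-in for the manifest signature are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC-SHA256 stands in for the manifest signature
# scheme, which the page does not specify (assumption).
SIGNING_KEY = b"constructed-demo-signing-key"

def canonical(manifest: dict) -> bytes:
    """Deterministic bytes for every manifest field except the signature."""
    body = {k: v for k, v in manifest.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def seal(manifest: dict, ciphertext: bytes) -> dict:
    """Bind a manifest to a ciphertext: record its digest, then sign the manifest."""
    sealed = dict(manifest, payload_digest=hashlib.sha256(ciphertext).hexdigest())
    sealed["signature"] = hmac.new(SIGNING_KEY, canonical(sealed), hashlib.sha256).hexdigest()
    return sealed

def verify_binding(manifest: dict, ciphertext: bytes) -> str:
    """Return 'ok', 'bad-signature' or 'payload-mismatch'."""
    expected = hmac.new(SIGNING_KEY, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("signature", ""))):
        return "bad-signature"
    digest = hashlib.sha256(ciphertext).hexdigest()
    if not hmac.compare_digest(digest, str(manifest.get("payload_digest", ""))):
        return "payload-mismatch"
    return "ok"

# Constructed sample envelope; field names are hypothetical, not the Lattix schema.
CIPHERTEXT = bytes.fromhex("00112233445566778899aabbccddeeff")
MANIFEST = seal({"policy_ref": "policy/example", "wrapped_dek": "PLACEHOLDER",
                 "classification": "internal", "assertions": []}, CIPHERTEXT)

def demo() -> dict:
    """Exercise three outcomes: intact, swapped payload, edited policy reference."""
    swapped = CIPHERTEXT[:-1] + b"\x00"
    edited = dict(MANIFEST, policy_ref="policy/permissive")
    return {"intact": verify_binding(MANIFEST, CIPHERTEXT),
            "swapped_payload": verify_binding(MANIFEST, swapped),
            "edited_policy": verify_binding(edited, CIPHERTEXT)}

if __name__ == "__main__":
    print(demo())
```

Because the payload digest sits inside the signed portion of the manifest, neither half can be replaced independently without the check failing.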

Why it matters

Every protection the platform provides is anchored in this envelope.

  • The policy travels with the data. There is no separate policy store a consumer must consult. If the envelope exists, the rules governing access to it exist.
  • Revocation is effective after the fact. Because every decryption requires a fresh policy evaluation against current context, revoking access today prevents future unwraps of objects that left your environment months ago.
  • The audit trail is intrinsic. Every unwrap attempt — successful or not — produces a ledger record bound to the envelope identity.

Assertions

Beyond the policy reference, the manifest can carry cryptographically signed assertions — statements about the object's provenance, classification, or handling requirements. Assertions are produced at wrapping time by identified signers and carried alongside the payload. A consumer that unwraps the object can verify not only that the payload is intact but that the originally declared claims still hold.

Examples of assertions an organization might bind:

  • The data object is the output of a specific build, tagged with the build's signed provenance record.
  • The object was reviewed and approved for release by a named authority.
  • The object is classified at a stated level and must be handled accordingly.

Standards alignment

The Lattix envelope implements the Trusted Data Format standard and remains compatible with published extensions for structured policy expression and classification marking. Where standards are still evolving — post-quantum envelope keys, richer assertion schemas — the platform tracks the specifications published by the relevant standards bodies rather than introducing proprietary variants.

Relationship to other concepts