Trusted Data Format

The Trusted Data Format (TDF) is the envelope that every protected object in Lattix is wrapped in. It is the contract that lets a data object travel across boundaries — between clouds, organizations, or user devices — without losing its policy, its cryptographic binding, or its audit linkage.

The envelope

A TDF object has two inseparable parts:

• A manifest: a structured JSON document that describes the envelope. It carries the policy reference, the wrapped data encryption key, the classification metadata, the assertion set, and the identifiers needed to locate the object's audit history.
• An encrypted payload: the actual data, encrypted under a per-object key with authenticated encryption. The ciphertext cannot be read without first obtaining the unwrapped key.

The manifest and payload can be packaged several ways — bundled together in a single archive, with the manifest pointing to a remote payload, or with the manifest embedded directly inside the data object. All approaches satisfy the same contract: the manifest and payload are cryptographically bound.

Why it matters

Every protection the platform provides is anchored in this envelope.

• The policy travels with the data. There is no separate policy store a consumer must consult. If the envelope exists, the rules governing access to it exist.
• Revocation is effective after the fact. Because every decryption requires a fresh policy evaluation against current context, revoking access today prevents future unwraps of objects that left your environment months ago.
• The audit trail is intrinsic. Every unwrap attempt — successful or not — produces a ledger record bound to the envelope identity.

Assertions

Beyond the policy reference, the manifest can carry cryptographically signed assertions — statements about the object's provenance, classification, or handling requirements. Assertions are produced at wrapping time by identified signers and carried alongside the payload. A consumer that unwraps the object can verify not only that the payload is intact but that the originally declared claims still hold.

Examples of assertions an organization might bind:

• The data object is the output of a specific build, tagged with the build's signed provenance record.
• The object was reviewed and approved for release by a named authority.
• The object is classified at a stated level and must be handled accordingly.

Standards alignment

The Lattix envelope implements the Trusted Data Format standard and remains compatible with published extensions for structured policy expression and classification marking. Where standards are still evolving — post-quantum envelope keys, richer assertion schemas — the platform tracks the specifications published by the relevant standards bodies rather than introducing proprietary variants.

Relationship to other concepts

• The manifest's policy reference is resolved by the Policy Decision Plane.
• The wrapped data encryption key is released by the Key Access Service only on a positive decision.
• Every unwrap event is recorded on the Immutable Ledger.
• The object's payload is identified in the content addressing system by its cryptographic hash — see Content Addressing.