When you switch AI providers, your context stays -- because you own it and it never lived inside their model.
Siri can act. Mandaire knows what it should act on, why, and what is safe to disclose.
A cross-provider context layer on three layers. Raw data comes in at the bottom, encrypted synthesis lives in the middle, and any AI reads from the top via a standard protocol. Nothing proprietary between your sources and your AI.
The architecture is designed so that the AI layer is replaceable. Claude, ChatGPT, and Gemini sit above a single synthesis layer that any of them can read. You are not locked to a provider because your context is not stored inside a provider.
The AI you already use. Reads Mandaire via MCP. Uses your context to answer better questions. Replaced without losing your data.
Your sources are resolved into a personal knowledge graph: how each person relates to you, what context you share, what your history suggests is appropriate to surface, and which claims from that history are reliable enough to act on. Encrypted at rest. Key derivation on your device is the goal: once built, only you hold the decryption key.
Gmail, iMessage, WhatsApp, Calendar, Apple Notes, AI conversation history from every provider. Minimum OAuth scopes. No writes upstream. You see exactly what we hold about you and can revoke any source at any time.
Each layer can be understood independently. If you want to know which sources Mandaire can read, that is the data layer. If you want to understand how encryption works, that is the synthesis layer. If you want to know how Claude connects to Mandaire, that is the AI layer. The full specification for each is at mandaire.org.
The sources Mandaire ingests are the ones the major AI providers structurally cannot reach. Apple-walled-garden data, cross-platform messaging, and AI conversation history from providers other than the one you are asking right now.
All access is read-only. Mandaire requests the minimum OAuth scopes needed to build your graph. You can revoke any source from your account settings and the corresponding data is removed from the index. The raw source data does not persist; only the encrypted synthesis does.
The sources list grows. The architecture is source-agnostic: a connector reads a source, normalises it into the entity and relationship model, and encrypts the result. Adding a new source does not change the AI layer or the synthesis layer. It adds a new input to the bottom.
Mandaire exposes a standard MCP server. MCP (Model Context Protocol) is an open protocol designed for AI providers to connect to external data sources. It is the same mechanism the AI providers use to connect to web search, GitHub, Notion, and similar services.
The connection is one URL and an OAuth handshake. You add Mandaire to Claude the same way you would add any other connector.
Same server. Same connection. Whichever AI you use, the context is identical. Switching AI providers does not require migrating your Mandaire data.
The MCP server exposes tools for searching your history, looking up people and their context, retrieving calendar information, and drafting in your voice. Read tools are always available. Write tools (send email, add calendar event) require your explicit authorization per action type and your confirmation on each individual action before it fires.
The protocol is open and documented. If another AI provider supports MCP, connecting to Mandaire requires no change on Mandaire's side.
The encryption model is designed around one principle: we should be architecturally unable to read your data even if compelled to. The full cryptographic architecture that achieves this is not yet complete. What is true today, and what we are building toward, is described below.
As we build toward full cryptographic privacy, we are implementing key-derivation architecture designed to make it impossible for anyone, including us, to read your data. The destination: key derivation on your device, ciphertext only reaching our infrastructure, so a legal demand produces only encrypted data we cannot read.
The intended end state: if you forget your password, your data is gone. We will not be able to recover it. A system that can recover your data for you is a system that holds your key. That is the architecture we are building away from.
The synthesis layer holds a personal knowledge graph. For every person in your corpus, the graph captures what the raw data reveals: how each person relates to you, what context you share, what your history suggests is appropriate to surface, and which claims from that history are reliable enough to act on. The AI queries the graph. Today, the raw source corpus is also retained locally on your server, inside the same trust boundary, to power live retrieval. The destination: raw source discarded after synthesis, only the encrypted graph retained, with key derivation on your device.
The full cryptographic specification, including key derivation function, cipher choice, and threat model, is documented at mandaire.org. Mandaire uses widely-audited open-source encryption libraries: Matrix Olm and Megolm for E2E messaging, the Python cryptography library for key operations, whose security properties can be verified independently of Mandaire.
The architecture handles not just what one person knows, but what two people can share with each other through their respective Mandaire instances. This is the disclosure layer: the rules that govern what leaves your encrypted store and in what form.
Disclosure is not binary. It is not "share everything" or "share nothing." Each disclosure is defined by who receives it, on what topic, in what context, through which surface. A conversation between two people is not a conversation between two companies. A deterministic gate enforces this boundary at the corpus access layer today, fail-closed: blocked categories are blocked before any data reaches the renderer LLM. Per-audience disclosure intelligence is live; the adaptive inference rules that calibrate per-topic policy are in shadow evaluation, generating decisions that are logged and reviewed before enforcement promotes them. The full per-tuple user-authored policy graph is in development.
This is the part of the architecture that has no equivalent in any current AI product. Single-provider memory systems are built for one person and one AI. They have no mechanism for mediated information exchange between people with different providers, different trust levels, and different topic-context-surface combinations. The architecture for that is documented fully at mandaire.org.
Mandaire is designed for users who want their personal data to remain within a legal and physical perimeter they control. The encrypted store runs on hardware you specify, under jurisdiction you choose. For users in the European Union, this means your personal data does not leave EU-hosted infrastructure by default. For users anywhere, the goal is that a government request to Mandaire produces only encrypted data we cannot read, an architectural property we are actively building toward.
The GDPR definition of a data controller applies to Mandaire: you are the data subject, and the system is operated on your behalf. Your information is not processed for advertising, model training, or any purpose beyond the specific synthesis tasks you invoke. The full data-controller obligations, including subject-access request handling and right-to-erasure mechanics, are documented at mandaire.org.
This is a structural goal, not a current deployed state. We are building toward an architecture where key derivation happens on your device and we do not hold the key. The intended destination: an acquisition of Mandaire, a hostile subpoena, or a hosting-provider breach all produce the same result. The data is yours, and no one else can read it without your key.
Two regulatory deadlines arrive in 2026 for AI products that centralize personal context.
Colorado's AI Act (SB 24-205) takes effect June 30, 2026. It requires deployers of high-risk AI systems to conduct algorithmic impact assessments, disclose AI use to affected individuals, implement risk management policies, and notify the state attorney general. The law targets systems that make or substantially inform consequential decisions about individuals. Mandaire's architecture is designed to place the user in direct ownership and control of the context layer. No centralized decision engine operates over a population of users.
The EU AI Act's Commission enforcement powers for general-purpose AI model providers activate August 2, 2026, with penalties of up to 15 million euros or 3 percent of global annual turnover. The underlying GPAI obligations have been in force since August 2025; August 2026 is when supervisory and enforcement authority begins. Mandaire is not a general-purpose AI model provider. It does not train or deploy a foundation model. The underlying model is provided by whichever AI vendor the user subscribes to. Mandaire's BYO-LLM architecture minimizes direct GPAI exposure compared to cloud-AI products that bundle a proprietary foundation model into the personal-context layer.
Neither of the above is a compliance certification. The full regulatory posture, including how Mandaire handles subject-access requests, impact assessments, and transparency obligations, is documented at mandaire.org.
This page describes the architecture at a level appropriate for a general technical reader. The complete specification, threat models, stated bets, and the charter that governs every architectural decision are at mandaire.org.
If anything on this page conflicts with what is written there, mandaire.org is right.
Read the full charter