Every regulated firm runs on evidence. Most engineering teams produce none.
The system of record for engineering truth — cryptographically signed, deterministic audit evidence, generated automatically.
Built for Heads of Risk, CROs, CISOs, Directors of Risk Engineering, and audit-firm technologists at firms operating under SOC 2 Type II, ISO 27001, NYDFS Part 500, DORA, or SR 11-7. Déjà is building the cryptographic evidence custody infrastructure that regulated firms need and the market doesn't currently produce — deterministic Abstract Syntax Tree (AST) analysis, eight weighted scoring factors (W1–W8), Ed25519-signed receipts written to an immutable, append-only, tamper-evident ledger, signed at attribution and verifiable offline by your audit firm. No LLM. No probabilistic guessing. No hallucination at audit time. Verifiable by any audit firm with the open verifier CLI — KPMG, Deloitte, EY, PwC, BDO, Grant Thornton, or any independent firm; no Déjà account required. Not documentation. Not alerts. Evidence.
The insight · why this company exists
Regulated industries have a structural evidence problem.
Every compliance framework — SOC 2 Type II, ISO 27001, HIPAA, PCI-DSS, NYDFS Part 500, DORA, SR 11-7, FFIEC IT Examination, GDPR — asks the same fundamental question: can you prove that your systems behaved the way your controls claim they do? Auditors don't want to be convinced. They want to be shown. And what they want to be shown is evidence.
But the way most engineering teams produce evidence today is manual reconstruction at audit time. Someone opens Jira, exports tickets. Someone else copies Slack threads into a wiki page. A third person runs queries against production logs and pastes the results into Google Docs. The evidence exists, but it's scattered across systems, edited after the fact, and unverifiable.
"The audit trail your compliance team hands to auditors isn't evidence — it's a story told by humans about what they think happened. Déjà exists because that's not good enough for regulated industries, and it's getting worse as systems get more complex." — Déjà · incorporated 2024 · thesis 2025
The architectural insight behind Déjà is that evidence has to be produced at the moment the event occurs, not reconstructed afterward. A signed receipt issued when a production incident is causally attributed to a specific PR — and immutable after issuance — is fundamentally different from a postmortem written three days later. The first is evidence. The second is narration.
This sounds obvious in retrospect. It wasn't obvious in the tools that existed before. Every incident management platform on the market produces postmortems as its primary output. Postmortems are documents for humans. They're not evidence primitives. Déjà inverts that relationship: evidence is the output, and human-readable documentation is derived from it — not the other way around.
That inversion leads to everything else about Déjà. Cryptographically signed receipts instead of prose. Deterministic attribution instead of probabilistic LLM guessing. Open standards instead of proprietary formats. Offline verification instead of vendor dependence. Every design decision flows from the same architectural commitment: produce evidence at the source, and make it verifiable independent of the vendor.
Four principles · from insight to architecture
Principles that shape what we ship.
Principles are cheap. Commitments that constrain product decisions are not. Every principle here has a concrete manifestation — what Déjà actually does that proves the commitment isn't rhetorical.
Principle 01
Deterministic over probabilistic.
Probabilistic systems — LLM-powered postmortem suggestions, statistical correlation engines — are built on guesses that might be right most of the time. Regulated industries need answers that are right every time, or explicit acknowledgment when the system couldn't produce a definitive answer. Déjà issues high-confidence attribution receipts when the mechanism supports it, and exception receipts when it doesn't. No hallucinations. No "best guesses" that become audit liabilities.
Principle 02
Open over proprietary.
A closed evidence format means vendor lock-in — and for regulated industries, vendor lock-in is a governance risk, not just a commercial inconvenience. If the vendor disappears, is breached, or changes terms unfavorably, the evidence must still verify. Déjà publishes DSR/1.0 as an open specification under Apache-2.0, with a working group that includes customer representatives. Your evidence is interoperable, portable, and verifiable outside our systems.
Principle 03
Evidence over documentation.
Postmortems and incident reports are narration — prose written after the fact that describes what someone thinks happened. That's useful for learning. It is not evidence an auditor can verify. Déjà produces structured, signed receipts at the moment of attribution — evidence primitives that auditors can ingest directly, verify cryptographically, and trust independently. Documentation is derived from evidence. Not the other way around.
Principle 04
Standards over lock-in.
We'd rather be the company that defined an open standard than the only company selling a proprietary format. The Déjà commercial product exists because operating the infrastructure at scale requires dedicated engineering — but the specification itself is not the moat. If a competitor eventually adopts DSR/1.0, that's success: the category becomes evidence-first, which is the outcome we actually care about. Our job is to execute the standard better than alternatives, not to prevent alternatives from existing.
DSR/1.0 · The open standard
Déjà isn't building a product. We're building a standard.
DSR/1.0 — the Déjà Signed Receipt specification — defines the canonical format for cryptographically signed incident attribution evidence. It's published under Apache-2.0, maintained by a working group that includes Charter customers, and referenced in four patent applications covering the underlying attribution mechanism, the Schema Deduction Engine, and append-only ledger architecture.
The product Déjà sells is the infrastructure to produce, store, and serve DSR/1.0 receipts at scale. The standard itself is open. If DSR/1.0 becomes the default evidence format for regulated industries — including if other vendors adopt it — that's the outcome we want.
The team · building DSR/1.0 v1
Small, focused, deliberately so.
Déjà is a founder-led company with a small founding team. We're keeping the team deliberately small while we build the foundation — the spec, the product, the first Charter customers. Scaling the team comes after DSR/1.0 v1 ships and Charter cohort is seated.
headcount: 4
Where we are · status as of April 2026
Concrete milestones, concrete dates.
Early-stage companies often speak in aspirations. We prefer to speak in shipped artifacts. Here's where Déjà actually is, with actual dates.
snapshot: 2026-04-25
Dec 2025
Non-provisional CIP filed
Schema Deduction Engine non-provisional continuation-in-part (CIP) application 19/430,349 filed with the US Patent & Trademark Office. This is the non-provisional CIP — not the SDE provisional.
Filed
Mar 2026
CIP filed · patent family
Continuation-in-part filed covering cryptographic receipt generation and append-only ledger (Claims 25–31). Full patent family now spans four applications, with the Schema Deduction Engine provisional filed shortly after.
Filed
Apr 2026
Codebase audit · 9.7/10
Internal codebase health audit
Completed 12-section audit and remediation sprint. Resolved 20 OpenAI/LLM blockers, patched security vulnerabilities, achieved 9.7/10 codebase health.
Shipped
Now
Charter program · 0/15 seats
Founding customer program is open. 0 of 15 seats remaining. Charter customers shape DSR/1.0 v1 and hold working group seats.
Open
Q2 2026
Self-serve launch
Self-serve onboarding (Standard tier) launching from spec-complete to production. Package 01 in active build.
In progress
Q3 2026
SOC 2 Type II audit
Audit preparation in progress
Target date for SOC 2 Type II report. Audit engagement active. Full report available to customers under NDA on completion.
On track
Q4 2026
DSR/1.0 v1 ratified
First ratified version of the Déjà Signed Receipt specification. Published under Apache-2.0 with working group sign-off.
Target
2027
ISO 27001 + Enterprise
ISO 27001 certification and full Enterprise tier readiness including multi-vault deployment, custom retention, and dedicated CSM.
Planned
Why we built it this way
The architecture is the answer.
Every architectural choice in Déjà reflects a single conviction: audit evidence is not a thing you produce — it is a thing you preserve, cryptographically, at the moment it occurs. That conviction is why we chose deterministic over probabilistic, append-only over editable, offline-verifiable over vendor-trusted. The product's architecture is not a separate decision from the company's purpose; they are the same decision.
Proof of mechanism · why deterministic
Déjà is not an LLM wrapper. We chose a deterministic engine performing raw Abstract Syntax Tree (AST) analysis — with a Causal Confidence Score (CCS) computed from eight weighted scoring factors (W1–W8) — because evidence that depends on a probabilistic model cannot withstand an auditor asking "why this attribution and not the alternative?" Deterministic means reproducible. Reproducible means verifiable. Verifiable means defensible. No probabilistic guessing. No hallucination at audit time. Triggered via background webhook interception — silent on the merge, signed at the moment of attribution.
For the engineer · zero-friction
Zero-click compliance. Background webhook interception on every pull_request.merged. No manual screenshotting of Jira tickets. No audit-prep sprints at cycle time. The engineer should never have to think about compliance evidence — that's the architectural goal.
For the auditor · instant verification
Live Verifier via dsr-verifier-cli, Apache-2.0 open source. Independent Ed25519 signature verification, offline. No Déjà account required. No source code access required. The auditor verifies attribution, not the codebase. The verification logic is theirs to run, not ours to gate.
Why the company exists · vs. manual evidence
The company exists because manual evidence reconstruction is the default — and it is structurally broken. Based on Déjà's conversations with regulated-firm engineering teams, audit prep can consume multiple FTE-weeks per cycle reconstructing what nobody captured at the time — searching Slack for incident context, screenshotting Jira tickets, copying deployment logs into spreadsheets. The cost compounds across SOC 2 Type II, ISO 27001, NYDFS Part 500, DORA, and SR 11-7. The output is unsigned, unverifiable, and reconstructed under deadline pressure. That's the default we set out to eliminate.
Metric 1 · Engineering hours saved
Engineering time spent reconstructing evidence at audit cycles is reclaimed for product work.
Metric 2 · Audit risk reduced
Cryptographically verifiable, tamper-evident receipts eliminate the audit-finding category of "evidence reconstruction was manual."
Zero-trust principle · why we invest in the open standard
Receipts are independently verifiable. No implicit trust is required among Déjà, the customer, and the audit firm. The signature is the contract; the verifier is the proof; the append-only ledger is the chain. We invest in DSR/1.0 as an open standard precisely so this property survives Déjà — your evidence verifies offline forever, independent of whether we continue to exist. That is the property that defines audit-defensible evidence — and the property no other compliance category preserves.
Three ways to be part of this.
Different readers arrive here with different questions. Here are three paths — one commercial, one founding, one technical — depending on what you're evaluating.
Path 1 · Founding
Apply for Charter
15 founding customer seats · 0 remaining. Direct founder support. Permanent DSR/1.0 working group seat. Named founding partner. Founding pricing locked for life.
$30K / year · locked for life →
Path 2 · Commercial
Create your vault
Standard tier. 14-day trial. No credit card. Your vault starts building signed evidence from your first connected service.
Free trial · no card →
Path 3 · Technical
Read the DSR/1.0 spec
Open specification + CLI · Apache-2.0 · no account required. Evaluate the standard directly before evaluating the product.
Install the CLI →