Security architecture

Cryptographic auditability for spreadsheets that drive real money.

Bind sources. Anchor reviewer attestations in an append-only hash-chain ledger. Replay material drivers live through Excel. Export a tamper-evident certificate anyone can recompute — no install, no ModelxcelPro required.

The problem

Most spreadsheets supporting real decisions can't be trusted six months later.

Public studies have estimated material errors in 88-94% of non-trivial spreadsheets. The error rate isn't the only problem — the bigger one is that nobody can prove which inputs and formulas drove the number a reviewer signed off on.

Today

The trust gap

  1. Junior builds the model. Inputs come from "wherever."
  2. Senior reviews and emails approval. Where? Inbox. How? Recall.
  3. The deal closes. Model goes in a folder.
  4. Six months later — a value moved. Why? Nobody knows.

With Proof

Evidence travels with the file

  1. Inputs are bound — SHA-256 of every source is pinned.
  2. Formulas are attested — every record chains to the prior one in a tamper-evident ledger.
  3. The ledger ships with the workbook in custom XML; the certificate exports alongside.
  4. Six months later, =WhyThisNumber() answers it.

Three primitives

Bind. Sign. Verify.

Every part of the system reduces to one of these three operations. Replay is a fourth, derived from the others.

01

Bind

Pin every input to its source.

  1. Reviewer selects an input cell or vector and clicks Bind Source.
  2. The source contents are hashed with SHA-256.
  3. The hash + URI go in the workbook custom XML part causality:bindings.
  4. If the source ever changes, the hash mismatch surfaces as drift.

02

Sign

Attest a formula or block.

  1. Reviewer selects a cell or contiguous block sharing one R1C1 formula.
  2. The canonical record is hashed with SHA-256 and chained to the prior ledger entry.
  3. The ledger’s head hash is recomputed; the workbook’s custom XML stores the new head.
  4. Pasted-over or R1C1-divergent edits surface as drift on next verify — the chain doesn’t lie about what it covered.

03

Verify

Recompute, replay, report.

  1. Bulk re-read every bound input via Excel interop; recompute hashes.
  2. Replay every signed formula to its current value; compare to last signed state.
  3. Append counter-records for any scope that has drifted.
  4. Generate Proof Coverage: % bound + % signed across the workbook.

The fourth primitive

Replay Proof: when a number moved, prove why.

Replay is what makes Proof useful in audit and FP&A workflows. The reviewer points at any output that has changed since the last attested state, and ModelxcelPro replays the material drivers through live Excel; for .mxreplay exports it also emits an Ed25519-signed envelope that any auditor can verify with the shipped Node CLI, no install required.

What you get

  • The full causal chain that fed the output, with each step’s before/after value — replayed live through Excel, not simulated. Actual formulas, UDFs, and named ranges executing in a temp copy of the baseline workbook.
  • Up to 8 ranked drivers, each with a per-driver dependency path from input to output and a per-driver trust status (vector fresh/broken, block signed/broken, bound, no record).
  • The list of bound inputs whose source SHA-256 changed since last verify; the list of attested formulas whose R1C1 has drifted.
  • Two layers of integrity. Every export is a tamper-evident SHA-256 self-hash over the canonicalized certificate JSON, anchored to the workbook ledger head. .mxreplay exports also write a sibling .mxreplay.signed envelope with a real Ed25519 asymmetric signature (BouncyCastle Ed25519Signer) over the canonical certificate plus envelope metadata. The public key is embedded in the envelope. Per-user keypair, private key sealed with DPAPI in %APPDATA%\\ModelxcelPro\\keys\\.
  • A standalone Node verifier in the shipped repo at tools/verify-replay/verify-replay.js — zero npm dependencies, uses Node’s stdlib crypto. Any auditor can run it against any .mxreplay.signed envelope without installing ModelxcelPro: rejects duplicate top-level keys, checks algorithm/canonicalization/version, recomputes the keyId, reconstructs the signed payload, and verifies the Ed25519 signature.
  • An external artifact (.mxreplay JSON paired with the signed envelope, or optional XLSX / PDF) that travels with the workpaper. Issuance writes a CertificateIssued record back into the workbook ledger so the audit trail captures every export.

What this verification does and doesn’t prove. The Ed25519 signature proves the envelope was signed by the private key matching the embedded public key. It does not prove that public key belongs to a trusted reviewer or organization, and it does not check revocation. Public-key trust, organizational identity binding, and revocation are the future enterprise layer; what we ship today is honest cryptographic integrity for the artifact, plus a verifier the receiving party can run against it.

The formal model-audit question. A formal model audit can produce a signed opinion letter, an external liability framework, and a full consulting engagement. Replay Proof does not replace that liability transfer. It is the desktop evidence layer that runs between formal audit events, with a signed artifact the auditor can verify themselves.

The Microsoft question. Excel’s native digital signatures sign the file: “you were the last person to make changes.” Replay Proof signs the derivation: why the number is what it is. File integrity vs cell-level causal evidence — both real, different jobs.

The inspection surface

TrustLens connects formula inspection to proof state.

Proof is invisible until you have a place to look at it. TrustLens is that place. Reachable from six entry points across the product — Worksheet Map peek, Cell Search right-click, Compare delta drill-in, Formula Explorer purple button, Ribbon, Ctrl+Shift+I — every node shows live proof state with per-node badges (Bound / Stale / Signed / Vector / Tampered). The Path tab is full counterfactual reasoning: which IF branch fires today, what would flip it, which IFERROR fallback caught the error, which SUMIFS criteria pair matched.

Worksheet Map peeks. Cell Search drills. Compare delta opens. Formula Explorer hands off. Every analysis path on the moat ends in the same workbench — with the same Proof tab, the same drift detection, the same evidence-path timeline. The ledger isn’t a separate report you have to open; it’s the layer underneath every cell you inspect.

The ledger

An append-only chain inside the workbook.

Every Bind, Sign, and Verify writes one record to causality:bindings. Each record’s hash includes the prior record’s hash — reordering or tampering invalidates the chain.

Verify Ledger recomputes the chain locally. If anyone has edited the XML by hand or tools have stripped a record, the head hash won’t match and the verdict is tampered.

Sample envelope + verifier

What you actually hand off.

A signed JSON envelope (.mxreplay.signed) carrying the canonical replay certificate, the Ed25519 signature, the embedded public key, and metadata. Below is a redacted example. The shipped Node verifier runs locally — no ModelxcelPro install, no npm install required.

sample.mxreplay.signed
{
  "algorithm": "Ed25519",
  "canonicalization": "modelxcelpro.replay.canonical/v1",
  "envelopeVersion": 1,
  "keyId": "5f2c8e1a3b4d7090",
  "publicKey": "MCowBQYDK2VwAyEA…GtXz4",
  "signature": "5c1f…a3e9",
  "signedAt": "2026-05-10T14:22:08Z",
  "signedBy": "ana@modelxcel.com",
  "certificate": {
    "schema": "modelxcelpro.replay.certificate/v1",
    "output": { "address": "Outputs!B12", "before": 412800000, "after": 410200000 },
    "drivers": [
      { "address": "Inputs!C7", "claim": "Revenue growth assumption", "contribution": -2100000 },
      { "address": "Inputs!C9", "claim": "Working-capital days", "contribution": -500000 }
    ],
    "ledgerHead": "0x8f92…b401",
    "issuedAt": "2026-05-10T14:22:08Z",
    "certificateHash": "d3a8c…0f12"
  }
}
verify-replay.js
# Verify a ModelxcelPro Replay Proof signed envelope from the command line
# Requires: Node 20+ (no npm install — uses Node's built-in crypto)
# Verifier is shipped in the ModelxcelPro repo at tools/verify-replay/verify-replay.js

node tools/verify-replay/verify-replay.js sample.mxreplay.signed

# Output:
#   [verify-replay] algorithm: Ed25519
#   [verify-replay] verified: true

# What it does:
#   1. Rejects duplicate top-level keys in the envelope
#   2. Checks algorithm/canonicalization/envelope version match the spec
#   3. Recomputes keyId = SHA-256(publicKey)[0:16] and confirms it matches
#   4. Reconstructs the signed payload bytes per the canonicalization spec
#   5. Verifies the Ed25519 signature against the embedded public key

The verifier is shipped in the ModelxcelPro repo at tools/verify-replay/verify-replay.js — zero npm dependencies, uses Node’s built-in crypto. A committed sample tools/verify-replay/sample.mxreplay.signed demonstrates the round-trip. Replace it with any real .mxreplay.signed from a signed workbook export and the same script verifies it the same way.

What this means for

Three takes on the same artifact.

Auditors

The certificate that tick-marks itself.

Recompute, reperformance, vouch — the three things audit standards (PCAOB AS 2315) ask you to do, baked into a verifiable artifact. Proof Coverage gives a defensible % bound / % attested metric. Verify Ledger detects tampering or reordering by recomputing the hash chain — not heuristic. The certificate attaches to the workpaper as evidence that survives discovery and email handoff.

CFOs

Confidence in the number you sign off on.

When forecasted EBITDA moved between Tuesday’s board pre-read and Thursday’s actual board meeting, you don’t guess which assumption changed. =WhyThisNumber() answers it before the meeting starts.

Modelers

Hand off the model and your reputation with it.

Sign Block once for the output region, export the certificate, attach it to the deal folder. Five years later, when someone asks why a sculpted DSCR row says what it says, the signed proof chain is still in the workbook.

Technical FAQ

The 10 questions sophisticated buyers ask.

  1. Which cryptographic primitives does Proof use?

    Source snapshots are pinned with SHA-256. Reviewer attestations are canonical records ({address, formulaR1C1, value, timestamp, reviewer}) appended to a hash-chained ledger; each entry’s hash includes the prior entry’s — standard Merkle-style tamper detection. Replay certificates carry a SHA-256 self-hash over their canonicalized JSON. Replay Proof .mxreplay exports also write a sibling .mxreplay.signed envelope with a real Ed25519 asymmetric signature (BouncyCastle Ed25519Signer) over the canonical certificate plus envelope metadata; the public key is embedded in the envelope so a third party can verify without ModelxcelPro installed. Sign Cell, Sign Block, and Export Proof Certificate use the hash-chain layer only — Ed25519 reviewer-identity signatures across those flows are a future enterprise layer.
  2. Where does the ledger live?

    Inside the workbook itself, in a custom XML part named causality:bindings. The file remains a normal .xlsx — you can email it, share it on OneDrive, or commit it to git, and the proof history travels with it. No external database. No vendor lock-in.
  3. What happens if someone copies a signed cell?

    The signature covers the canonical R1C1 form of the formula plus the cell address. Copying a signed formula to a new address breaks the signature on the new cell and leaves the original intact. Verify Ledger flags both.
  4. How is the ledger integrity protected?

    Every ledger record’s hash incorporates the prior record’s hash, forming an append-only chain anchored in the workbook custom XML part causality:bindings. Any mid-chain edit changes every subsequent hash; the head hash recorded on disk no longer matches what Verify Ledger recomputes. Tampering, reordering, and strip-and-replace attacks all surface as a head-hash mismatch. Replay Proof .mxreplay.signed envelopes already bind a real Ed25519 asymmetric signature to the certificate (so a stranger with the embedded public key can confirm the envelope was signed by the matching private key); extending the same Ed25519 layer to Sign Cell / Sign Block ledger records is a future enterprise feature.
  5. What's the performance impact?

    Smart Format and Verify Workbook are bulk-interop operations designed for practical workbook-scale use; heavier PF models naturally do more work than small IB / FP&A models. Bind Source and Sign Cell are lightweight single-cell operations. The Causality ledger stays small even on heavily-bound models.
  6. Can I verify a Proof certificate without ModelxcelPro?

    Yes — two paths depending on the artifact. Bare certificates (the SHA-256 self-hash layer) can be verified by any tool that computes SHA-256 (Node’s built-in crypto, OpenSSL, Python hashlib) — recompute the hash over the canonicalized payload and compare. For Replay Proof .mxreplay.signed envelopes, ModelxcelPro ships a zero-dependency Node verifier at tools/verify-replay/verify-replay.js that uses Node’s stdlib crypto to validate the Ed25519 signature against the embedded public key — no npm install, no ModelxcelPro install, just Node 20+. Verification proves the envelope was signed by the private key matching the embedded public key; whether that public key belongs to a trusted reviewer is an organizational trust question this layer intentionally doesn’t solve.
  7. How does this survive copy/paste from another sheet?

    Pasted formulas arrive without prior signatures. Pasted values arrive without source bindings. Both show up as unbound in Why This Number until the reviewer re-binds (for inputs) or re-signs (for formulas). Drift is the visible state, not a hidden one.
  8. What if the underlying input source URL goes away?

    The original SHA-256 hash is preserved. New verifications fail with a clear "source unreachable" verdict, but historical signatures remain valid. We recommend pinning to canonical sources (regulator pages, SharePoint paths, internal data catalogs) rather than arbitrary web URLs.
  9. Is the algorithm publicly specified?

    Yes. The wire format and ledger schema are documented at docs.modelxcel.com/security/spec (live with M5). Until then, the source files are ModelxcelPro.Core/Services/Causality/* in the desktop add-in repo.
  10. Does this work alongside other Excel add-ins?

    Yes. ModelxcelPro is a separate ribbon tab that doesn’t touch other add-ins’ shortcuts or ribbon groups. Smart Format, Sign Cell, and Proof actions stay in ModelxcelPro workflows.