The substrate
contradiction-preserving · evidence-first

donto × Palantir Gotham

donto and Gotham are solving the same problem — holding contested, multi-source, provenance-critical knowledge about the real world without destroying history — and they independently arrived at strikingly similar bones: per-datum source tethering, append-only revisioning, reversible entity merges, typed relationships, human-adjudicated conflict.

The deep difference is when each system resolves ambiguity. Gotham resolves typing at ingest (a curated ontology) and identity at assertion (a winner-based merge), and its UI presents one current truth. donto defers typing, alignment, and identity to query time and holds contradictions as first-class ranked state. Gotham’s genuinely superior dimensions are security — provenance that carries mandatory access control into every derived artifact — and Nexus Peering. Both already sit on donto’s roadmap as the Trust Kernel and federation; Gotham is fifteen years of field evidence that they are worth building.

Researched 2026-07-02 from Palantir documentation and APIs, the 2010 platform whitepaper, patents, the UK G-Cloud 14 service definition, and press coverage — 15 sources, cited inline.

01

Two systems, one problem

the framing

palantir gotham · 2008

The defense/intelligence platform: a curated Dynamic Ontology (objects, properties, relationships) over an append-only Revisioning Database, per-datum provenance and classification, federated search, link analysis, geospatial command-and-control, multi-instance replication. Deployed across the Five Eyes and NATO; in live battlefield use in Ukraine.[2][12]

Built when typed knowledge was scarce: humans and parsers produce it, the platform integrates, secures, and presents it as a common operating picture.

donto · 2025

The contradiction-preserving claim substrate: bitemporal, paraconsistent, evidence-first. Built for generative abundance — an LLM emits unbounded typed claims for fractions of a cent, so the scarce step flipped from generating knowledge to holding it. Typing, alignment, and identity defer to query time; reality re-ranks by standing instead of deletion.

The product is the trail: what was claimed, on what evidence, against what disagreement, with what standing — inspectable and time-travelable.

Gotham’s founding thesis — “the human mind is the most effective way to identify patterns in information while computers are the most effective way to manage enormous amounts of data”[1] — is donto’s I5 stated as strategy. The two systems disagree about almost nothing philosophically. They disagree about where the ambiguity lives.

02

The common bones

8 shared instincts

Structural features both systems independently converged on. Gotham built each of these by 2010; every one maps onto a donto invariant or first-class object.

Evidence-tethered data

gotham

“Each Property and Relationship can be sourced back to original document sources” (2010). Current docs: access restrictions apply “at the level of the individual attributes that describe an object”; Dossier snippets keep dynamic links to their source.[1]

donto

Invariant I1 — no claim without evidence or an explicit hypothesis flag. Every claim resolves fact → evidence_link → span → revision → content-addressed blob.

delta · Granularity: Gotham anchors to documents/records via analyst tagging; donto anchors every claim to a character span via the always-on citer — systematically, including LLM output.

Append-only revisioning

gotham

The Revisioning Database: every object is “a stack of cards,” each card one attribute change with who, when, security level, and source. Deletions are themselves revision cards.[1]

donto

Invariant I3 — no destructive overwrite. Retract/supersede close transaction time; the full prior belief state reconstructs with AS_OF. Same instinct, same Postgres substrate, built ~2008 there and ~2025 here.

delta · Gotham has the transaction-time half only. donto adds valid time — “what did we believe at T1 about time T2” is a query, not a timeline visualization.

Reversible identity

gotham

Object resolution merges records from different systems while “their independent histories are preserved … in case objects ever need to be un-resolved later,” with a clean unresolve API.[3]

donto

Invariant I8 — identity is a hypothesis, not a foreign key. Entities are never merged; “same referent” is a scored, reversible edge resolved per-lens (strict / likely / exploratory) at query time.

delta · Gotham picks a winnerObjectPrimaryKey and attaches new writes to it — identity is an asserted, reversible merge. donto holds it as a ranked hypothesis and never picks a winner at write time.

Human-machine symbiosis

gotham

Founding thesis: “the human mind is the most effective way to identify patterns in information while computers are the most effective way to manage enormous amounts of data.” Nexus-peering conflicts queue for human review; Video AI detections require analyst confirm/dismiss.[1]

donto

Invariant I5 — machine confidence is not maturity. Auto-promotion caps at E2; E3+ requires human review; proof obligations route exactly the judgment calls humans must make.

Analyst conjecture space

gotham

“Analysts are presented with a virtual private space in which to explore their conjectures which they can then ‘publish’ to the broader enterprise when they are ready.”[1]

donto

Context scopes — hypothesis, user_workspace, review_lens — are the same idea generalized: private claim-space is first-class, queryable, and publishable by context promotion.

Standing queries + alerting

gotham

Persistent searches “run constantly against the enterprise data store” (2010); today: search feeds, object watch feeds, geofence alerts, subscription channels in Inbox.[2]

donto

Detectors, the contradiction frontier, and obligation queues — standing epistemic queries over the claim stream.

Full audit trail

gotham

“All user and administrator interactions with the system and the use of information to which they have access are recorded in audit logs … configured to be tamper-evident.”[2]

donto

donto_audit + append-only event log covering writes, policy decisions, restricted reads, exports, release builds, review decisions.

Postgres underneath

gotham

RevDB runs on “Postgres or Oracle … as its primary customer data store,” with rebuildable secondary indexes in Elasticsearch/Postgres.[2]

donto

One donto-pg instance: 42M claims, FTS + trigram + pgvector as rebuildable secondary structure over the same primary store. Convergent architecture.

03

The fork

when ambiguity resolves

Every real divergence between the two systems reduces to one variable: the point in the pipeline where an open question — what type is this, which entity is this, which value is true, when — gets answered.

Where each system resolves ambiguity

| dimension | gotham resolves… | donto resolves… |
| --- | --- | --- |
| Typing / vocabulary | At ingest — admin-curated Dynamic Ontology; parsers map sources into approved types | At query — extractors freely mint predicates (~1M held); alignment closure folds them per-query |
| Entity identity | At assertion — winner-based reversible merge (object resolution) | At query — scored identity hypotheses resolved under a chosen lens; no merges ever |
| Contradiction | Socially — revision history + parallel analyst sandboxes; the UI shows one current value | Never forced — incompatible claims are co-true legal state, linked by typed argument edges, ranked by standing |
| Time | Transaction time only — per-attribute revision cards; world-time is data properties on timelines | Bitemporal — transaction time and valid time as query axes; AS_OF reconstruction of prior belief |
| Schema alignment | At integration — forward-deployed engineers write parsers per source | At read — typed, scoped, safety-flagged alignment edges applied by the query evaluator |
| Presented truth | One current operational picture (the COP/CIP is the product) | The trail — every claim with its evidence, disagreement, and standing (the trail is the product) |

Neither choice is free. Resolving early buys Gotham a clean operational picture and a security model that can be accredited — at the price of collapsed uncertainty and integration labor per source. Resolving late buys donto the ability to hold an unbounded contradictory firehose — at the price of query-time complexity and a standing model it must get right. The bet donto makes is that in the LLM era the firehose is non-negotiable, so late resolution is the only design that survives abundance.

04

What Gotham does better

the honesty section

Policy-carrying provenance — enforced

Mandatory access controls “propagate with data through provenance and lineage capabilities.” A dossier auto-classifies to the highest security level of its contents with optional redact-down; chat redacts per viewer; portion markings validate against CBAC rules per property. donto’s Trust Kernel (policy capsules, attestations, most-restrictive inheritance under I6) is the same design — present but unenforced. Gotham’s has carried TS/SCI workloads for 15+ years.[4]

Nexus Peering — multi-instance replication that exists

Full per-record history travels between instances, one- or two-way, partial or full, across different classification schemes (patented), tolerant of disconnected/low-bandwidth conditions, with auto-merge plus human conflict queues. donto federation is an M9 research spike. If donto federates, this is the proven reference design — and donto’s append-only claim model would federate more cleanly, since contradictory replicas need no resolving at all.[7]

Accredited security machinery

CBAC + RBAC + ABAC layered to per-property granularity, per-revision classification, discovery-vs-access permission split, IL2→IL6/TS-SCI accreditation, CNSSI 1253 / ICD 503 / NIST 800-53. donto has policy tables; Gotham has certifications.[8]

Operational application surface

Graph (link analysis with Search Around multi-hop), Gaia (geospatial C2 with ATAK integration), Video (FMV with AR overlays), Object Explorer (drill-down over millions of records), Dossier/Slides/Chat (classification-aware collaboration), Target Workbench. donto has admin dashboards and a nebula.[2]

Field maturity

In production since 2008 across the Five Eyes, NATO, and active war zones. Every one of donto’s shared instincts — source tethering, append-only history, reversible merges — is field-validated there at institutional scale.[12]

05

What donto has that Gotham lacks

the differentiators

Paraconsistency + argument structure

Gotham has no first-class contradiction object and no competing-hypotheses tooling: conflicts live in revision history and parallel sandboxes, and the UI shows a winner. donto holds incompatible claims as co-true state under I4, links them with typed argument edges (rebuts/undercuts/supports), and ranks them by standing ⟨maturity, corroboration, contradiction-pressure, recency⟩.

Bitemporal valid time

RevDB gives transaction-time history; there is no documented valid-time query axis. donto answers “what did we believe on June 1st about events of 1889” as a native query.
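The two time axes described above and under "Append-only revisioning", as an added example that is not donto's or Palantir's code. The `ClaimLog` class, its method names and the sample claims are constructed for illustration; a retraction is appended as its own event, so nothing is overwritten and any earlier belief state can be replayed.

```python
from datetime import date


class ClaimLog:
    """Append-only claim log with two time axes (illustrative names)."""

    def __init__(self):
        self._events = []  # only ever appended to; nothing is updated in place

    def assert_claim(self, tx, claim_id, subject, predicate, value,
                     valid_from, valid_to):
        body = (subject, predicate, value, valid_from, valid_to)
        self._events.append(("assert", tx, claim_id, body))

    def retract(self, tx, claim_id):
        # A retraction is itself a new event that closes transaction time.
        self._events.append(("retract", tx, claim_id, None))

    def as_of(self, tx, valid, subject, predicate):
        """Values believed at transaction time `tx` about world time `valid`."""
        live = {}
        # Stable sort keeps same-day events in insertion order.
        for kind, etx, cid, body in sorted(self._events, key=lambda e: e[1]):
            if etx > tx:
                break
            if kind == "assert":
                live[cid] = body
            else:
                live.pop(cid, None)
        return sorted(v for (s, p, v, vf, vt) in live.values()
                      if (s, p) == (subject, predicate) and vf <= valid <= vt)

    def event_count(self):
        return len(self._events)


def build_sample_log():
    # Constructed sample claims about an 1889 event, recorded in 2025.
    log = ClaimLog()
    y1889 = (date(1889, 1, 1), date(1889, 12, 31))
    log.assert_claim(date(2025, 5, 1), "c1", "mill-fire", "cause",
                     "lightning", *y1889)
    # A contradicting claim is stored alongside c1, not instead of it.
    log.assert_claim(date(2025, 5, 20), "c2", "mill-fire", "cause",
                     "arson", *y1889)
    log.retract(date(2025, 6, 10), "c1")
    return log
```

Querying the sample log as of 2025-06-01 returns both contradictory causes; as of 2025-07-01 only the unretracted one remains, while the log still holds all three events.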

Span-level evidence + the citer

Gotham tethers a datum to its source document. donto anchors every claim to the exact character span, through an always-on post-hoc citation stage that separates stated from interpreted — a structural hallucination filter Gotham has no analogue for.

Abundance-native vocabulary

Gotham’s ontology is the pre-abundance design: typing is the scarce, governed step, done by admins and forward-deployed engineers at ingest. donto is built for the LLM era — ~1M freely-minted predicates, emit-free at write time, aligned at read time. Gotham could not hold donto’s firehose without a re-architecture.

Machine-confidence discipline

The documented failure mode of Gotham deployments — algorithm-derived relationships “treated as fact and presented without caveat” (LAPD training material) — is precisely what I5 (machine confidence is not maturity) and the maturity ladder are designed to prevent.[10]

Open substrate, no forward-deployed engineers

Gotham is proprietary, bespoke per customer, and lock-in-prone in practice — the NYPD reportedly could not get its own analyses back in a usable format on exit. donto is a self-hostable substrate with SDKs generated from an OpenAPI contract, running whole on one 8-core box.[12]

06

Feature matrix

✓ has it · ◐ partial · — absent

Gotham scored against the same twelve-feature rubric as the full field comparison. Each verdict carries its justification.

Palantir Gotham — feature-by-feature verdicts

| feature | donto | gotham | justification |
| --- | --- | --- | --- |
| F1 Bitemporal state | | | RevDB “stack of cards” gives full per-attribute transaction-time history; no valid-time axis — world-time is just data properties visualized on timelines |
| F2 Contradiction-preserving | | | conflicting values coexist as revision cards and parallel analyst sandboxes, but the UI presents a winner — no co-true ranked state |
| F3 Typed argument edges | | | no argument model; replication conflicts go to a human adjudication queue |
| F4 Evidence anchoring | | | every property and relationship tethers to its source document — record/document granularity, not spans, and no unanchorable flagging |
| F5 Non-destructive revision | | | append-only revision cards (actor + time + security + source per change), but a hard-delete purge capability exists |
| F6 Schema-late vocabulary | | | the Dynamic Ontology is admin-curated and typed at ingest; “dynamic” means editable post-deployment, not emergent |
| F7 Query-time alignment | | | alignment is integration-time parser work by forward-deployed engineers |
| F8 Identity-as-hypothesis | | | object resolution is reversible with preserved sub-histories, but picks a “winner” record for writes — asserted merge, not scored hypothesis |
| F9 Claim standing | | | no maturity/corroboration ranking; documented critique: algorithm-derived links read as fact in the UI |
| F10 Hybrid retrieval + memory API | | | federated search across every integrated source + Search Around multi-hop graph queries; not a memory API, no MCP |
| F11 Verified LLM extraction | | | AI detections get human confirm/dismiss (Video app); no citation-verification stage |
| F12 Process provenance | | | per-revision actor/source/classification, and provenance carries mandatory access control into derivatives — exceeds donto here |

F12 is the one row Gotham outright wins: its process provenance is not just recorded but access-control-bearing. donto’s row carries the usual footnotes — F3’s argument density is still low and F9 is standing v1.

07

The record in practice

what 15 years in the field shows

Gotham’s documented failure modes are not security failures — they are epistemic ones, and each is an argument for the layer donto builds.

Uncertainty collapsed in the UI

LAPD training documents show system-derived relationships presented as fact, without caveat or confidence — the operational cost of having no standing model. Sarah Brayne’s fieldwork documents the resulting “where there’s smoke, there’s fire” self-fulfilling suspicion loops.[10]

The dragnet by construction

The leaked NCRIC manual shows a single plate or name fanning out to arrests, field interviews, plate-reader photo trails, and family networks in seconds. Per-datum ACLs govern who sees it; nothing governs what standing it has.[9]

Exit asymmetry

Marketing promises open export; the NYPD’s attempt to leave with its own analyses in a standardized format reportedly failed. A substrate you cannot leave with your own beliefs is a provenance system with one missing edge — the one pointing out.[12]

08

What donto should steal

5 imports

The “stack of cards” framing

Gotham’s per-attribute revision cards are the best UI metaphor ever shipped for append-only history. donto’s bitemporal scrubber should render exactly this: each claim a card carrying who/when/source/policy, shuffle-able along any axis.

Auto-classify derived artifacts

Any donto release, report, or export should compute to the most-restrictive policy of its inputs with explicit redact-down — I6 is already the rule; Gotham shows what enforcing it at the artifact layer looks like.

Search Around as a DontoQL verb

Gotham’s multi-hop “find links around this selection” is the single most-used analyst gesture. DontoQL wants it as a first-class clause over argument, identity, and evidence edges — not just entity links.

Conflict queues for federation

When federation arrives, Nexus Peering’s pattern — auto-merge what you can, queue the rest for humans, never lose either side — is the shape. donto’s advantage: contradictory replicas are already legal state, so the queue holds only identity and policy conflicts.

Discovery-vs-access permission split

Gotham distinguishes knowing a datum exists from reading it. donto’s policy capsules model actions richly but not this split; it matters for restricted genealogy and cultural-heritage material.
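A sketch of what "Auto-classify derived artifacts" and the discovery-vs-access split look like when enforced at the artifact layer, as an added example that is not donto's or Palantir's code. The linear marking scheme, the `Datum`/`Artifact` names, the `read_level`/`discover_level` fields and the sample dossier are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed linear marking scheme, least to most restrictive (assumption:
# real schemes add compartments and are not a simple total order).
LEVELS = ["PUBLIC", "INTERNAL", "RESTRICTED", "SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Datum:
    id: str
    text: str
    source: str          # provenance tether back to the originating record
    read_level: str      # clearance needed to read the content
    discover_level: str  # clearance needed to learn the datum exists at all


@dataclass(frozen=True)
class Artifact:
    title: str
    inputs: tuple

    @property
    def classification(self):
        # Derived from lineage, never set by hand: the most restrictive
        # marking among the inputs. An empty artifact gets the lowest level.
        return max((d.read_level for d in self.inputs),
                   key=RANK.__getitem__, default=LEVELS[0])


def render(artifact, clearance):
    """Per-viewer view: readable text, a placeholder, or nothing."""
    c = RANK[clearance]
    out = []
    for d in artifact.inputs:
        if c >= RANK[d.read_level]:
            out.append(f"{d.text} [{d.source}]")
        elif c >= RANK[d.discover_level]:
            # Discovery without access: existence is visible, content is not.
            out.append(f"[REDACTED {d.id}: requires {d.read_level}]")
        # Below discover_level the datum is omitted with no trace.
    return out


def redact_down(artifact, target):
    """Explicit redact-down: a new artifact holding only inputs at or below
    `target`, so its derived classification drops accordingly."""
    kept = tuple(d for d in artifact.inputs
                 if RANK[d.read_level] <= RANK[target])
    return Artifact(f"{artifact.title} ({target} release)", kept)


# Constructed sample data for illustration.
REPORT = Artifact("Vessel dossier", (
    Datum("d1", "Vessel arrived 2024-03-01", "port-log", "PUBLIC", "PUBLIC"),
    Datum("d2", "Owner is a shell company", "registry-extract",
          "RESTRICTED", "INTERNAL"),
    Datum("d3", "Informant places owner aboard", "field-report",
          "SECRET", "SECRET"),
))
```

Because the classification is a property computed from the inputs rather than a stored field, an export cannot be labelled lower than its lineage unless it goes through `redact_down`, which removes the offending inputs first.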

09

Synthesis

one paragraph

Gotham is what you build when integration and security are the hard problems and typed knowledge is scarce: curate the ontology, resolve identity at ingest, show analysts one current truth, and make provenance carry classification everywhere. donto is what you build when generation is abundant and the hard problem is holding an unbounded contradictory firehose: defer everything to query time, keep every incompatible claim, and let standing — evidence, corroboration, contradiction-pressure, recency — do the ranking. donto already has the epistemics Gotham lacks; Gotham has the two things donto hasn’t built, and both already exist in donto’s PRD as the Trust Kernel and federation. Read that way, Gotham is not a competitor so much as a fifteen-year field validation of donto’s roadmap — minus the one idea Gotham never had: that the disagreement itself is the data.

10

Sources

15 cited
  1. Palantir platform whitepaper (2010, via the HBGary email archive)

    The canonical early description: Dynamic Ontology, Revisioning Database, 'stack of cards', analyst conjecture spaces, Palantir Forward.

    https://wikileaks.org/hbgary-emails/fileid/4771/1679
  2. Palantir Gotham — UK G-Cloud 14 Service Definition Document (2024)

    The most complete current public description: apps (Browser, Graph, Gaia, Video, Dossier, Slides, Chat, Inbox, Object Explorer), security accreditations, Postgres/Oracle backend, hard-delete capability.

    https://assets.applytosupply.digitalmarketplace.service.gov.uk/g-cloud-14/documents/92736/801146272055049-service-definition-document-2024-11-26-1253.pdf
  3. Gotham API — object resolution basics

    Winner-based reversible merge with preserved sub-histories; unresolve re-partitions cleanly.

    https://www.palantir.com/docs/gotham/api/revdb-resources/resolution/resolution-basics
  4. Gotham docs — security overview

    Mandatory controls propagate with data through provenance and lineage; discretionary, attribute-based, and marking layers.

    https://www.palantir.com/docs/gotham/security/overview
  5. Gotham API overview

    RevDB resources, federated search, Target Workbench, observations/tracks, OAuth2.

    https://www.palantir.com/docs/gotham/api/general/overview/introduction
  6. US9589014B2 — Creating data in a data store using a dynamic ontology
    https://patents.google.com/patent/US9589014B2/en
  7. US20150261847 — Sharing information between nexuses with different classification schemes
    https://patents.google.com/patent/US20150261847
  8. Palantir for Secure Collaboration (brochure)

    Nexus Peering in DIL conditions; CBAC+RBAC+ABAC; auto-classification with redact-down.

    https://www.palantir.com/assets/xrfr7uokpv1b/4JWbqPQ8d6vYcNijOVqD0D/2857507783a328b6ddb6aef1ffc5fac4/Palantir_for_Secure_Collaboration__1_.pdf
  9. Vice — Palantir's top-secret user manual for cops (2019)

    Leaked NCRIC Gotham manual: entities/events/documents, person-search fan-out, ALPR radius search.

    https://www.vice.com/en/article/revealed-this-is-palantirs-top-secret-user-manual-for-cops/
  10. BuzzFeed News — LAPD Palantir training documents

    Algorithm-derived relationships 'treated as fact and presented without caveat.'

    https://www.buzzfeednews.com/article/carolinehaskins1/training-documents-palantir-lapd
  11. Golding Research — Inside Palantir Gotham

    Every link, merge, annotation recorded with source metadata; manual entity resolution as a gap; cost/lock-in analysis.

    https://goldingresearch.substack.com/p/inside-palantir-gotham
  12. Wikipedia — Palantir Technologies

    History, Ukraine use, AIP, MetaConstellation, Maven, NYPD exit dispute, predictive-policing controversies.

    https://en.wikipedia.org/wiki/Palantir_Technologies
  13. Foundry docs — enable Gotham integration (Type Mapping)
    https://www.palantir.com/docs/foundry/object-link-types/enable-gotham-integration
  14. Palantir — Synchronizing Distributed Data (Nexus Peering talk)
    https://www.youtube.com/watch?v=IX55r1WhUWM
  15. Gotham Python SDK — ObjectComponentSecurity model

    Per-property/media/link security mutation; portion markings validated against CBAC rules.

    https://github.com/palantir/gotham-platform-python/blob/develop/docs/v1/Gotham/models/ObjectComponentSecurity.md

Method: two parallel research passes on 2026-07-02 — donto’s inventory compiled from the canon, the substrate PRD, and the abundance report; Gotham researched across the sources above. Where a Gotham capability could not be verified it is scored down, not up. Palantir’s more sensitive workflows (targeting, fires, SIGINT) are explicitly excluded from its public documentation and therefore from this comparison.