donto × Palantir Gotham
donto and Gotham are solving the same problem — holding contested, multi-source, provenance-critical knowledge about the real world without destroying history — and they independently arrived at strikingly similar bones: per-datum source tethering, append-only revisioning, reversible entity merges, typed relationships, human-adjudicated conflict.
The deep difference is when each system resolves ambiguity. Gotham resolves typing at ingest (a curated ontology) and identity at assertion (a winner-based merge), and its UI presents one current truth. donto defers typing, alignment, and identity to query time and holds contradictions as first-class ranked state. Gotham’s genuinely superior dimensions are security — provenance that carries mandatory access control into every derived artifact — and Nexus Peering. Both already sit on donto’s roadmap as the Trust Kernel and federation; Gotham is fifteen years of field evidence that they are worth building.
Researched 2026-07-02 from Palantir documentation and APIs, the 2010 platform whitepaper, patents, the UK G-Cloud 14 service definition, and press coverage — 15 sources, cited inline.
Two systems, one problem
The defense/intelligence platform: a curated Dynamic Ontology (objects, properties, relationships) over an append-only Revisioning Database, per-datum provenance and classification, federated search, link analysis, geospatial command-and-control, multi-instance replication. Deployed across the Five Eyes and NATO; in live battlefield use in Ukraine.[2][12]
Built when typed knowledge was scarce: humans and parsers produce it, the platform integrates, secures, and presents it as a common operating picture.
The contradiction-preserving claim substrate: bitemporal, paraconsistent, evidence-first. Built for generative abundance — an LLM emits unbounded typed claims for fractions of a cent, so the scarce step flipped from generating knowledge to holding it. Typing, alignment, and identity defer to query time; reality re-ranks by standing instead of deletion.
The product is the trail: what was claimed, on what evidence, against what disagreement, with what standing — inspectable and time-travelable.
Gotham’s founding thesis — “the human mind is the most effective way to identify patterns in information while computers are the most effective way to manage enormous amounts of data”[1] — is donto’s I5 stated as strategy. The two systems disagree about almost nothing philosophically. They disagree about where the ambiguity lives.
The common bones
Structural features both systems independently converged on. Gotham built each of these by 2010; every one maps onto a donto invariant or first-class object.
Evidence-tethered data
“Each Property and Relationship can be sourced back to original document sources” (2010). Current docs: access restrictions apply “at the level of the individual attributes that describe an object”; Dossier snippets keep dynamic links to their source.[1]
Invariant I1 — no claim without evidence or an explicit hypothesis flag. Every claim resolves fact → evidence_link → span → revision → content-addressed blob.
delta · Granularity: Gotham anchors to documents/records via analyst tagging; donto anchors every claim to a character span via the always-on citer — systematically, including LLM output.
Append-only revisioning
The Revisioning Database: every object is “a stack of cards,” each card one attribute change with who, when, security level, and source. Deletions are themselves revision cards.[1]
Invariant I3 — no destructive overwrite. Retract/supersede close transaction time; the full prior belief state reconstructs with AS_OF. Same instinct, same Postgres substrate, built ~2008 there and ~2025 here.
delta · Gotham has the transaction-time half only. donto adds valid time — “what did we believe at T1 about time T2” is a query, not a timeline visualization.
Reversible identity
Object resolution merges records from different systems while “their independent histories are preserved … in case objects ever need to be un-resolved later,” with a clean unresolve API.[3]
Invariant I8 — identity is a hypothesis, not a foreign key. Entities are never merged; “same referent” is a scored, reversible edge resolved per-lens (strict / likely / exploratory) at query time.
delta · Gotham picks a winnerObjectPrimaryKey and attaches new writes to it — identity is an asserted, reversible merge. donto holds it as a ranked hypothesis and never picks a winner at write time.
Human-machine symbiosis
Founding thesis: “the human mind is the most effective way to identify patterns in information while computers are the most effective way to manage enormous amounts of data.” Nexus-peering conflicts queue for human review; Video AI detections require analyst confirm/dismiss.[1]
Invariant I5 — machine confidence is not maturity. Auto-promotion caps at E2; E3+ requires human review; proof obligations route exactly the judgment calls humans must make.
Analyst conjecture space
“Analysts are presented with a virtual private space in which to explore their conjectures which they can then ‘publish’ to the broader enterprise when they are ready.”[1]
Context scopes — hypothesis, user_workspace, review_lens — are the same idea generalized: private claim-space is first-class, queryable, and publishable by context promotion.
Standing queries + alerting
Persistent searches “run constantly against the enterprise data store” (2010); today: search feeds, object watch feeds, geofence alerts, subscription channels in Inbox.[2]
Detectors, the contradiction frontier, and obligation queues — standing epistemic queries over the claim stream.
Full audit trail
“All user and administrator interactions with the system and the use of information to which they have access are recorded in audit logs … configured to be tamper-evident.”[2]
donto_audit + append-only event log covering writes, policy decisions, restricted reads, exports, release builds, review decisions.
Postgres underneath
RevDB runs on “Postgres or Oracle … as its primary customer data store,” with rebuildable secondary indexes in Elasticsearch/Postgres.[2]
One donto-pg instance: 42M claims, FTS + trigram + pgvector as rebuildable secondary structure over the same primary store. Convergent architecture.
The fork
Every real divergence between the two systems reduces to one variable: the point in the pipeline where an open question — what type is this, which entity is this, which value is true, when — gets answered.
| dimension | gotham resolves… | donto resolves… |
|---|---|---|
| Typing / vocabulary | At ingest — admin-curated Dynamic Ontology; parsers map sources into approved types | At query — extractors freely mint predicates (~1M held); alignment closure folds them per-query |
| Entity identity | At assertion — winner-based reversible merge (object resolution) | At query — scored identity hypotheses resolved under a chosen lens; no merges ever |
| Contradiction | Socially — revision history + parallel analyst sandboxes; the UI shows one current value | Never forced — incompatible claims are co-true legal state, linked by typed argument edges, ranked by standing |
| Time | Transaction time only — per-attribute revision cards; world-time is data properties on timelines | Bitemporal — transaction time and valid time as query axes; AS_OF reconstruction of prior belief |
| Schema alignment | At integration — forward-deployed engineers write parsers per source | At read — typed, scoped, safety-flagged alignment edges applied by the query evaluator |
| Presented truth | One current operational picture (the COP/CIP is the product) | The trail — every claim with its evidence, disagreement, and standing (the trail is the product) |
Neither choice is free. Resolving early buys Gotham a clean operational picture and a security model that can be accredited — at the price of collapsed uncertainty and integration labor per source. Resolving late buys donto the ability to hold an unbounded contradictory firehose — at the price of query-time complexity and a standing model it must get right. The bet donto makes is that in the LLM era the firehose is non-negotiable, so late resolution is the only design that survives abundance.
What Gotham does better
Mandatory access controls “propagate with data through provenance and lineage capabilities.” A dossier auto-classifies to the highest security level of its contents with optional redact-down; chat redacts per viewer; portion markings validate against CBAC rules per property. donto’s Trust Kernel (policy capsules, attestations, most-restrictive inheritance under I6) is the same design — present but unenforced. Gotham’s has carried TS/SCI workloads for 15+ years.[4]
Full per-record history travels between instances, one- or two-way, partial or full, across different classification schemes (patented), tolerant of disconnected/low-bandwidth conditions, with auto-merge plus human conflict queues. donto federation is an M9 research spike. If donto federates, this is the proven reference design — and donto’s append-only claim model would federate more cleanly, since contradictory replicas need no resolving at all.[7]
CBAC + RBAC + ABAC layered to per-property granularity, per-revision classification, discovery-vs-access permission split, IL2→IL6/TS-SCI accreditation, CNSSI 1253 / ICD 503 / NIST 800-53. donto has policy tables; Gotham has certifications.[8]
Graph (link analysis with Search Around multi-hop), Gaia (geospatial C2 with ATAK integration), Video (FMV with AR overlays), Object Explorer (drill-down over millions of records), Dossier/Slides/Chat (classification-aware collaboration), Target Workbench. donto has admin dashboards and a nebula.[2]
In production since 2008 across the Five Eyes, NATO, and active war zones. Every one of donto’s shared instincts — source tethering, append-only history, reversible merges — is field-validated there at institutional scale.[12]
What donto has that Gotham lacks
Gotham has no first-class contradiction object and no competing-hypotheses tooling: conflicts live in revision history and parallel sandboxes, and the UI shows a winner. donto holds incompatible claims as co-true state under I4, links them with typed argument edges (rebuts/undercuts/supports), and ranks them by standing ⟨maturity, corroboration, contradiction-pressure, recency⟩.
RevDB gives transaction-time history; there is no documented valid-time query axis. donto answers “what did we believe on June 1st about events of 1889” as a native query.
Gotham tethers a datum to its source document. donto anchors every claim to the exact character span, through an always-on post-hoc citation stage that separates stated from interpreted — a structural hallucination filter Gotham has no analogue for.
Gotham’s ontology is the pre-abundance design: typing is the scarce, governed step, done by admins and forward-deployed engineers at ingest. donto is built for the LLM era — ~1M freely-minted predicates, emit-free at write time, aligned at read time. Gotham could not hold donto’s firehose without a re-architecture.
The documented failure mode of Gotham deployments — algorithm-derived relationships “treated as fact and presented without caveat” (LAPD training material) — is precisely what I5 (machine confidence is not maturity) and the maturity ladder are designed to prevent.[10]
Gotham is proprietary, bespoke per customer, and lock-in-prone in practice — the NYPD reportedly could not get its own analyses back in a usable format on exit. donto is a self-hostable substrate with SDKs generated from an OpenAPI contract, running whole on one 8-core box.[12]
Feature matrix
Gotham scored against the same twelve-feature rubric as the full field comparison. Each verdict carries its justification.
| feature | donto | gotham | justification |
|---|---|---|---|
| F1Bitemporal state | ✓ | ◐ | RevDB “stack of cards” gives full per-attribute transaction-time history; no valid-time axis — world-time is just data properties visualized on timelines |
| F2Contradiction-preserving | ✓ | ◐ | conflicting values coexist as revision cards and parallel analyst sandboxes, but the UI presents a winner — no co-true ranked state |
| F3Typed argument edges | ✓ | — | no argument model; replication conflicts go to a human adjudication queue |
| F4Evidence anchoring | ✓ | ◐ | every property and relationship tethers to its source document — record/document granularity, not spans, and no unanchorable flagging |
| F5Non-destructive revision | ✓ | ◐ | append-only revision cards (actor + time + security + source per change), but a hard-delete purge capability exists |
| F6Schema-late vocabulary | ✓ | — | the Dynamic Ontology is admin-curated and typed at ingest; “dynamic” means editable post-deployment, not emergent |
| F7Query-time alignment | ✓ | — | alignment is integration-time parser work by forward-deployed engineers |
| F8Identity-as-hypothesis | ✓ | ◐ | object resolution is reversible with preserved sub-histories, but picks a “winner” record for writes — asserted merge, not scored hypothesis |
| F9Claim standing | ✓ | — | no maturity/corroboration ranking; documented critique: algorithm-derived links read as fact in the UI |
| F10Hybrid retrieval + memory API | ✓ | ◐ | federated search across every integrated source + Search Around multi-hop graph queries; not a memory API, no MCP |
| F11Verified LLM extraction | ✓ | — | AI detections get human confirm/dismiss (Video app); no citation-verification stage |
| F12Process provenance | ✓ | ✓ | per-revision actor/source/classification, and provenance carries mandatory access control into derivatives — exceeds donto here |
F12 is the one row Gotham outright wins: its process provenance is not just recorded but access-control-bearing. donto’s row carries the usual footnotes — F3’s argument density is still low and F9 is standing v1.
The record in practice
Gotham’s documented failure modes are not security failures — they are epistemic ones, and each is an argument for the layer donto builds.
LAPD training documents show system-derived relationships presented as fact, without caveat or confidence — the operational cost of having no standing model. Sarah Brayne’s fieldwork documents the resulting “where there’s smoke, there’s fire” self-fulfilling suspicion loops.[10]
The leaked NCRIC manual shows a single plate or name fanning out to arrests, field interviews, plate-reader photo trails, and family networks in seconds. Per-datum ACLs govern who sees it; nothing governs what standing it has.[9]
Marketing promises open export; the NYPD’s attempt to leave with its own analyses in a standardized format reportedly failed. A substrate you cannot leave with your own beliefs is a provenance system with one missing edge — the one pointing out.[12]
What donto should steal
Gotham’s per-attribute revision cards are the best UI metaphor ever shipped for append-only history. donto’s bitemporal scrubber should render exactly this: each claim a card carrying who/when/source/policy, shuffle-able along any axis.
Any donto release, report, or export should compute to the most-restrictive policy of its inputs with explicit redact-down — I6 is already the rule; Gotham shows what enforcing it at the artifact layer looks like.
Gotham’s multi-hop “find links around this selection” is the single most-used analyst gesture. DontoQL wants it as a first-class clause over argument, identity, and evidence edges — not just entity links.
When federation arrives, Nexus Peering’s pattern — auto-merge what you can, queue the rest for humans, never lose either side — is the shape. donto’s advantage: contradictory replicas are already legal state, so the queue holds only identity and policy conflicts.
Gotham distinguishes knowing a datum exists from reading it. donto’s policy capsules model actions richly but not this split; it matters for restricted genealogy and cultural-heritage material.
Synthesis
Gotham is what you build when integration and security are the hard problems and typed knowledge is scarce: curate the ontology, resolve identity at ingest, show analysts one current truth, and make provenance carry classification everywhere. donto is what you build when generation is abundant and the hard problem is holding an unbounded contradictory firehose: defer everything to query time, keep every incompatible claim, and let standing — evidence, corroboration, contradiction-pressure, recency — do the ranking. donto already has the epistemics Gotham lacks; Gotham has the two things donto hasn’t built, and both already exist in donto’s PRD as the Trust Kernel and federation. Read that way, Gotham is not a competitor so much as a fifteen-year field validation of donto’s roadmap — minus the one idea Gotham never had: that the disagreement itself is the data.
Sources
- Palantir platform whitepaper (2010, via the HBGary email archive)
The canonical early description: Dynamic Ontology, Revisioning Database, 'stack of cards', analyst conjecture spaces, Palantir Forward.
https://wikileaks.org/hbgary-emails/fileid/4771/1679 - Palantir Gotham — UK G-Cloud 14 Service Definition Document (2024)
The most complete current public description: apps (Browser, Graph, Gaia, Video, Dossier, Slides, Chat, Inbox, Object Explorer), security accreditations, Postgres/Oracle backend, hard-delete capability.
https://assets.applytosupply.digitalmarketplace.service.gov.uk/g-cloud-14/documents/92736/801146272055049-service-definition-document-2024-11-26-1253.pdf - Gotham API — object resolution basics
Winner-based reversible merge with preserved sub-histories; unresolve re-partitions cleanly.
https://www.palantir.com/docs/gotham/api/revdb-resources/resolution/resolution-basics - Gotham docs — security overview
Mandatory controls propagate with data through provenance and lineage; discretionary, attribute-based, and marking layers.
https://www.palantir.com/docs/gotham/security/overview - Gotham API overview
RevDB resources, federated search, Target Workbench, observations/tracks, OAuth2.
https://www.palantir.com/docs/gotham/api/general/overview/introduction - US9589014B2 — Creating data in a data store using a dynamic ontologyhttps://patents.google.com/patent/US9589014B2/en
- US20150261847 — Sharing information between nexuses with different classification schemeshttps://patents.google.com/patent/US20150261847
- Palantir for Secure Collaboration (brochure)
Nexus Peering in DIL conditions; CBAC+RBAC+ABAC; auto-classification with redact-down.
https://www.palantir.com/assets/xrfr7uokpv1b/4JWbqPQ8d6vYcNijOVqD0D/2857507783a328b6ddb6aef1ffc5fac4/Palantir_for_Secure_Collaboration__1_.pdf - Vice — Palantir's top-secret user manual for cops (2019)
Leaked NCRIC Gotham manual: entities/events/documents, person-search fan-out, ALPR radius search.
https://www.vice.com/en/article/revealed-this-is-palantirs-top-secret-user-manual-for-cops/ - BuzzFeed News — LAPD Palantir training documents
Algorithm-derived relationships 'treated as fact and presented without caveat.'
https://www.buzzfeednews.com/article/carolinehaskins1/training-documents-palantir-lapd - Golding Research — Inside Palantir Gotham
Every link, merge, annotation recorded with source metadata; manual entity resolution as a gap; cost/lock-in analysis.
https://goldingresearch.substack.com/p/inside-palantir-gotham - Wikipedia — Palantir Technologies
History, Ukraine use, AIP, MetaConstellation, Maven, NYPD exit dispute, predictive-policing controversies.
https://en.wikipedia.org/wiki/Palantir_Technologies - Foundry docs — enable Gotham integration (Type Mapping)https://www.palantir.com/docs/foundry/object-link-types/enable-gotham-integration
- Palantir — Synchronizing Distributed Data (Nexus Peering talk)https://www.youtube.com/watch?v=IX55r1WhUWM
- Gotham Python SDK — ObjectComponentSecurity model
Per-property/media/link security mutation; portion markings validated against CBAC rules.
https://github.com/palantir/gotham-platform-python/blob/develop/docs/v1/Gotham/models/ObjectComponentSecurity.md
Method: two parallel research passes on 2026-07-02 — donto’s inventory compiled from the canon, the substrate PRD, and the abundance report; Gotham researched across the sources above. Where a Gotham capability could not be verified it is scored down, not up. Palantir’s more sensitive workflows (targeting, fires, SIGINT) are explicitly excluded from its public documentation and therefore from this comparison.