This document outlines the conceptual architecture for the Tula Card, a tool designed for displaced communities. Our approach is a direct response to extensive research that revealed a deep need for a system that can function in the world's most challenging environments.
To achieve this, our architecture is built on four core principles:
Resilient offline operation: The system must be fully functional offline. It uses a local community mesh network for peer-to-peer transactions that are settled asynchronously when a connection is eventually found.
User sovereignty: The user has absolute control and physical custody of their identity. Proofs and credentials are stored on their secure TulaCard, not in the cloud, and can only be shared with their explicit physical consent.
Social trust as a technical primitive: The system integrates the user's real-world community relationships directly into its design. This is used for critical functions like identity recovery and to enable secure, grassroots governance like signing petitions.
An open ecosystem: The entire platform is built on open standards. This ensures any aid organization can participate, breaking down the data silos that currently hinder support and creating a single, interoperable network for service delivery.
Together, these principles form the blueprint for a system that is not only technically resilient but also fundamentally user-centric, secure, and dignified.

Conceptual architecture

Our architecture is a layered system that combines secure hardware, lightweight mobile applications, and a multi-layered network protocol. This design ensures functionality in fully offline environments while allowing for eventual settlement on a global ledger.

The core components

The ecosystem consists of four main components.
1. The TulaCard (the secure anchor): This is the physical card given to every user. It is the foundation of the user's identity and the root of all security.
Technology: An open-source Keycard contactless smart card.
Function: It securely stores the user's private keys in its main Wallet Applet and their verifiable credentials (like a "Proof of Funds") in the secondary Cash Applet. All cryptographic signatures happen on the card itself; the private keys never leave the secure hardware. It is the user's physical vault for identity and proofs.
2. The proxy app (the user's window): This is the lightweight Android application that users can optionally install on their phones.
Technology: A purpose-built Android application using the Keycard Shell SDK to communicate with the TulaCard.
Function: It allows users with phones to interact with their card to check balances, view credentials, and conduct P2P transactions. It also maintains the user's local transaction log and participates in the community mesh network.
3. The admin terminal (the trusted gateway): This is a dedicated, secure device used by authorized NGO staff and community leaders.
Technology: A hardened device (like a dedicated phone or tablet) running a special "admin version" of the Proxy App, utilizing the Keycard for all secure operations.
Function: This is the only component with the authority to perform high-trust actions: issuing new TulaCards, provisioning an identity with its SLIP39 social recovery network, loading official credentials (like aid entitlements), and acting as a primary hub for the community mesh network.
4. The community sync hub (the local data sharing point): This is not a separate device, but a mode within the Proxy App and Admin Terminal.
Technology: Bluetooth Low Energy (BLE).
Function: It allows nearby devices to connect securely and exchange their transaction logs (the "gossip" protocol). This creates a shared, offline community ledger that protects merchants from fraud and allows card-only users to perform a "community balance check."

High-level interaction diagram

The following diagram illustrates the flow of information and trust within the Tula system, from a single offline transaction to its final settlement on a global ledger.
Diagram breakdown:
The architecture operates in two distinct environments: the offline community and the online world.
1. The offline community (the base layer): This is where all daily activity occurs. The trusted NGO admin terminal issues a TulaCard to a user. Users conduct P2P transactions by tapping their card on a merchant's phone running the Proxy App. These devices then form a community mesh network over BLE, synchronizing transaction logs with each other via a local community sync hub to prevent fraud without needing internet.
2. The online world (the settlement layer): Occasionally, a trusted device like an admin terminal connects to the internet. It pushes a batch of all the signed, verified, offline transactions to a blockchain smart contract. This is the final, authoritative settlement that updates the global ledger.
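
The log exchange described for the community sync hub and for the offline community layer can be sketched as follows. This is an added example, not code or a wire format from the Tula project; it shows how merged logs expose a double spend and support a community balance check. The entry fields (`card`, `counter`, `payee`, `amount`), the per-card counter, and all function names are assumptions, and signatures are assumed to have been verified before an entry is merged.

```python
import hashlib
import json

# Assumed entry format (not defined by the page): paying card id, a per-card
# counter, payee and amount. Signature checks are assumed to happen earlier.

def tx_id(tx):
    """Content hash of a transaction, used as its identity in the log."""
    return hashlib.sha256(json.dumps(tx, sort_keys=True).encode()).hexdigest()

def as_log(txs):
    """Build a log (dict of tx_id -> transaction) from a list of entries."""
    return {tx_id(t): t for t in txs}

def merge_logs(local, remote):
    """Union of two logs. The result does not depend on sync order, so
    devices that gossip in any sequence converge on the same ledger."""
    merged = dict(local)
    for tx in remote.values():
        merged[tx_id(tx)] = tx  # recompute the id, never trust the peer's key
    return merged

def find_conflicts(log):
    """Cards that produced two different transactions under one counter
    value: evidence of an offline double spend."""
    seen, conflicts = {}, set()
    for tid, tx in log.items():
        slot = (tx["card"], tx["counter"])
        if seen.setdefault(slot, tid) != tid:
            conflicts.add(tx["card"])
    return conflicts

def community_balance(log, card, loaded):
    """Balance derived from the shared log: loaded credit minus what the
    card spent plus what it received."""
    spent = sum(t["amount"] for t in log.values() if t["card"] == card)
    received = sum(t["amount"] for t in log.values() if t["payee"] == card)
    return loaded - spent + received

# Constructed sample data: card A pays merchant M1 twice, then reuses
# counter 2 at merchant M2 while the two merchants are out of range.
M1_LOG = as_log([{"card": "A", "counter": 1, "payee": "M1", "amount": 5},
                 {"card": "A", "counter": 2, "payee": "M1", "amount": 10}])
M2_LOG = as_log([{"card": "A", "counter": 2, "payee": "M2", "amount": 10}])

if __name__ == "__main__":
    ledger = merge_logs(M1_LOG, M2_LOG)
    print("conflicting cards:", find_conflicts(ledger))
    print("balance of A:", community_balance(ledger, "A", loaded=20))
```

Neither merchant's log shows a problem on its own; the reused counter and the negative balance only appear once the two logs are merged.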