Daml Driven Development: VDC Consortium

Guest post by Cecil (CJ) John, Chief Executive Architect of VDC Consortium

How do contract professionals assure auditors or litigators that digital records, signatures, and workflows are authentic and immutable? The answer may be blockchain-based records management, which Gartner lists as 1 of 4 key blockchain business initiatives, potentially impacting all record management processes by facilitating savings on costs and providing opportunities to generate revenue by extending capabilities.

To this end, VDC Consortium offers Formal Media™, a blockchain-enabled digital records management system that has been formally accepted into Microsoft’s commercial catalog. In this guest post, Cecil (CJ) John, Chief Executive Architect of VDC Consortium, explains how he integrated the Daml open-source smart contract development language as a critical component in the technology infrastructure of Formal Media™, and outlines a scenario for how multiple parties to a transaction voluntarily enter into a smart contract using Daml.

A peek at the author’s Daml Driven workspace

 Data regulatory compliance

Formal Media™ is the world’s first blockchain enabled Digital Workplace. Probably. It synchronizes the blockchain smart contract with digital records, workflows, and signatures, providing proof of record, process, and identity for multiple parties to a transaction. Formal Media™ has been formally accepted into Microsoft’s commercial catalog.

Figure 1: Integrating records management with blockchain

There’s been a significant growth of global cross-industry regulations over the past ten years. For government or industry regulatory compliance, or e-discovery, organizations may have to prove to auditors or the courts that there has been no malicious or negligent corruption of digital records, workflows, and logs.

Also, this is the era of smart contracts—transactional elements of a legal agreement executing as code on the blockchain. How do we reconcile the smart contract with the corresponding digital contract records? As the industry moves towards the execution of smart contracts, contract professionals (including lawyers and auditors) may need to be able to read and decipher them, if not learn how to write them.

In an earlier piece I did on Medium, I dove into the intersection of contracts and records management more deeply. What I’d like to do in this post is to focus more on one aspect of the technology that we used to provide our solution.

What is Daml—and why did we use it?

We were first attracted to blockchain technology because it provides a trusted, independent, and cost-efficient mechanism for multiparty transactional records management. Blockchain stores a cryptographic hash of the data, workflow processes, and signatures for each record, rendering it effectively immutable and authentic. However, the public permissionless blockchain conducts transactions pseudonymously—identities of parties can be hard to establish.

Regulatory compliance dictates that parties to a transaction are identifiable, and so we needed to work within the context of a permissioned ledger model. We were attracted to Daml, an open-source smart contract language for modeling rights and obligations in multi-party business processes in any business domain, because it is based on a permissioned ledger model that supported the essential elements of a smart contract that were important to us:

  • Proof of rights and obligations
  • Confidential execution
  • Evidentiary trail
  • Formally verifiable

We see this technology as appealing to auditors and litigators, as it effectively certifies proof of record and process. Daml also makes smart contracts development more open and flexible because there could be many potential physical deployment options (see for example the recent announcements regarding VMware and Hyperledger Sawtooth).

Smart contracts developed in Daml provide high integrity and privacy guarantees. Daml contracts encode the rights of parties as choices that they can exercise, and obligations as agreements. For the purposes of this post, let me zero in on one critical characteristic of contracts that really highlights the value of coding in Daml:

“For the consequences of a contract to be compulsory, entrance must be voluntary.”

It’s only when all parties enter into a valid contract voluntarily that they become obligated to perform to the terms of the agreement and can be compelled to do so by judgment in a court of law. Daml natively models the rights of each party to a contract, automatically managing how those rights change as a contract progresses through its workflow.

Daml is also an intuitive smart contract programming language that supports formal methods for catching design time errors and is accessible enough for lawyers and contract professionals to at least understand, if not write. Let’s look at a quick example of this in action.

Figure 2: a simple (and poorly coded) loan example

Figure 2 provides the Daml code for a simple loan application that intuitively makes sense but contains a fatal design-time flaw—it requires both the lender’s presentation of loan terms and the borrower’s acceptance to be simultaneous. Although the code does protect against unilateral actions by one of the parties, this is not the way things happen in real life!

We can easily and quickly test that Daml will protect against unilateral action during Daml development, using the built-in scenario testing language and in-memory ledger simulation provided as part of the Daml SDK.

Figure 3: A scenario for testing the loan application

Figure 3 represents a testing scenario, and we see that Daml has flagged an issue by highlighting the loanworkflow scenario. Hovering over the error gives the developer instant feedback that the smart contract is not valid due to a missing authorization from the lender (‘Bank’), as shown in Figure 4.

Figure 4: Real-time feedback provided during development

The contract works as intended, but there is a better and more realistic way to code contracts between parties.

The propose-accept design pattern

A very common pattern used in Daml to avoid such errors and ensure that all parties to a transaction have entered into it voluntarily is called the propose-accept pattern, and we use this pattern extensively in Formal Media. Figure 5 shows a full example of a simple workflow that uses this pattern to model how digital records and workflows in an enterprise portal synchronize with a Daml smart contract for multiple parties to a transaction.

Figure 5: Example Daml smart contract template leveraging the propose-accept design pattern

The solution involves two templates: the SPContract template, which defines an agreed-to contract signed by both parties (analogous to the Loan contract shown in my previous example). But in this pattern, we must include another contract, SPContractProposal, whereby the offer of a contract must be made and accepted prior to the SPContract being executed. Figure 6 provides a testing scenario to show how it works.

Figure 6: A scenario for testing the contract application

First, in our solution, a few things would happen outside of these contracts. Let’s say that Alice wants to send a contract to Bob for review and approval. Alice uploads a contract record into the records management repository—essentially a document library—and generates a URL (hyperlink) for the document. Alice then uses an API to generate a unique cryptographic hash for the document. We use Sphereon for these blockchain-based records management tasks. With the document thus prepared, Alice is ready to see if Bob wants to enter into an agreement defined by the document.

In our application, Alice would then use a UI to configure a records management workflow for the document, giving its URL and hash as unique references and specifying Bob as the reviewer. The under-the-covers contractual workflow is reflected in the code sample above by the test scenario lines 40-47. When Alice saves the offer in the UI, SPContractProposal is created on the Daml ledger and Bob would receive an email notification with a link to review the contract record, prompting him to accept or reject the contract proposal.

Lines 49-50 emulate Bob accepting the contract proposal (by exercising a Daml Accept choice). Looking at lines 18-23 of the code we see that the Accept triggers the creation of the actual SPContract. The application then redirects Bob to sign the contract record, and under the covers Daml will archive the original SPContractProposal and create the new, fully executed SPContract record on the ledger with the two parties as signatories.

An inspection of the ledger in the Daml SDK shows exactly what we expect: an archived SPContractProposal record and an active SPContract record.

Figure 7: Ledger contents for a properly executed contract

With both parties having entered voluntarily into the agreement, the smart contract is now synchronized with the contract record, united by a unique reference to the hash and the document URL.

In the Loan example, both parties had to immediately enter the loan agreement without any preparation—not a realistic scenario. In the SPContract example, the offer is first made via the SPContractProposal offer—which can be accepted or rejected. The SPContract is only formed when the offer is accepted. This is a more natural flow for contract formation.


The Formal Media™ solution architecture integrates a blockchain-based records management system to deliver a trusted and auditable mechanism for records management, and Daml-Driven smart contracts to deliver a permissioned blockchain infrastructure for progressing agreements against those documents. Documents and contracts are indelibly linked so that knowledge of who authorized what actions on the documents is preserved.

The propose-accept pattern, so critical to ensuring that agreements are entered into voluntarily, is quite easily implemented using Daml!

Join the community and download the Daml SDK at daml.com

About the author

Cecil (CJ) John is an architect, technologist, and innovator and has worked with some of the largest companies in the world including the IMF, US Federal Government and some of the top 5 consulting companies. He is the Chief Executive Architect of VDC Consortium, LLC, a Microsoft Silver Partner, and Goldman Sachs 10KSB alumni member. If you like what you have read, you can follow CJ on Medium for more great content. You can also sign up for his newsletter or contact him by emailLinkedin or Twitter.