Cryptographic Proof Check

Cryptographic Integrity Overview

What gets recorded (high level)

We protect the integrity of events such as:

• Score generated
• Decision reviewed
• Record accessed
• Model version applied (high level)
• Policy or threshold updated (high level)

Public-facing examples are intentionally generic. Detailed schemas, field definitions, and realistic examples are provided to customers in an evidence pack.

Verification method (overview)

Verification checks four things:

1. Deterministic representation
   We canonicalize the event so it serializes the same way every time.
2. Event fingerprint
   We hash the canonical event using SHA-256. This hash is the event's immutable fingerprint.
3. Signature validation
   We sign the event hash using Ed25519 (JWS alg=EdDSA). Anyone can verify the signature using our published public keys.
4. Daily inclusion proof
   Each day, event hashes are added to a Merkle tree and a daily Merkle root is published. Customers can verify that a specific event hash is included in the published root using an inclusion proof.

Result: independent validation of event -> hash -> signature -> Merkle inclusion.

Public verification artifacts

We publish the minimum necessary artifacts for independent verification:

• Public signing keys (JWKS): /trust/crypto-proof/jwks
• Daily Merkle roots: /trust/crypto-proof/roots
• Verifier: /trust/crypto-proof/verify

Customer evidence pack (authenticated / on request)

For security and privacy, detailed schemas and realistic examples are not published publicly. Customers can obtain documentation, redacted examples, and event-specific inclusion proofs through the evidence pack.