Cryptographic Proofs and Verification

AISentinel issues cryptographic evidence for data lifecycle events so you can prove compliance to auditors and regulators. This guide explains deletion proofs, tamper-evident ledgers, and verification workflows.

Proof Types

Proof	Description	Primary Use Cases
Deletion Proof	Merkle-proof-backed receipt confirming artifacts were destroyed.	GDPR right-to-be-forgotten, CCPA deletion requests
Retention Proof	Signed attestations that artifacts are preserved with immutability controls.	SOC 2 evidence, legal holds
Tamper-Evident Log Proof	SHA-256 hash chain anchored to public transparency logs.	Demonstrating log integrity for regulators

How Proofs Are Generated

Event Capture: When an artifact (policy decision, audit log, dataset snapshot) is deleted or retained, AISentinel records the event in an append-only ledger.
Hashing: Each entry includes sha256(content) and prev_hash to form a hash chain.
Signing: The chain head is signed with AISentinel’s hardware-protected signing key.
Anchoring: Daily snapshots anchor to a public blockchain (Ethereum testnet) for additional immutability assurances.
Delivery: Proof packages are available via API, portal download, or webhook callback.

Requesting Proofs via API

curl -X POST "https://api.aisentinel.ai/v1/proofs/deletion" \
  -H "Authorization: Bearer $AISENTINEL_ADMIN_KEY" \
  -H "X-AISentinel-Tenant: $AISENTINEL_TENANT_ID" \
  -H "Content-Type: application/json" \
  -d '{
    "datasetId": "pii-snap-2024-02",
    "reason": "GDPR erasure",
    "notifyWebhook": "https://hooks.acme.io/aisentinel-proofs"
  }'

The response includes a proofId and status pending. Use GET /v1/proofs/{proofId} to download the final ZIP archive containing:

proof.json – metadata and signatures
merkle_path.json – path from leaf to root
signature.pem – detached CMS signature

Verifying Proofs

AISentinel publishes verification libraries in the Python SDK and JavaScript SDK. Verification consists of:

Signature Validation: Confirm signature.pem matches AISentinel’s public certificate.
Merkle Path Check: Recompute hashes along the merkle_path to match the provided root.
Anchor Confirmation: Optionally verify blockchain anchor transaction hash.

Example Python snippet:

from aisentinel.proofs import ProofVerifier

verifier = ProofVerifier()
proof = verifier.load_zip("deletion-proof.zip")

if verifier.verify(proof):
    print("Proof valid", proof.anchor.tx_id)
else:
    raise RuntimeError("Proof invalid: tampering detected")

Compliance Reporting

SOC 2: Attach deletion and retention proofs to control evidence (CC8, CC9).
HIPAA: Demonstrate PHI disposal events with signed proofs to satisfy §164.310(d)(2)(i).
GDPR: Provide proof packages to data subjects or regulators as part of DSAR responses.

Tamper-Evident Storage

Proof archives should be stored in WORM-compliant buckets (Amazon S3 Object Lock, Azure Immutable Blob Storage).
Enable bucket versioning and MFA delete to prevent accidental removal.
Use Configuration Management to enforce immutability policies across tenants.

Automation and Webhooks

Configure webhook integrations for proof.ready events using patterns in Webhook Integrations.
Use the Remediation Automation playbook to automatically sanitize datasets and request deletion proofs in the same workflow.
Research teams can include proof verification as part of review pipelines—see Research Automation.

Troubleshooting

404 proof_not_found: Ensure the proof ID is valid and the tenant matches.
Signature Mismatch: Fetch the latest AISentinel public certificate from GET /v1/proofs/certificates.
Delayed Proofs: Large datasets may take several minutes; monitor job status through Auditing & Compliance.

Cryptographic proofs provide defensible evidence that complements AISentinel’s governance controls. Incorporate them into your compliance playbooks alongside BYOK and Key Rotation.