Proof Sheet
What EVE proves — and how you verify it yourself.
Last updated: June 2026 · For enterprise buyers, auditors, and risk teams
EVE produces signed, tamper-evident evidence for every governed decision. The claims below are independently verifiable without contacting EVE, without trusting our infrastructure, and without any special tooling beyond standard cryptographic utilities.
1. What every governed decision produces
Each call to the EVE CoreGuard decision engine generates five artifacts automatically. Together they form an auditable evidence package that survives the original system and can be verified years after the fact.
Artifact 1
Deterministic Verdict
A machine-readable disposition —
ALLOWED, BLOCKED, or MODIFIED — produced deterministically by the policy engine before any model output is acted upon. The same inputs against the same policy version always produce the same verdict.Artifact 2
Signed Decision Certificate
An Ed25519-signed certificate binding the verdict to the exact policy version (e.g.
lending_v1), the tenant identifier, a content hash of the full decision record, and the timestamp. Verifiable using only EVE's published public key — no API call required.Artifact 3
Hash-Chained Audit Record
Each decision is appended to a tenant-bound, append-only audit chain where every record includes the SHA-256 hash of its predecessor. Removing or altering any record breaks every subsequent link, making tampering detectable without a trusted server.
Artifact 4
Configurable Retention
Audit records are retained for a configurable period, up to 7 years, to meet long-horizon regulatory obligations in banking, insurance, healthcare, and government. Retention period is stated in the customer’s agreement and enforced at the storage layer.
Artifact 5
Signed Deletion Receipt
When data is erased — whether by retention expiry or a GDPR erasure request — EVE issues an HMAC-SHA256 signed, hash-chained deletion receipt across all five memory layers. The receipt proves the erasure happened, when, and what was removed.
All five artifacts are tenant-isolated. No artifact from one organization is co-mingled with another tenant’s chain. The technical mechanism is described on the Architecture & Data Flow page.
2. Six independent checks
Each check below can be performed by any examiner who holds a copy of a decision record and EVE’s published public key. None of them require a live connection to EVE’s infrastructure. All six are also exercisable interactively at /agent-proof and /verify.
| Check | Independent | How to run it |
|---|---|---|
| Audit chain integrity | Offline | Read the prev_hash field of any record. Compute SHA-256 of the prior record’s canonical JSON. They must match. A single mismatch in a chain of millions exposes every record after it as potentially altered. |
| Certificate signature | Offline | Fetch EVE’s Ed25519 public key from /.well-known/eve-pubkey or the printed copy in your contract. Verify the signature field of the Decision Certificate against the canonical payload using any standard Ed25519 library (PyNaCl, libsodium, OpenSSL 3.x, etc.). |
| Policy binding | Offline | Confirm that the policy_id field inside the signed payload matches the policy version in effect at the time of the decision (e.g. lending_v1). The certificate is cryptographically bound to this value; a different policy version produces a different hash and invalidates the signature. |
| Report attestation | Offline | Verify the report_hmac field included in the full audit record against the record content using the tenant-scoped HMAC key stored in your deployment. A matching MAC confirms the report body was not modified after EVE wrote it. |
| Decision determinism | Replayable | Submit the original proposed_action, context, and policy_set fields to a fresh EVE CoreGuard instance running the same policy version. The returned verdict must match the decision.status in the stored record. Determinism is a design invariant, not a claim — any deviation is a verifiable defect. |
| Offline verification | No EVE required | The entire verification workflow — chain walk, signature check, policy binding confirmation, and MAC validation — can be executed from a printed or exported copy of the record with no network access to EVE. See the interactive demonstration at /agent-proof. |
3. Verify it now
Two tools are available publicly today. No account is required to use either.
EVE Verification Portal →
Paste any Decision Certificate or audit record. The portal walks through all applicable checks and returns a machine-readable result.
Agent Proof — Offline Verify →
Interactive demonstration of certificate verification entirely in the browser. Includes a console demo loader and a downloadable verification script.
Architecture & Data Flow →
Where data enters, how each artifact is produced, what leaves the control plane, and what is retained.
Security Overview →
Encryption, key management, access control, audit logging, infrastructure hardening, and penetration-test posture.
4. What a Decision Certificate contains
The table below describes every field in a Decision Certificate. Buyers reviewing certificates received from a counterparty or retrieved from an audit export can cross-reference here.
| Field | Type | Meaning |
|---|---|---|
decision_id | UUID | Unique identifier for this decision event. Immutable after issuance. |
tenant_id | String | The organization that owns this record. Cross-tenant access is structurally prevented. |
policy_id | String | The versioned policy under which the verdict was computed (e.g. lending_v1). Part of the signed payload. |
verdict | Enum | ALLOWED / BLOCKED / MODIFIED. Signed and immutable. |
risk_level | Enum | LOW / MEDIUM / HIGH as assessed by the policy engine for this specific action. |
timestamp | ISO 8601 UTC | Wall-clock time at which the verdict was produced, included in the signed payload. |
content_hash | SHA-256 | Hash of the full canonical decision record (JCS-serialized). Changing any field in the record changes this hash. |
signature | Ed25519 (prod) / HMAC-SHA256 (dev) | Cryptographic signature over the canonical payload. Verifiable with the published public key. |
prev_hash | SHA-256 | Hash of the preceding record in the tenant’s audit chain. Links every record to its predecessor. |
violations | Array | Policy rules that were triggered, if any. Empty for ALLOWED decisions with no flagged conditions. |
What we do NOT claim
- SOC 2 Type II is in progress, not complete. Controls are aligned and the audit process has begun; the attestation report does not yet exist. We will not represent it as issued until it is. If your procurement gate requires a completed SOC 2 Type II today, we will tell you the expected timeline honestly rather than overstate readiness.
- ISO/IEC 27001 is planned, not initiated. It is on our compliance roadmap. We are not currently certified and have not begun the certification process.
- Evidence proves what was decided — not any particular regulatory outcome. A signed Decision Certificate demonstrates that a governed decision was made, when, under which policy, and with what verdict. It does not constitute legal compliance for your specific regulatory program. Use it as evidence in your compliance framework, not as a substitute for legal analysis.
- Named customer references are shared only with consent under NDA. Design partners exist; their identities are confidential by default. We do not publish customer names without explicit written permission. If you need a peer reference, we will facilitate an introduction where we have consent to do so.
- Deletion receipts evidence erasure — they do not prevent data from existing on backup media outside EVE’s control. The DPA and your deployment agreement govern backup scope and retention. For air-gapped or on-premises deployments, customer-managed backup retention is the customer’s responsibility.
5. Evidence properties at a glance
Signature algorithm (prod)
Ed25519
Chain link hash
SHA-256 (JCS canonical)
Deletion receipt signing
HMAC-SHA256, hash-chained
Maximum audit retention
7 years (configurable)
Tenant isolation mechanism
Per-tenant chain & key
Offline verifiable
Yes — no EVE involvement
Decision determinism
Replayable by design
Public key endpoint
Get the full diligence packet or speak with a human
The Procurement & Vendor Diligence Packet contains the pre-answered security questionnaire, sub-processor list, compliance mappings, and contract documents. For a live walkthrough of the evidence chain or to begin a formal diligence process, email [email protected].