Evidence Chain
The evidence chain is ARQERA's cryptographic audit trail. Every governance evaluation, action execution, and approval decision is recorded as an evidence artifact linked to the previous one via SHA-256 hashes. This creates a tamper-proof, append-only log that auditors and compliance frameworks can verify.
Structure
Each evidence artifact contains:
| Field | Description |
|---|---|
id | Unique artifact identifier |
artifact_type | Category (e.g., governance_eval, action_executed) |
payload | Full data of the event |
hash | SHA-256 hash of this artifact's payload |
previous_hash | Hash of the preceding artifact |
created_at | ISO 8601 timestamp |
The chain looks like this:
Genesis → Artifact 1 → Artifact 2 → ... → Artifact N
hash: h1 hash: h2 hash: hN
prev: 0 prev: h1 prev: hN-1
Tamper Detection
If any artifact is modified, its hash changes. Since the next artifact references the original hash via previous_hash, the chain breaks:
Original: A(hash=abc) → B(prev=abc, hash=def) → C(prev=def)
✓ valid
Tampered: A(hash=xyz) → B(prev=abc, hash=def) → C(prev=def)
↑ ↑
modified prev doesn't match A's new hash
✗ chain broken
The Evidence Verify endpoint checks every link in the chain and reports whether it is intact.
Artifact Types
| Type | Event | What's Recorded |
|---|---|---|
governance_eval | Governance evaluation | Full verdict, per-law results, action, context, timing |
action_executed | Ara action executed | Action ID, status, execution metadata |
action_approved | Human approved an escalation | Approver ID, action ID, approval timestamp |
action_rejected | Human rejected an escalation | Rejector ID, action ID, rejection reason |
compliance_check | Compliance framework check | Framework, requirement, pass/fail |
trust_update | Trust score changed | Actor ID, old score, new score, reason |
Why This Matters
Compliance
The EU AI Act (Article 12) requires automatic logging of events throughout a high-risk AI system's lifetime. The evidence chain satisfies this requirement with cryptographic integrity guarantees that go beyond simple logging.
Auditability
External auditors can independently verify the evidence chain:
- Request an evidence export via the API
- Verify each artifact's hash matches its payload
- Verify each
previous_hashmatches the preceding artifact'shash - Confirm no gaps exist in the chain
Trust
The hash chain means that ARQERA cannot modify historical records without detection. This provides a trust guarantee that goes beyond "we promise we logged it" — the math proves it.
Verification
Via API
curl -s "https://api.arqera.io/api/v1/evidence/verify" \
-H "X-API-Key: $ARQERA_API_KEY"
{
"valid": true,
"total_artifacts": 1247,
"verified_count": 1247,
"chain_head_hash": "sha256:a3f7b2c1d4e5f6a7b8c9d0e1f2a3b4c5",
"verified_at": "2026-02-22T10:35:00Z"
}
Via Dashboard
Navigate to Governance > Evidence in the ARQERA dashboard. The chain integrity status is displayed at the top of the page.
Retention
Evidence retention depends on your subscription tier:
| Tier | Retention | Storage |
|---|---|---|
| Free | 30 days | 1 GB |
| Team | 365 days | 10 GB |
| Business | 3 years | 100 GB |
| Enterprise | Unlimited | Unlimited |
When artifacts age past your retention window, they are removed from the active chain. Export evidence before retention expiry if you need to keep it longer.
Next Steps
- Evidence API — retrieve, search, verify, and export evidence
- Evidence & Audit Trails guide — practical usage guide
- EU AI Act Compliance — how evidence maps to regulatory requirements