Evidence & Audit Trails
Every governance evaluation in ARQERA produces an evidence artifact — a cryptographically-linked record that forms a tamper-proof audit trail. This evidence chain is the foundation for compliance with the EU AI Act, SOC 2, ISO 42001, and internal governance requirements.
How the Evidence Chain Works
Each evidence artifact contains:
- Payload — the full governance evaluation result (action, verdict, per-law results)
- Hash — a SHA-256 hash of the payload
- Previous hash — the hash of the preceding artifact in the chain
- Timestamp — when the artifact was created
Artifact N-1 Artifact N Artifact N+1
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ payload │ │ payload │ │ payload │
│ hash: abc123 │ ──► │ prev: abc123 │ ──► │ prev: def456 │
│ │ │ hash: def456 │ │ hash: ghi789 │
└──────────────┘ └──────────────┘ └──────────────┘
If any artifact is modified or deleted, the hash chain breaks — making tampering detectable.
Automatic Evidence Generation
Evidence artifacts are generated automatically by the ARQERA API. You do not need to call a separate endpoint. Every call to the Governance Evaluate endpoint produces an evidence artifact.
What Gets Recorded
| Event | Artifact Type | What's Stored |
|---|---|---|
| Governance evaluation | governance_eval | Full verdict, per-law results, action, context, duration |
| Action executed | action_executed | Action ID, status, execution result |
| Action approved | action_approved | Approver, action ID, approval timestamp |
| Action rejected | action_rejected | Rejector, action ID, rejection reason |
| Compliance check | compliance_check | Framework, requirement, pass/fail result |
| Trust score change | trust_update | Actor, old score, new score, reason |
Verifying Chain Integrity
Use the Evidence Verify endpoint to confirm the chain is intact:
curl -s "https://api.arqera.io/api/v1/evidence/verify" \
-H "X-API-Key: $ARQERA_API_KEY" | python3 -m json.tool
{
"valid": true,
"total_artifacts": 1247,
"verified_count": 1247,
"chain_head_hash": "sha256:a3f7b2c1d4e5f6a7b8c9d0e1f2a3b4c5",
"verified_at": "2026-02-22T10:35:00Z"
}
If valid is false, the chain has been compromised. Contact support immediately.
Searching Evidence
Find specific artifacts by type, action, verdict, or date range:
import requests
results = requests.post(
"https://api.arqera.io/api/v1/evidence/search",
headers={"X-API-Key": os.environ["ARQERA_API_KEY"]},
json={
"artifact_type": "governance_eval",
"verdict": "block",
"from_date": "2026-01-01T00:00:00Z",
"to_date": "2026-02-28T23:59:59Z",
},
).json()
for item in results["items"]:
print(f"{item['action']}: {item['verdict']} at {item['created_at']}")
Exporting for Auditors
Export evidence in PDF, JSON, or CSV format for external auditors:
export = requests.post(
"https://api.arqera.io/api/v1/evidence/export",
headers={"X-API-Key": os.environ["ARQERA_API_KEY"]},
json={
"format": "pdf",
"from_date": "2026-01-01T00:00:00Z",
"to_date": "2026-06-30T23:59:59Z",
"artifact_types": ["governance_eval", "action_executed"],
"include_chain_verification": True,
},
).json()
print(f"Download: {export['download_url']}")
print(f"Artifacts: {export['artifact_count']}")
print(f"Chain valid: {export['chain_verification']['valid']}")
Retention Policies
Evidence retention depends on your subscription tier:
| Tier | Retention | Storage |
|---|---|---|
| Free | 30 days | 1 GB |
| Team | 365 days | 10 GB |
| Business | 3 years | 100 GB |
| Enterprise | Unlimited | Unlimited |
For compliance frameworks requiring longer retention (e.g., EU AI Act mandates record-keeping throughout the system lifecycle), consider the Business or Enterprise tier.
Best Practices
- Verify the chain regularly — run
GET /evidence/verifydaily or as part of your CI pipeline - Export before retention expiry — download evidence before it ages out of your tier's retention window
- Use artifact types — include
artifact_typein your governance context for more granular evidence categorization - Include descriptions — the
descriptionfield in governance evaluations makes evidence artifacts more useful for auditors - Monitor evidence storage — check your storage usage via the Usage API to avoid running out of space
Next Steps
- Evidence API Reference — full endpoint documentation
- EU AI Act Compliance — how evidence maps to EU AI Act requirements
- Evidence Chain concept — deep dive into the cryptographic chain