Skip to main content

Evidence & Audit Trails

Every governance evaluation in ARQERA produces an evidence artifact — a cryptographically-linked record that forms a tamper-proof audit trail. This evidence chain is the foundation for compliance with the EU AI Act, SOC 2, ISO 42001, and internal governance requirements.

How the Evidence Chain Works

Each evidence artifact contains:

  1. Payload — the full governance evaluation result (action, verdict, per-law results)
  2. Hash — a SHA-256 hash of the payload
  3. Previous hash — the hash of the preceding artifact in the chain
  4. Timestamp — when the artifact was created
Artifact N-1 Artifact N Artifact N+1
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ payload │ │ payload │ │ payload │
│ hash: abc123 │ ──► │ prev: abc123 │ ──► │ prev: def456 │
│ │ │ hash: def456 │ │ hash: ghi789 │
└──────────────┘ └──────────────┘ └──────────────┘

If any artifact is modified or deleted, the hash chain breaks — making tampering detectable.

Automatic Evidence Generation

Evidence artifacts are generated automatically by the ARQERA API. You do not need to call a separate endpoint. Every call to the Governance Evaluate endpoint produces an evidence artifact.

What Gets Recorded

EventArtifact TypeWhat's Stored
Governance evaluationgovernance_evalFull verdict, per-law results, action, context, duration
Action executedaction_executedAction ID, status, execution result
Action approvedaction_approvedApprover, action ID, approval timestamp
Action rejectedaction_rejectedRejector, action ID, rejection reason
Compliance checkcompliance_checkFramework, requirement, pass/fail result
Trust score changetrust_updateActor, old score, new score, reason

Verifying Chain Integrity

Use the Evidence Verify endpoint to confirm the chain is intact:

curl -s "https://api.arqera.io/api/v1/evidence/verify" \
-H "X-API-Key: $ARQERA_API_KEY" | python3 -m json.tool
{
"valid": true,
"total_artifacts": 1247,
"verified_count": 1247,
"chain_head_hash": "sha256:a3f7b2c1d4e5f6a7b8c9d0e1f2a3b4c5",
"verified_at": "2026-02-22T10:35:00Z"
}

If valid is false, the chain has been compromised. Contact support immediately.

Searching Evidence

Find specific artifacts by type, action, verdict, or date range:

import requests

results = requests.post(
"https://api.arqera.io/api/v1/evidence/search",
headers={"X-API-Key": os.environ["ARQERA_API_KEY"]},
json={
"artifact_type": "governance_eval",
"verdict": "block",
"from_date": "2026-01-01T00:00:00Z",
"to_date": "2026-02-28T23:59:59Z",
},
).json()

for item in results["items"]:
print(f"{item['action']}: {item['verdict']} at {item['created_at']}")

Exporting for Auditors

Export evidence in PDF, JSON, or CSV format for external auditors:

export = requests.post(
"https://api.arqera.io/api/v1/evidence/export",
headers={"X-API-Key": os.environ["ARQERA_API_KEY"]},
json={
"format": "pdf",
"from_date": "2026-01-01T00:00:00Z",
"to_date": "2026-06-30T23:59:59Z",
"artifact_types": ["governance_eval", "action_executed"],
"include_chain_verification": True,
},
).json()

print(f"Download: {export['download_url']}")
print(f"Artifacts: {export['artifact_count']}")
print(f"Chain valid: {export['chain_verification']['valid']}")

Retention Policies

Evidence retention depends on your subscription tier:

TierRetentionStorage
Free30 days1 GB
Team365 days10 GB
Business3 years100 GB
EnterpriseUnlimitedUnlimited

For compliance frameworks requiring longer retention (e.g., EU AI Act mandates record-keeping throughout the system lifecycle), consider the Business or Enterprise tier.

Best Practices

  1. Verify the chain regularly — run GET /evidence/verify daily or as part of your CI pipeline
  2. Export before retention expiry — download evidence before it ages out of your tier's retention window
  3. Use artifact types — include artifact_type in your governance context for more granular evidence categorization
  4. Include descriptions — the description field in governance evaluations makes evidence artifacts more useful for auditors
  5. Monitor evidence storage — check your storage usage via the Usage API to avoid running out of space

Next Steps