Certification
Your auditor asks for proof. Now what?
DSA Certification generates independent, cryptographically signed privacy certificates that verify your AI pipeline kept identity separated from inference. Hand your auditor a signed certificate, not a trust-me.
The Evidence Gap
Auditors, regulators, and enterprise customers increasingly demand proof that your AI systems actually enforce the privacy controls you claim. Policy documents and architecture diagrams aren't enough — they want verifiable, technical evidence. Most organisations can't produce this.
The gap between claiming compliance and proving it is where risk lives. A privacy certificate that is cryptographically signed, independently timestamped, and maps to specific regulatory articles closes this gap.
How Certification Works
| Step | What Happens | Where |
|---|---|---|
| 1. Claim Collection | The Gateway emits an Ed25519-signed, request-level Veil claim and fails closed if that evidence cannot be recorded. Bridge, Sanitizer, Sandbox B, and Audit emit additional signed claims on a best-effort basis; certificates are marked FULL or PARTIAL depending on which claims arrived. | Gateway (fail-closed) + pipeline services (best-effort) |
| 2. Witness Verification | The Veil Witness runs 5 consistency checks: signatures, completeness, temporal ordering, data visibility, and isolation probe results. | Veil Witness |
| 3. External Attestation | Certificates are co-signed by an RFC 3161 Timestamp Authority and optionally published to the Sigstore Rekor transparency log. | External TSA + Rekor |
| 4. Certificate Delivery | Three certificate views are available via the API: DPO summary, technical proof, and regulatory mapping, each tailored to its audience. | Gateway API |
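The sketch below illustrates steps 1 and 2 for three of the five checks (signatures, temporal ordering, completeness). It is an added example, not DSA's code. The claim layout, the `Seq` counter, the service names and their order, the per-service key map, and the rule that a missing Gateway claim is rejected are all assumptions; the data visibility and isolation probe checks are left out because the page does not describe them.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Claim is a hypothetical layout; the page does not publish the real format.
type Claim struct {
	Service, Body string
	Seq           int64 // assumed monotonic emission counter
	Sig           []byte
}

var order = []string{"gateway", "bridge", "sanitizer", "sandbox-b", "audit"} // assumed names and sequence
func msg(c Claim) []byte { return []byte(fmt.Sprintf("%q|%d|%q", c.Service, c.Seq, c.Body)) }

// Witness returns FULL or PARTIAL, or an error when the claim set must be rejected.
func Witness(claims []Claim, keys map[string]ed25519.PublicKey) (string, error) {
	seen := map[string]int64{}
	for _, c := range claims { // check 1: every claim verifies under its service's key
		if pk, ok := keys[c.Service]; !ok || !ed25519.Verify(pk, msg(c), c.Sig) {
			return "", fmt.Errorf("bad signature on %q claim", c.Service)
		}
		seen[c.Service] = c.Seq
	}
	if _, ok := seen["gateway"]; !ok { // the fail-closed claim must always be present
		return "", fmt.Errorf("gateway claim missing")
	}
	last, n := int64(-1), 0
	for _, s := range order { // check 2: claims that arrived follow pipeline order
		if seq, ok := seen[s]; ok && seq <= last {
			return "", fmt.Errorf("%q claim breaks temporal order", s)
		} else if ok {
			last, n = seq, n+1
		}
	}
	if n < len(order) { // check 3: completeness decides FULL vs PARTIAL
		return "PARTIAL", nil
	}
	return "FULL", nil
}

func main() {
	pk, sk, _ := ed25519.GenerateKey(nil) // constructed: one key stands in for both services
	g, a := Claim{"gateway", "req-1", 1, nil}, Claim{"audit", "req-1", 2, nil}
	g.Sig, a.Sig = ed25519.Sign(sk, msg(g)), ed25519.Sign(sk, msg(a))
	fmt.Println(Witness([]Claim{g, a}, map[string]ed25519.PublicKey{"gateway": pk, "audit": pk}))
}
```

A tampered body, a claim signed by the wrong service key, or a later-stage claim with an earlier `Seq` is rejected outright instead of being downgraded to PARTIAL.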
Three Views. One Truth.
DPO Summary
Plain-language attestation for data protection officers. Maps to GDPR Articles 25 and 32. Shows what was separated, what the AI saw, and what it didn't.
Technical Proof
Full cryptographic chain for security teams. Ed25519 signatures, hash chains, TSA timestamps. Every claim verifiable independently.
Regulatory Mapping
Article-by-article compliance mapping. GDPR Art. 25/32 and EU AI Act Art. 10/14. Each certificate maps isolation evidence to specific regulatory provisions. These are architectural and evidence mappings, not held certifications — broader sector-specific attestations (DORA, MDR, eIDAS) are follow-on work and are not claimed today.