Skip to content

WHAT EDSSA IS · IN PLAIN WORDS · NO ACRONYMS

Chain of custody, for data.

A cryptographic seal on every hand-off, in a tamper-evident log anyone can verify — without trusting anyone in the chain.

EdSSA is one cryptographic primitive applied to two extremes of the same problem: data crossing trust boundaries when nobody downstream can verify what happened upstream. This page is the bridge — written for a reader who has heard the term GDPR but not the term SDLS.

Tier-4 Merkle-anchored audit chain · royalty-free protocol · operator-independent verification

The everyday problem

You hire a vendor. They use other vendors. You can’t see the chain.

A city hires a service provider to handle citizen records. The contract says “you and your sub-contractors will handle data per regulation.” In practice, that provider uses a cloud platform that uses a managed-database service that uses an analytics pipeline that ships data through three regions. None of those parties can credibly prove what they did with the data.

The city’s only recourse today is annual paper questionnaires, indemnity clauses, and audit reports that audit the prime vendor, not the chain. When the regulator asks the city to demonstrate compliance, the city has documents — written by the vendor about the vendor — and no operational evidence at all.

This is the situation every regulated buyer is now in. Hospitals with their lab and telehealth partners. Banks with their payment-processing partners and their sub-processors. Cities with their gov-tech contractors. Insurance companies, energy operators, transport authorities — anyone whose data leaves their building has the same problem and the same lack of tools to solve it.

The chain-of-custody analogy

Borrowed from a courtroom.

In a criminal investigation, physical evidence is handled by many people on its way to a courtroom — the officer who collects it, the courier who transports it, the lab that processes it, the clerk who stores it, the prosecutor who presents it.

Every person who touches it signs the log. The log is tamper-evident: if a page is altered or removed, the chain breaks visibly. Years later, in court, anyone can verify that nothing was substituted, nothing was lost, and everyone who handled the evidence is on record.

Nobody has to trust the police, the lab, the courier, or the storage clerk. The chain itself is the evidence of integrity. The integrity is a property of the chain, not of any single party in it.

EdSSA gives data the same chain of custody.

How that works in practice

A cryptographic seal on every hand-off.

Each party in the data chain runs a small piece of software at their boundary — the moment data enters their systems, transitions to a new processing step, or leaves for the next link. The software produces a signature describing what just happened. The signature commits to the event without exposing the data itself.

The signatures chain together. The chain anchors into a tamper-evident log with a seven-year minimum lifetime. The log is not held by any single party in the chain — it is replicated to the data owner, to public transparency logs, and (in regulated industries) to the regulator directly. The chain can be verified by anyone with the public verification key.

When the regulator asks the city “prove your sub-processor chain handled this data correctly,” the city does not call any vendor in the chain. The city verifies the chain in their own browser. The answer is a cryptographic claim, not a paper promise.

Four facets of one primitive

The same chain of custody, four buyer surfaces.

The same primitive serves four seemingly unrelated problems. The principle is identical in all of them: data crosses trust boundaries, and the people downstream need evidence that isn’t owned by any one party in the chain.

Satellites

The extreme case.

Multi-tenant constellations, multi-decade missions, physically inaccessible hardware. Verification logs stay inside each operator’s trust boundary.EdSSA Orbit produces operator-independent records that survive crypto migrations.

Read the satellites page →

Data supply chains

The common case.

Sub-processor chains under GDPR Art. 28, DORA Art. 30, and NIS2 supply-chain security. The chain of custody for data that crosses processor boundaries. Regulator-grade, controller-verifiable.

Read the data supply chain page →

Public sector

The sovereign case.

Citizen-data handling by public-body contractors under NIS2 public-administration scope and member-state audit obligations. Royalty-free, standards-track, adoptable by sovereign procurement.

Read the public sector page →

Agentic AI

The AI Act case.

Every tool call by an agent is a processor event. Every human override is a processor event. AI Act Art. 14 human oversight and Art. 12 record-keeping, with the chain serving both.

Read the agentic AI page →

What this is not

A short list, to keep the claim honest.

Not a way to stop misbehaviour.

EdSSA proves what each party signed; it does not enforce anything. A bad actor in the chain leaves a verifiable record of being bad, not a prevention of badness.

Not a replacement for a contract or a DPA.

The contract defines what should happen. The chain of custody is evidence of what did happen. Both are needed; neither substitutes for the other.

Not an answer to every regulation.

EdSSA addresses the evidence sub-problem in GDPR, NIS2, DORA, AI Act, HIPAA, SOC 2, and others. Many other sub-problems — staff training, data minimisation, breach-notification timelines — are out of scope.

Not a vendor-locked compliance platform.

The protocol is drafted as an open Internet-Draft, royalty-free for conforming implementations. Anyone can implement it. Anyone can audit it. Anyone can verify the chain with software they wrote themselves.

Want the technical version?

The four solutions pages above go deep on each buyer surface. The standards-track page explains the protocol’s open-source and standards-body posture. Or set up a call — we’ll walk through the operational envelope that matches yours.

Talk to us →