SAPP — Evidence Infrastructure for Regulated Operations

Cryptographic proof of what happened, who authorised it, and who is liable. At 30,000 settlements per second. For any regulated operation — not just AI.

The Problem

Every regulated operation — a bank transfer, an AI recommendation, a SIM swap, an insurance claim, a card payment — needs proof of what happened. Not logs. Proof. Tamper-evident, cryptographically verifiable, externally anchored, with clear provenance and deterministic liability.

Today, banks handle disputes by digging through application logs. Customer care agents spend hours reconstructing events. Regulators demand audit trails, yet the trails available today are mutable at rest. The EU AI Act mandates evidence chains that nobody can produce yet.

Current Approaches

  • Application logs — mutable, not tamper-evident, not admissible as proof
  • Database audit tables — a DBA can alter them, no cryptographic integrity
  • Blockchain — expensive, slow (100s TPS), regulatory scepticism in EU
  • Google Trillian — US-operated, EU sovereignty problem, no evidence scoring
  • Manual dispute handling — slow, expensive, inconsistent

SAPP

  • Merkle proof chain — tamper-evident, cryptographically verifiable
  • 30,000 RPS — 2,000x faster than blockchain
  • EU sovereign — deploy on-premise or any EU cloud
  • Evidence scoring — 10+ categories with weighted confidence
  • Liability engine — deterministic allocation at transaction time

How SAPP Works

SAPP is a domain-neutral, cryptographically anchored evidence engine that produces three-level Merkle proofs for any regulated operation.

1. Submit Evidence

Your system calls POST /settlements with signed assertions about what happened. SAPP anchors assertions, not documents — you keep your own artifacts.

2. Score & Compute

SAPP scores evidence quality across 10+ categories (auth, intent, delegation, card receipt, jurisdiction, etc.) and computes liability allocation from pre-agreed commercial terms.

3. Anchor in Merkle Tree

Evidence is hashed into a three-level Merkle proof chain: evidence root, partition root, global root-of-roots. RFC 6962 compliant — the format courts understand.

4. Publish to EU Qualified Archive

Every 15 minutes, the global root-of-roots is published to an EU Qualified Trust Service Provider. Legal standing under eIDAS 2.0 — verifiable by regulators without SAPP access.
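What a verifier does with the three-level chain from step 3, as an added example that is not SAPP's own code. The leaf and node hashing follows RFC 6962; the way one level's root becomes a leaf of the next level, the function names, and the sample entries are assumptions, since the page does not specify them.

```javascript
const crypto = require('crypto');
const sha256 = (...p) => crypto.createHash('sha256').update(Buffer.concat(p)).digest();
// RFC 6962 section 2.1: domain-separated leaf (0x00) and interior node (0x01) hashes.
const leafHash = (data) => sha256(Buffer.from([0]), Buffer.from(data));
const nodeHash = (l, r) => sha256(Buffer.from([1]), l, r);
// Largest power of two strictly less than n: the RFC 6962 split point.
const split = (n) => { let k = 1; while (k * 2 < n) k *= 2; return k; };

// Merkle Tree Hash over a non-empty array of leaf hashes.
function root(hs) {
  if (hs.length === 0) throw new Error('empty tree');
  if (hs.length === 1) return hs[0];
  const k = split(hs.length);
  return nodeHash(root(hs.slice(0, k)), root(hs.slice(k)));
}
// Audit path for leaf i, ordered from the leaf upwards.
function auditPath(hs, i) {
  if (hs.length === 1) return [];
  const k = split(hs.length);
  return i < k ? [...auditPath(hs.slice(0, k), i), root(hs.slice(k))]
               : [...auditPath(hs.slice(k), i - k), root(hs.slice(0, k))];
}
// Recompute a root from one leaf hash and its audit path; null if malformed.
function rootFromPath(h, i, size, path) {
  if (i < 0 || i >= size) return null;
  if (size === 1) return path.length === 0 ? h : null;
  if (path.length === 0) return null;
  const k = split(size), sib = path[path.length - 1], rest = path.slice(0, -1);
  const sub = i < k ? rootFromPath(h, i, k, rest) : rootFromPath(h, i - k, size - k, rest);
  if (sub === null) return null;
  return i < k ? nodeHash(sub, sib) : nodeHash(sib, sub);
}
// Walk evidence -> partition -> global. Assumption: each lower root is
// leaf-hashed into the next level (the page does not specify this encoding).
function verifyChain(assertion, steps, globalRoot) {
  let h = leafHash(assertion);
  for (let n = 0; n < steps.length; n++) {
    const r = rootFromPath(h, steps[n].index, steps[n].size, steps[n].path);
    if (r === null) return false;
    h = n < steps.length - 1 ? leafHash(r) : r;
  }
  return h.equals(globalRoot);
}
// Constructed sample: build one level, return its root and the proof step.
function level(entries, index) {
  const hs = entries.map(leafHash);
  return { root: root(hs), step: { index, size: hs.length, path: auditPath(hs, index) } };
}
function demo(assertion) {
  const ev = level(['auth:ok', 'intent:transfer', 'sca:passed'], 1);
  const part = level(['p0', ev.root, 'p2', 'p3', 'p4'], 1);
  const glob = level([part.root, 'g1'], 0);
  return verifyChain(assertion, [ev.step, part.step, glob.step], glob.root);
}
```

Only the final comparison depends on the published global root, so a verifier holding the three audit paths and the archived root needs no access to the other entries.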

Performance That Makes Blockchain Irrelevant

  • 30,000 RPS SAPP (quad deployment) vs ~15 TPS Blockchain (Ethereum L1): 2,000x faster. No gas fees. No consensus overhead.
  • 12ms P50 SAPP latency vs 12–15 sec Blockchain block time: 1,000x faster response. Real-time settlement.
  • 30,000 RPS SAPP partitioned vs ~1,000 TPS Google Trillian (est.): 30x faster. EU sovereign. Evidence scoring included.

Deployment Postures

  • Standard: 7,500 RPS. Single cell. Pilot or single vertical.
  • HA Pair: 15,000 RPS. Two cells. Enterprise, single region.
  • Quad: 30,000 RPS. Four cells. Multi-region, multi-vertical.
  • Federated: 56,000+ RPS. Eight+ cells. National infrastructure.

Assertions, Not Artifacts

SAPP anchors signed assertions about documents — not the documents themselves. Your system stores its own PDFs, receipts, recordings. SAPP sees hashes of signed assertions.

SAPP Does

  • Anchor signed assertion hashes in Merkle tree
  • Prove the assertion existed at time T
  • Score evidence quality from assertion prefixes
  • Compute liability from evidence confidence
  • Publish proof chain to EU Qualified Archive

Your System Does

  • Store underlying documents (PDFs, receipts, images)
  • Sign assertions about those documents
  • Retain artifacts for dispute production if needed
  • Manage document retention and GDPR lifecycle
  • Re-hash documents to verify against SAPP proof

Non-Repudiation

If a caller signs an assertion containing a document hash but later presents a different document — the mismatch is cryptographically provable. The caller's own signature proves they made the original assertion. They cannot hide behind a substitute document. This is discoverable in court proceedings and regulatory audits.
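The substitution check described above, as an added example that is not SAPP's own code. The field names, the anchoring input (hash over canonical assertion plus signature), and the sorted-key serialisation standing in for JCS are assumptions; the documents and keys are constructed sample data.

```javascript
const crypto = require('crypto');
const sha256hex = (b) => crypto.createHash('sha256').update(b).digest('hex');
// Simplified stand-in for JCS (RFC 8785): flat object, keys sorted.
const canonical = (o) => Buffer.from(JSON.stringify(o, Object.keys(o).sort()));
// Hypothetical anchoring input: hash over canonical assertion plus signature.
const anchorOf = (rec) => sha256hex(Buffer.concat([canonical(rec.assertion), rec.signature]));

// Caller side: sign an assertion that commits to the document by hash only.
function signAssertion(privateKey, claim, documentBytes) {
  const assertion = { ...claim, document_sha256: sha256hex(documentBytes) };
  const signature = crypto.sign(null, canonical(assertion), privateKey); // Ed25519
  return { assertion, signature };
}

// Dispute side: classify a document produced later against the anchored record.
function checkProduction(publicKey, record, anchored, producedBytes) {
  // The record itself must be the one that was anchored.
  if (anchorOf(record) !== anchored) return 'NOT_ANCHORED';
  // The caller's signature binds them to the original document hash.
  if (!crypto.verify(null, canonical(record.assertion), publicKey, record.signature)) {
    return 'BAD_SIGNATURE';
  }
  // Valid signature plus a different hash: provable substitution.
  return sha256hex(producedBytes) === record.assertion.document_sha256
    ? 'MATCH' : 'SUBSTITUTED_DOCUMENT';
}

// Constructed sample data: one receipt, one altered copy, one edited record.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const original = Buffer.from('receipt: EUR 120.00 to account A');
  const altered = Buffer.from('receipt: EUR 12.00 to account A');
  const claim = { type: 'card_receipt', ts: '2025-01-01T00:00:00Z' };
  const rec = signAssertion(privateKey, claim, original);
  const anchored = anchorOf(rec);
  // A record whose hash field was rewritten after anchoring to fit the altered copy.
  const edited = { ...rec, assertion: { ...rec.assertion, document_sha256: sha256hex(altered) } };
  return {
    same: checkProduction(publicKey, rec, anchored, original),
    swapped: checkProduction(publicKey, rec, anchored, altered),
    edited: checkProduction(publicKey, edited, anchored, altered),
  };
}
```

The `edited` case shows why the anchor matters: rewriting the hash inside the assertion to fit the new document changes the anchored value, so the substitution cannot be hidden on either side.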

Not Just for AI — Any Regulated Operation

SAPP is domain-neutral by design. AI evidence is one use case. The engine serves any operation that needs proof.

Bank Customer Disputes

Customer care agent queries SAPP — instant evidence retrieval with scored confidence, liability allocation, and reason codes. Disputes resolve in seconds, not days.

Consumer Transaction Verification

Banks offer customers verifiable proof that their transfers are immutably anchored. Three-level proof chain verifiable against EU trust endpoint. A trust differentiator.

Card Payment Chargebacks

Liability determined at transaction time, not at dispute time. SCA evidence, consumer authentication, and intent — all scored and anchored. Machine-readable reason codes feed card network dispute APIs.

EU AI Act Compliance

Every AI operation produces a signed Merkle leaf. Article 12 logging, Article 14 human oversight trails, Article 17 quality management — mapped at the article level.

Regulator Audit

On-demand integrity verification without accessing individual transactions. Privacy-preserving cryptographic audit — consumer DIDs never exposed to regulators.

Cross-Border Transfers

Bilateral evidence with QTSP anchor for correspondent banking. SWIFT, SEPA, FPS — provable operational records across jurisdictions.

Five SDKs — Minutes to First Settlement

Every SDK handles OAuth2 token management, JCS canonicalisation, cryptographic signing, and retry logic. Time to first settlement: under 30 minutes.

  • Go: DOP server, Go microservices, backend agents (Ed25519, P-256)
  • Python: LangChain, CrewAI, AutoGen, ML pipelines (Ed25519)
  • Swift: iOS payment apps, healthcare, insurance (Secure Enclave, ES256)
  • Kotlin: Android telco apps, mobile payments (StrongBox, ES256)
  • TypeScript: Web portals, Node.js services, dashboards (WebAuthn / Ed25519)

Hardware-Backed Signing on Mobile

iOS Secure Enclave and Android StrongBox produce non-exportable keys with biometric gating. The evidence signature proves: this specific device, a biometrically-authenticated user, with a key that has never been extracted. Highest assurance under eIDAS 2.0.

Regulatory Alignment

EU AI Act

Art. 12 automatic logging, Art. 14 human oversight, Art. 17 quality management, Art. 19 record-keeping, Art. 43 conformity assessment — mapped at the article level.

eIDAS 2.0

QTSP checkpoint publishing, qualified timestamps, independent verification. Legal standing in EU courts without dependency on SAPP infrastructure.

PSD2 / DORA

Payment evidence retention, SCA proof, liability rules, operational resilience. Evidence quality drives liability allocation from pre-agreed commercial terms.

NIS2 / GDPR

Append-only evidence, signed checkpoints. SAPP never holds personal data — assertion hashes are not personal data. Consumer DIDs excluded from regulator proofs.

Who Buys SAPP Standalone

SAPP operates independently. No dependency on DOP, aARP, RTGF, or the Ontology Server. Integration is a single API call.

  • Retail Banks: Transfer evidence, dispute resolution, consumer trust
  • Card Acquirers / Issuers: Chargeback liability automation, SCA evidence
  • Payment Processors: Settlement evidence, liability computation
  • Banks Deploying AI: EU AI Act Art. 12, 14 compliance evidence
  • Insurers: Claims and underwriting decision trails
  • Healthcare: Diagnostic reasoning chains, consent evidence
  • Telcos: SIM swap evidence, fraud detection, MNP
  • EU Qualified Archives: New revenue stream, operational evidence as a service

Proof, Not Promises

SAPP delivers cryptographic evidence at enterprise scale. 30,000 settlements per second. EU Qualified Archive anchor. Five SDKs. Liability engine. Not just for AI — for any regulated operation that needs proof of what happened.
