Infrastructure · Audit

The tamper-evident audit recorder

Every AI agent observation Pulse records is sealed into a hash-chained, tamper-evident log — a flight recorder for agent activity on your site. You can export it and verify it yourself, without trusting us.

How the seal works

We don’t sign every hit inline (that would slow your site and risk gaps). Instead, once a day a sealing job takes the new events and computes a SHA-256 hash over them, then chains that hash to the previous day’s seal:

checkpoint_hash = SHA256( previous_checkpoint_hash
                       | SHA256(all events in this period)
                       | last_event_id
                       | event_count )

Because each seal embeds the one before it, the whole history is a single chain. Edit, insert, or delete any sealed event and the recomputed hash no longer matches — the break is detectable at the exact day it occurred. This is the same pattern used by Certificate Transparency logs and blockchains: periodic signed roots, not per-row signatures.

What is recorded — and what is not

Each record contains only: the crawler’s user-agent, the path it requested, your domain, the detection source, and a timestamp.

It does not contain visitor names, emails, accounts, cookies, or any personal data. The recorder is about agents, not people — privacy-minimal by construction, which is also its compliance advantage.

Export and independently verify

Download the full signed log from your dashboard, or pull it directly:

https://aater.ai/api/audit/export?clientId=YOUR_CLIENT_ID&download=1

The export includes every seal (checkpoints), the events, and a chain.verified result we recompute live from your raw data at request time. Anyone can re-run the same SHA-256 chain over the events and confirm it independently — the verification doesn’t depend on trusting aater.

Verification confirms the integrity of events already sealed. Sealing runs once daily, so events from the current day are pending their first seal.

EU data residency

For EU customers, the recorder can run against an EU-region database so agent-activity records never leave the EU. This is a deployment configuration — contact us to enable an EU-resident workspace.

What this is evidence for

A tamper-evident record of AI access is leverage in the relationship between you (the rightsholder) and AI crawlers:

  • Opt-out enforcement. If you reserve your content from text-and-data mining (EU Copyright Directive, Art. 4) by machine-readable means, a sealed record that a crawler accessed it anyway is evidence — and AI model providers are required to respect those reservations.
  • Licensing leverage. Proof of access is the receipt that underwrites content-licensing and pay-per-crawl negotiations.
  • Disputes & governance. An independent, exportable trail for unauthorized-scraping disputes and your own internal records.

A note on the EU AI Act: operational logging duties (e.g. Article 12) fall on AI-system providers and deployers — not on the website being crawled. aater’s logging infrastructure can serve that provider/deployer side; for you as a site owner, the value here is the access evidence above. This is infrastructure, not legal advice or a certification — confirm your obligations with qualified counsel.

Need an EU-resident workspace or a compliance walkthrough?

Email founder@aater.ai