Core Concepts
Xase enables legally valid AI data usage through runtime governance, cryptographic proof, and automated billing.
Architecture
AI Lab /        XASE SDK          XASE Core                   Auditor
Data Holder         │                 │                          │
    │               │                 │                          │
    ├─── data ───► access() ────► Policy Engine                  │
    │               │             (runtime governance)           │
    │               │                 │                          │
    │               │                 ▼                          │
    │               │             Session Management             │
    │               │             (tracking + proof)             │
    │               │                 │                          │
    │               │                 ▼                          │
    │               │             Evidence Bundle ──────────────►│
    │               │             (cryptographic proof)          │
    │               │                 │                          │
    │               │                 ◄──── verify.sh ◄──────────┘

Xase provides three core components that work together to enable governed data access:
- Policy Engine: Runtime enforcement of access policies
- Evidence System: Cryptographic proof of compliant data usage
- Billing System: Automatic usage metering and settlement
Policy Engine
The Policy Engine determines whether AI can access data in real time, at the exact moment of use.
{
  "id": "policy_medical_research",
  "name": "Medical Research Access",
  "rules": [
    {
      "allowed_models": ["research-v1", "research-v2"],
      "allowed_purposes": ["training", "validation"],
      "max_duration": "30d",
      "jurisdictions": ["EU", "UK"],
      "require_approval": true
    }
  ],
  "rejection_behavior": "block_access"
}

The Policy Engine evaluates each access request against defined rules, ensuring:
- Only authorized models can access specific datasets
- Purpose limitations are enforced
- Time restrictions are respected
- Regulatory requirements are satisfied
Access Sessions
Access Sessions enable AI systems to use real data with strict governance and evidence generation.
{
  "session_id": "sess_7f6e5d4c",
  "dataset_id": "medical-records-2025",
  "status": "ACTIVE",
  "created_at": "2026-01-15T14:30:00Z",
  "expires_at": "2026-02-14T14:30:00Z",
  "purpose": "model-training",
  "model_id": "research-v2",
  "requester": {
    "id": "user_123abc",
    "email": "researcher@ai-lab.com"
  },
  "policy_id": "policy_medical_research",
  "usage_stats": {
    "records_accessed": 12547,
    "operations_performed": 89
  }
}

Each session provides a governed interface to data:
- Policy-approved access to specific datasets
- Purpose-bound operations that track all usage
- Time-limited duration with automatic expiration
- Revocable access at any time by data holders
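
One way to implement the deny-by-default check the Policy Engine section describes, run against the fields of the session example above (an added example, not Xase's own code). The `jurisdiction` and `approved_by` request fields, the `<n>d`/`<n>h` duration syntax and exact-string matching are assumptions; under exact matching the session's `model-training` purpose does not satisfy the policy's `training` entry, so this request is rejected on that check.

```python
import re
from datetime import datetime, timedelta

POLICY = {"id": "policy_medical_research", "rejection_behavior": "block_access", "rules": [{
    "allowed_models": ["research-v1", "research-v2"],  # rule copied from the page
    "allowed_purposes": ["training", "validation"],
    "max_duration": "30d",
    "jurisdictions": ["EU", "UK"],
    "require_approval": True,
}]}
REQUEST = {  # constructed: session fields from the page plus two assumed ones
    "model_id": "research-v2", "purpose": "model-training",
    "created_at": "2026-01-15T14:30:00Z", "expires_at": "2026-02-14T14:30:00Z",
    "jurisdiction": "EU", "approved_by": "holder_42",  # hypothetical fields
}

def parse_duration(text):
    """Parse '<n>d' or '<n>h' (assumed syntax); reject anything else."""
    m = re.fullmatch(r"(\d+)([dh])", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(**{"days" if m.group(2) == "d" else "hours": int(m.group(1))})

def parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def rule_violations(rule, req):
    """Return the checks this rule fails for the request (empty list = match)."""
    failed = []
    if req.get("model_id") not in rule["allowed_models"]:
        failed.append("model")
    if req.get("purpose") not in rule["allowed_purposes"]:  # exact match only
        failed.append("purpose")
    if req.get("jurisdiction") not in rule["jurisdictions"]:
        failed.append("jurisdiction")
    try:
        span = parse_ts(req["expires_at"]) - parse_ts(req["created_at"])
        if not timedelta(0) < span <= parse_duration(rule["max_duration"]):
            failed.append("duration")
    except (KeyError, ValueError, TypeError, AttributeError):
        failed.append("duration")  # unparseable or missing dates fail closed
    if rule.get("require_approval") and not req.get("approved_by"):
        failed.append("approval")
    return failed

def evaluate(policy, req):
    """Deny by default: allow only when at least one rule has no failed check."""
    results = [rule_violations(rule, req) for rule in policy["rules"]]
    return {"allow": any(not f for f in results), "failed_checks": results}
```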
Evidence Bundles
Evidence Bundles are cryptographically signed packages providing court-ready proof of compliant data usage.
evidence_bundle_a1b2c3d4.zip
├── manifest.json # Bundle metadata and integrity hashes
├── session.json # Access session details
├── policy.json # Policy that was applied
├── authorization.json # Authorization details and signatures
├── usage_logs.json # Access and operation logs
├── signatures/
│ ├── bundle.sig # Signature of the entire bundle
│ ├── certificate.pem # Xase signing certificate
│ └── timestamp_token.tst # Qualified timestamp (eIDAS)
└── verify.sh # Offline verification script

Pro tip: Auditors and regulators can verify bundles in air-gapped environments without depending on Xase.
Billing & settlement
Automatic usage tracking and billing ensure transparent and accurate financial transactions.
{
  "session_id": "sess_7f6e5d4c",
  "time_metrics": {
    "session_duration_hours": 6.25,
    "active_time_minutes": 217.4
  },
  "volume_metrics": {
    "records_accessed": 15273,
    "total_data_gb": 2.47
  },
  "operation_metrics": {
    "read_operations": 157,
    "filter_operations": 23,
    "transform_operations": 45,
    "total_operations": 225
  }
}

The billing system provides:
- Automatic metering of all data usage
- Transparent pricing with usage breakdowns
- Automatic settlement between parties
- Usage controls with spending limits and alerts
Security & compliance
Security
- SHA-256 hashing, RSA-SHA256 signatures
- KMS-managed encryption keys
- Write-once-read-many (WORM) storage
- End-to-end encryption for all data
Compliance
- EU AI Act (Articles 11 & 14)
- LGPD (Brazilian data protection)
- SOC 2 (Trust Services Criteria)
- ISO 27001 (Information security)
