Evidence Bundles
Evidence Bundles are cryptographically signed packages containing all proof needed to verify that AI data access was authorized, governed, and properly executed.
What are evidence bundles
An Evidence Bundle is a tamper-evident package of all proof related to data access, automatically generated for every session.
Each bundle contains:
- Access details: Who accessed what, when, why
- Policy proof: What rules were applied and evaluated
- Authorization chain: Who approved the access
- Usage logs: What operations were performed
- Cryptographic signatures: Tamper-evident verification
Evidence Bundles are designed to be court-ready and auditor-accepted.
Bundle contents
evidence_bundle_a1b2c3.zip
├── manifest.json            # Bundle metadata and integrity hashes
├── session.json             # Access session details
├── policy.json              # Policy that was applied
├── authorization.json       # Authorization details and signatures
├── usage_logs.json          # Access and operation logs
├── signatures/
│   ├── bundle.sig           # Signature of the entire bundle
│   ├── certificate.pem      # Xase signing certificate
│   └── timestamp_token.tst  # Qualified timestamp (eIDAS)
└── verify.sh                # Offline verification script
Bundle Manifest
The manifest contains metadata and integrity hashes:
{
  "bundle_id": "bundle_a1b2c3d4",
  "created_at": "2026-01-15T14:32:00Z",
  "version": "1.0",
  "session_id": "sess_7f6e5d4c",
  "contents": [
    {
      "file": "session.json",
      "hash": "sha256:8a02a0ab12fe4c8b3487bb9f2aef57b82d90b7ec4e0b04ef9d731e8m7f7dfd1a"
    },
    {
      "file": "policy.json",
      "hash": "sha256:7f8e9d2b34a5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1"
    },
    // ...more file hashes
  ],
  "merkle_root": "sha256:1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b"
}
Session Details
Complete details of the access session:
{
  "session_id": "sess_7f6e5d4c",
  "created_at": "2026-01-15T14:30:00Z",
  "expires_at": "2026-02-14T14:30:00Z",
  "status": "COMPLETED",
  "dataset": {
    "id": "dataset_medical_records_2025",
    "name": "Medical Records 2025",
    "owner": "Metropolitan Hospital"
  },
  "purpose": "model-training",
  "requester": {
    "id": "user_a1b2c3",
    "name": "AI Research Team",
    "email": "ai-team@research.org",
    "organization": "Medical AI Research"
  },
  "model": {
    "id": "model_diagnostic_v2",
    "version": "2.1.3",
    "hash": "sha256:f1e2d3c4b5a6978d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d"
  },
  "usage_summary": {
    "started_at": "2026-01-15T14:32:00Z",
    "ended_at": "2026-01-15T18:47:32Z",
    "records_accessed": 15273,
    "operations_performed": 127
  }
}
Policy and Authorization
Detailed policy and authorization chain:
{
  "policy_id": "policy_medical_research",
  "version": "1.2",
  "created_at": "2025-12-01T09:15:00Z",
  "rules": [
    {
      "allowed_models": ["model_diagnostic_v1", "model_diagnostic_v2"],
      "allowed_purposes": ["model-training", "validation"],
      "max_duration": "30d",
      "jurisdictions": ["EU", "UK"],
      "require_approval": true
    }
  ],
  "authorization": {
    "authorized_by": "admin@hospital.org",
    "authorized_at": "2026-01-15T14:28:45Z",
    "authorization_id": "auth_b2c3d4",
    "ip_address": "203.0.113.42",
    "auth_method": "2FA",
    "auth_signature": "RSA-SHA256:..."
  }
}
Working with bundles
Generating Evidence
Evidence is automatically generated for every session:
import xase
client = xase.Client(api_key="sk_...")
# Access session (this automatically creates evidence)
session = client.access(
    dataset="medical-records-2024",
    purpose="model-training",
    duration="30d"
)
# Use the session...
for batch in session.stream():
    model.train(batch)  # model: your own training object, defined elsewhere
# Get evidence bundle when done
evidence = session.get_evidence()
print(evidence.url)  # "https://xase.ai/evidence/bundle_a8f2c..."
# Download for offline verification
evidence.download("./session_evidence.zip")
Verifying Evidence
Evidence bundles can be verified offline by auditors:
# Extract the bundle
unzip evidence_bundle.zip
cd evidence_bundle
# Run verification script
./verify.sh
# Expected output:
# ✓ Bundle signature verified (RSA-SHA256)
# ✓ Certificate chain valid
# ✓ Timestamp token valid (TSA: SwissSign AG)
# ✓ File integrity verified (all hashes match)
# ✓ Session details intact
# ✓ Policy evaluation verified
# ✓ Authorization valid
#
# RESULT: Evidence bundle AUTHENTIC
API Access to Evidence
Retrieve and manage evidence programmatically:
# List all evidence bundles (reuses the client created earlier)
bundles = client.evidence.list(
    dataset="medical-records-2024",
    date_from="2026-01-01",
    date_to="2026-01-31"
)
for bundle in bundles:
    print(f"Bundle {bundle.id}, Session: {bundle.session_id}")
    print(f"Created: {bundle.created_at}")
    print(f"Status: {bundle.status}")
# Get specific bundle
bundle = client.evidence.get("bundle_a1b2c3d4")
# Download bundle
bundle.download("./evidence.zip")
# Verify bundle
verification = client.evidence.verify("bundle_a1b2c3d4")
print(f"Verification status: {verification.status}")
Legal considerations
Court Admissibility
Evidence bundles are designed to be admissible in court with cryptographic proof of integrity.
Qualified Timestamps
eIDAS-qualified timestamps are included for full legal validity in EU jurisdictions.
Chain of Custody
Complete chain of custody from data owner through to AI system with identity verification.
Regulatory Alignment
Designed to satisfy EU AI Act, GDPR, and other regulatory requirements.
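Returning to the manifest's integrity hashes and the "File integrity verified" step of offline verification: the following is an added example, not Xase's verify.sh or SDK code, that recomputes each SHA-256 listed in the manifest's contents array and also reports files the manifest does not cover. The names check_manifest and demo are hypothetical, the sample bundle is constructed, and the code assumes manifest.json and signatures/ are protected by bundle.sig rather than by manifest entries; merkle_root and the signature are not checked because this page does not specify how they are computed.

```python
import hashlib
import io
import json
import re
import zipfile

HASH_RE = re.compile(r"sha256:([0-9a-f]{64})")
EXEMPT = ("manifest.json", "signatures/")  # assumption: covered by bundle.sig instead


def check_manifest(bundle: zipfile.ZipFile) -> dict:
    """Map each file to ok / mismatch / missing / malformed-hash / unlisted."""
    manifest = json.loads(bundle.read("manifest.json"))
    archived = {n for n in bundle.namelist() if not n.endswith("/")}
    results = {}
    for entry in manifest["contents"]:
        name, declared = entry["file"], entry["hash"]
        match = HASH_RE.fullmatch(declared)
        if match is None:
            results[name] = "malformed-hash"  # cannot match any file content
        elif name not in archived:
            results[name] = "missing"
        else:
            actual = hashlib.sha256(bundle.read(name)).hexdigest()  # read in memory
            results[name] = "ok" if actual == match.group(1) else "mismatch"
    extra = archived - set(results)  # in the archive but not covered by any hash
    results.update({n: "unlisted" for n in extra if not n.startswith(EXEMPT)})
    return results


def demo() -> dict:
    """Constructed case (not real Xase output): one file edited, one dropped, one added."""
    signed = {"session.json": b'{"purpose": "model-training"}',
              "policy.json": b'{"max_duration": "30d"}', "usage_logs.json": b"[]"}
    entries = [{"file": n, "hash": "sha256:" + hashlib.sha256(d).hexdigest()}
               for n, d in signed.items()]
    entries.append({"file": "authorization.json", "hash": "sha256:not-hex"})
    shipped = {"session.json": signed["session.json"], "extra.json": b"{}",
               "policy.json": b'{"max_duration": "365d"}', "signatures/bundle.sig": b"sig"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps({"contents": entries}))
        for name, data in shipped.items():
            z.writestr(name, data)
    return check_manifest(zipfile.ZipFile(buf))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A passing hash check only shows that the files match the manifest; the manifest itself can be trusted only after bundle.sig and the certificate chain have been verified.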
