
P34 – AIEP – Evidence Lifecycle Without Retention

Status: Active · OS PUB (Apache 2.0)
Revision: Reinstated from abandoned status; zero-retention model confirmed architecturally distinct from P14
Related Specs: P14 (Evidence Lifecycle with retention, parallel track), P119 (Multimodal Document Ingestion), P124 (Source Confidence Tiering)
PIEA Build Relevance: Required for piea-multimodal-ingestion package and Tier 4 user-upload pathway. Governs GDPR Article 17 compliance posture.


Publication Date: 2026-03-08
Licence: Apache License 2.0
Author / Organisation: Phatfella Ltd
Related Filings: GB2519711.2 (Core Protocol)
Related Specs (current): P14, P119, P124


Field of the Invention

[0001] The invention relates to evidence lifecycle systems. More particularly, the invention relates to deterministic evidence handling without persistent retention for admissible determination, preserving verifiability while guaranteeing non-retention of evidence payloads.


Background

[0002] Persistent evidence retention introduces privacy and compliance risks. Regulations including GDPR Article 5(1)(e) (storage limitation), Article 17 (right to erasure), and UK GDPR equivalent provisions require that personal data not be retained beyond the purpose for which it was processed. An evidence system that stores raw artefact payloads indefinitely may violate these obligations even if the processing itself was lawful.

[0003] The critical insight is that what matters for verifiability is not the payload; it is the proof that the payload was processed. A cryptographic hash of a payload, combined with the admissibility determination made from it, constitutes a verifiable record of what was processed without retaining the payload itself.

[0004] No existing evidence system provides deterministic non-retention guarantees (provably not retained, not merely policy-deleted) while maintaining full admissibility verifiability.

[0005] An AIEP substrate implementing P14 retains artefact payloads in the append-only Evidence Ledger permanently. For sources where retention is appropriate (authoritative open data, legislation, company records), P14’s retention model is correct. For sources where retention is not appropriate (user-uploaded personal documents, transiently processed web content), P34’s zero-retention model provides the architecturally correct alternative. The two specifications are parallel tracks, not alternatives.


Summary of the Invention

[0006] The invention provides a deterministic evidence lifecycle system in which evidence payloads are processed transiently. The payload is present in working memory during processing only. Upon completion of admissibility evaluation, the payload is deterministically discarded. Cryptographic proofs of the processing outcomes (content hash, admissibility determination, NegativeProofRecord if applicable) are retained. Verification of the processing outcome remains possible against these proofs without the original payload.

[0007] The system provides a TransientProcessingCertificate carrying: the ContentHash of the processed payload; the processing outcome; the schema version under which processing was conducted; and a ProcessingHash = H(content_hash || processing_outcome || schema_version || processing_timestamp). The TransientProcessingCertificate is the permanent record. The payload is gone.

[0008] Absence of required proofs (where a claim depends on processing that cannot be verified by a TransientProcessingCertificate) results in deterministic denial of execution.


Detailed Description

[0009] Evidence payloads arrive at the processing substrate. They are held in working memory only. No write operation commits the payload to persistent storage during or after processing.

[0010] The ContentHash of the payload is computed immediately upon receipt, before processing begins. This hash is the permanent identifier of the payload. If the payload is ever re-submitted, its ContentHash will be identical and the prior TransientProcessingCertificate will be discoverable.

[0011] Admissibility evaluation is performed in working memory against the payload. The evaluation produces an outcome and any derivative records (partial extractions, structured output). Derivative records carry the source ContentHash but not the source payload.

[0012] Upon evaluation completion, the payload is deterministically discarded. A secure wipe operation (overwrite with governed pattern) is applied to the memory region. A WipeCompletionRecord is committed carrying the ContentHash of the wiped payload and the wipe completion timestamp.

[0013] The TransientProcessingCertificate is committed to the Evidence Ledger. It contains no payload content: only the ContentHash, processing outcome, and ProcessingHash. A verifier with the original payload can recompute the ContentHash and verify it against the certificate. A verifier without the original payload can verify that processing occurred and what the outcome was, but cannot recover the payload.

[0014] This design is compliant with GDPR Article 17 right to erasure: the payload has been processed (lawful basis) and then not retained (storage limitation). The TransientProcessingCertificate does not constitute retention of the personal data; it is a proof record that the data existed and was processed, not the data itself.

[0015] For regulatory admissibility contexts requiring the original payload: the system can optionally retain a cryptographically secured escrow copy under separate governance if explicitly required by the applicable regulatory framework. The escrow pathway is a governed exception, not the default.

[0016] Integration with piea-multimodal-ingestion (P119): When Piea processes a Tier 4 user-uploaded document, P34 governs the processing lifecycle. The binary ContentHash is computed over raw input bytes on receipt. Structured extraction proceeds in working memory. The extracted artefact (schema-defined structured output) is committed. The raw bytes are deterministically wiped. The TransientProcessingCertificate binds the extraction to the original document hash. The user can verify that Piea processed their specific document. Piea retains no copy of the document.


Claims

  1. A computer-implemented deterministic evidence lifecycle system without persistent retention, wherein evidence payloads are processed transiently in working memory, cryptographic proofs of admissibility outcomes are retained as TransientProcessingCertificates, payloads are deterministically discarded after processing, and absence of required proofs results in deterministic denial of execution.

  2. The system of claim 1 wherein a ContentHash is computed immediately upon payload receipt and serves as the permanent identifier of the payload independent of the payload being retained.

  3. The system of claim 1 wherein a WipeCompletionRecord is committed upon deterministic payload discard, carrying the ContentHash of the discarded payload.

  4. The system of claim 1 wherein a TransientProcessingCertificate carries the ContentHash, processing outcome, schema version, and ProcessingHash, and constitutes the permanent admissibility record without retaining payload content.

  5. The system of claim 1 wherein a verifier with the original payload can recompute the ContentHash and verify it against the TransientProcessingCertificate, establishing that the system processed the specific payload and produced the stated outcome.

  6. The system of claim 1 wherein an optional governed escrow pathway exists for regulatory frameworks explicitly requiring original payload retention, as a governed exception to the default zero-retention posture.

  7. The system of claim 1 wherein, on integration with a multimodal document ingestion pipeline (P119), raw document bytes are hashed immediately on receipt, structured extraction proceeds in working memory, extracted artefacts are committed with the source ContentHash, and the raw bytes are deterministically wiped, such that no copy of the original document is retained by the processing substrate.

  8. A computing system implementing the method of claim 1.


Abstract

A deterministic evidence lifecycle system without persistent retention is disclosed. Evidence payloads are processed transiently in working memory. The ContentHash is computed on receipt. Admissibility evaluation proceeds in working memory. Upon completion, the payload is deterministically discarded under a secure wipe operation with a WipeCompletionRecord committed. A TransientProcessingCertificate, carrying the ContentHash, processing outcome, and ProcessingHash, is retained as the permanent admissibility record. Verification of the processing outcome is possible against the certificate. Absence of a required certificate results in deterministic denial of execution. The design is compliant with GDPR Article 17 storage limitation obligations. On integration with piea-multimodal-ingestion (P119), the design governs Tier 4 user-upload processing: hash on receipt, extract in memory, wipe raw bytes, retain only the structured extraction bound to the source ContentHash.


Drawings

Figure 1 – Transient Processing Pipeline (Zero-Retention)

        +---------------------------+
        |    Evidence Payload       |
        |  (in working memory only) |
        +------------+--------------+
                     |
                     v
        +------------+--------------+
        |   ContentHash Computed    |   sha256(canonical(payload))
        |   on receipt              |   permanent identifier
        +------------+--------------+
                     |
                     v
        +------------+--------------+
        |  Admissibility Evaluation |   in working memory;
        |  + Structured Extraction  |   no persistent write of payload
        +------------+--------------+
                     |
                     v
        +------------+--------------+
        |  Deterministic Payload    |   secure wipe (governed pattern);
        |  Discard + WipeRecord     |   WipeCompletionRecord committed
        +------------+--------------+
                     |
                     v
        +------------+--------------+
        | TransientProcessingCert   |   ContentHash + outcome +
        | committed to Evidence     |   ProcessingHash stored;
        | Ledger (append-only)      |   payload: GONE
        +---------------------------+

Figure 2 – TransientProcessingCertificate Structure

   TransientProcessingCertificate {
     content_hash:       sha256(canonical(payload))    <- permanent id
     processing_outcome: ADMITTED | REJECTED
     schema_version:     "2.0.0"
     processing_hash:    sha256(
                           content_hash
                           || processing_outcome
                           || schema_version
                           || processing_timestamp
                         )
     processing_timestamp: ISO-8601
   }

   WipeCompletionRecord {
     content_hash:   (same as above)
     wipe_completed_at: ISO-8601
     wipe_method:    "governed-overwrite"
   }

   NOTE: Neither record contains any payload content.

Figure 3 – Verification Without Payload Retention

   Verifier WITH original payload:
   +---------------------------+
   | recompute ContentHash     |   sha256(canonical(payload))
   | compare to cert           |   match → processing confirmed
   +---------------------------+

   Verifier WITHOUT original payload:
   +---------------------------+
   | inspect ProcessingHash    |   outcome and schema version
   | outcome confirmed         |   payload NOT recoverable
   +---------------------------+

   Both paths: cert.processing_hash verifiable deterministically.
   Payload cannot be recovered from cert in either case.

Figure 4 – Fail-Closed Gate: Missing Certificate

   Downstream operation requires evidence from source X:
        |
        v
   +---------------------------------+
   | Lookup TransientProcessingCert  |
   | by content_hash of source X     |
   +--------------+------------------+
                  |
        +---------+----------+
        |                    |
        v                    v
   CERT FOUND           CERT ABSENT
   outcome: ADMITTED     |
   proceed              DENY EXECUTION (fail-closed)
                        emit MissingCertificateRecord
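The transient pipeline of [0009]–[0013] together with the record structures, the two verification paths and the fail-closed gate of Figures 2–4, as an added Python example; it is not part of the specification or of any Phatfella/Piea code. Assumptions: canonical(payload) is the raw input bytes, the governed wipe pattern is zero-fill, and the ProcessingHash fields are newline-separated before hashing.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

SCHEMA_VERSION = "2.0.0"   # from Figure 2

@dataclass(frozen=True)
class TransientProcessingCertificate:   # Figure 2; carries no payload content
    content_hash: str
    processing_outcome: str             # "ADMITTED" | "REJECTED"
    schema_version: str
    processing_timestamp: str           # ISO-8601
    processing_hash: str

@dataclass(frozen=True)
class WipeCompletionRecord:
    content_hash: str
    wipe_completed_at: str
    wipe_method: str = "governed-overwrite"

def content_hash(payload) -> str:
    # canonical(payload) = raw input bytes ([0016]); hashlib reads a bytearray in place (no copy)
    return hashlib.sha256(payload).hexdigest()
def processing_hash(ch, outcome, schema, ts) -> str:
    # H(content_hash || outcome || schema_version || timestamp), "\n"-separated (assumption)
    return hashlib.sha256("\n".join((ch, outcome, schema, ts)).encode()).hexdigest()

def process_transiently(payload: bytearray, admissible, ledger,
                        now=lambda: datetime.now(timezone.utc).isoformat()):
    """Hash on receipt, evaluate in memory, wipe, then commit cert and wipe record."""
    ch = content_hash(payload)                                               # [0010]
    outcome = "ADMITTED" if admissible(memoryview(payload)) else "REJECTED"  # [0011]
    ts = now()
    payload[:] = bytes(len(payload))             # [0012]: zero-fill in place (assumed pattern)
    wipe = WipeCompletionRecord(ch, now())
    cert = TransientProcessingCertificate(ch, outcome, SCHEMA_VERSION, ts,
                                          processing_hash(ch, outcome, SCHEMA_VERSION, ts))
    ledger[ch] = cert                            # [0013]: only proofs reach the ledger
    return cert, wipe

def verify_without_payload(cert) -> bool:        # Figure 3, lower path
    return cert.processing_hash == processing_hash(
        cert.content_hash, cert.processing_outcome, cert.schema_version, cert.processing_timestamp)
def verify_with_payload(cert, payload: bytes) -> bool:   # Figure 3, upper path
    return content_hash(payload) == cert.content_hash and verify_without_payload(cert)

def gate(ledger, ch) -> bool:   # Figure 4: fail closed unless a valid ADMITTED cert exists
    cert = ledger.get(ch)
    if cert is None or not verify_without_payload(cert):
        return False                             # DENY EXECUTION; emit MissingCertificateRecord
    return cert.processing_outcome == "ADMITTED"
```

The in-place overwrite models the record-keeping step only: Python cannot guarantee that the interpreter or I/O layer holds no other copy of the buffer, so a production substrate would keep the payload in locked, non-swappable memory and wipe there.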

P34 – AIEP – Evidence Lifecycle Without Retention · Phatfella Ltd · piea.ai · OS PUB · Apache 2.0. Architecturally parallel to P14 (retention track). P34 = zero-retention track for personal data and Tier 4 user uploads.