ANCHORED BREACH RECEIPTS

Records the personal-data breach lifecycle — detection, assessment, DPA notification, subject notification, containment, and closure. Anchors the 72-hour Art. 33 reporting clock against an independently verifiable timestamp.

ABR · Shipped · 8 wire types · Apache-2.0 · CC0 spec

WIRE TYPES

ar.breach.v1 (breach.detected)

Records the moment a breach was detected. Carries a MANDATORY TSA timestamp — the 72-hour Art. 33 reporting clock starts here and is anchored to an independent time authority.

ar.breach.v1 (breach.assessed)

Records the risk assessment outcome — severity classification, categories of data affected, approximate number of data subjects, and likely consequences.

ar.breach.v1 (breach.dpa_notified)

Records that the supervisory authority was notified. References the DPA identifier and notification method.

ar.breach.v1 (breach.dpa_delayed)

Records a justified delay in DPA notification — the reason, legal basis, and expected notification date.

ar.breach.v1 (breach.subject_notified)

Records that affected data subjects were notified of the breach. Subject field carries the pseudonymous commit.

ar.breach.v1 (breach.subject_notification_exempted)

Records a justified exemption from subject notification — encrypted data, disproportionate effort, or public communication alternative per Art. 34(3).

ar.breach.v1 (breach.contained)

Records that containment measures have been applied. The breach chain remains open until closure.

ar.breach.v1 (breach.closed)

Records the formal closure of the breach lifecycle. Terminal event — the chain is complete.

WHAT IT PROVES

  • A breach was detected before a specific UTC time (MANDATORY TSA on detection event).
  • The 72-hour DPA notification deadline was met or a justified delay was recorded.
  • Data subjects were notified or a valid exemption was documented.
  • The complete breach lifecycle — from detection through containment to closure (chain walk).
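
An added example, not part of the ABR specification or the reference verifier: a chain walk that applies the lifecycle checks listed above to an ordered list of events. The field names `event`, `time` and `tsa` and both sample chains are assumptions constructed for illustration; signature and TSA token verification are out of scope here.

```python
from datetime import datetime, timedelta

ART33_WINDOW = timedelta(hours=72)  # Art. 33 reporting clock

def _t(ev):
    # Assumed field: "time" is ISO 8601 UTC; on breach.detected it stands for the TSA time.
    return datetime.fromisoformat(ev["time"])

def walk_chain(events):
    """Walk an ordered ABR chain; return findings (empty list = lifecycle consistent)."""
    if not events or events[0]["event"] != "breach.detected":
        return ["chain does not start with breach.detected"]
    findings, names = [], [e["event"] for e in events]
    if not events[0].get("tsa"):  # assumed flag: a TSA token is attached
        findings.append("breach.detected lacks the mandatory TSA timestamp")
    for prev, cur in zip(events, events[1:]):
        if _t(cur) < _t(prev):
            findings.append(f"{cur['event']} is timestamped before {prev['event']}")
    # The 72-hour clock starts at the anchored detection time.
    deadline = _t(events[0]) + ART33_WINDOW
    on_time = any(e["event"] == "breach.dpa_notified" and _t(e) <= deadline for e in events)
    if not on_time and "breach.dpa_delayed" not in names:
        findings.append("no DPA notification within 72 h and no recorded delay")
    if not {"breach.subject_notified", "breach.subject_notification_exempted"} & set(names):
        findings.append("no subject notification and no recorded exemption")
    if "breach.closed" not in names:
        findings.append("chain is still open (no breach.closed)")
    elif names[-1] != "breach.closed":
        findings.append("events follow the terminal breach.closed")
    return findings

def _ev(event, time, **extra):
    return {"event": event, "time": time + "+00:00", **extra}

# Constructed sample chains (not real receipts).
GOOD = [
    _ev("breach.detected", "2024-03-01T08:00:00", tsa=True),
    _ev("breach.assessed", "2024-03-01T15:00:00"),
    _ev("breach.dpa_notified", "2024-03-03T10:00:00"),  # 50 h after detection
    _ev("breach.subject_notified", "2024-03-04T09:00:00"),
    _ev("breach.contained", "2024-03-05T09:00:00"),
    _ev("breach.closed", "2024-03-20T09:00:00"),
]
LATE = [
    _ev("breach.detected", "2024-03-01T08:00:00", tsa=True),
    _ev("breach.dpa_notified", "2024-03-05T09:00:00"),  # 97 h after detection
    _ev("breach.subject_notification_exempted", "2024-03-05T10:00:00"),
]

if __name__ == "__main__":
    print(walk_chain(GOOD), walk_chain(LATE), sep="\n")
```

An empty result means only that the recorded lifecycle is internally consistent; it says nothing about the items listed under WHAT IT DOESN'T PROVE.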

WHAT IT DOESN'T PROVE

  • The breach assessment was thorough or accurate.
  • All affected data subjects were identified.
  • Containment measures were effective.
  • The root cause was properly remediated.

COMPOSES WITH

ABR receipts reference other family members via body-level composition pointers — verifier-coordinated, not signature-mandated.

ARR · Anchored Retention Receipts

Breach receipts may reference ARR events documenting the retention status of affected data.

ATR · Anchored Transfer Receipts

Cross-border breach notification may reference ATR receipts for the transfer mechanisms involved.

AER · Anchored Evaluation Receipts

Post-breach evaluation of AI system involvement may reference AER conformity receipts.

ANR · Anchored Notice Receipts

Subject notification events may reference ANR receipts for the breach notice delivered.

AAR · Anchored Attestation Receipts

DPA submissions requiring qualified e-signatures may reference AAR receipts for the QTSP issuance.

Verify any ABR receipt.

verify.dekimu.com

Paste any claim ID to verify a receipt, check its anchor, and inspect the issuer signature.

REFERENCES

GDPR Art. 33 — Notification to the supervisory authority (EUR-Lex)
GDPR Art. 34 — Communication to the data subject (EUR-Lex)
NIS2 Directive Art. 23 — Incident reporting (EUR-Lex)
DORA Art. 19 — ICT-related incident reporting (EUR-Lex)

Anchored Breach Receipts are cryptographic provenance and privacy-lifecycle protocols. verify.dekimu.com is a reference implementation, not a qualified trust service under Regulation (EU) No 910/2014 (eIDAS) or successor.