Independently verifiable evidence

LumenFlow seals each evidence anchor and has it independently timestamped by a trusted third-party authority using the RFC 3161 standard — so an auditor can confirm the evidence existed, unaltered, at a point in time without having to trust LumenFlow.

The problem with self-signed logs

Most audit logs are signed by the same vendor that produced them. That is enough to catch accidental corruption, but it does not answer the question a regulator or an enterprise auditor actually asks: how do I know this record was not written — or back-dated — after the fact? If the vendor holds the only key, the vendor could in principle re-issue the proof. The trust still rests entirely on the vendor.

What LumenFlow does differently

LumenFlow keeps a tamper-evident evidence chain: every governed action emits a receipt, and receipts are folded into an append-only chain with a single cryptographic root (a Merkle anchor) per workspace. Two independent signatures protect each anchor:

  1. An operator seal — LumenFlow's own signature over the anchor, proving it came from your workspace and has not changed since it was sealed.
  2. An independent external witness — the anchor's root is submitted to a trusted, publicly-recognised timestamping authority, which returns a signed timestamp token using the RFC 3161 internet standard. The authority currently in use is DigiCert, an established public certificate authority.

The witness token is stored alongside the anchor and can be re-verified offline, by anyone, against the authority's published certificates — no access to LumenFlow required.
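The check an auditor can run on their own copy of the receipts, as an added example (not LumenFlow's code): recompute the anchor root and compare it with the digest the timestamp token covers. The tree construction (RFC 6962 style), the receipt format, and the token imprint being the root itself are assumptions; validating the token's signature against the authority's certificates is a separate step, for example with `openssl ts -verify`.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample receipts; the real receipt format is not shown on this page.
RECEIPTS = [
    b'{"seq":1,"action":"task.claim","at":"2024-05-01T09:00:00Z"}',
    b'{"seq":2,"action":"gate.pass","at":"2024-05-01T09:05:00Z"}',
    b'{"seq":3,"action":"task.done","at":"2024-05-01T09:07:00Z"}',
]


def _leaf(data: bytes) -> bytes:
    # The 0x00 prefix keeps leaf hashes distinct from interior nodes (RFC 6962).
    return hashlib.sha256(b"\x00" + data).digest()


def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def merkle_root(receipts: list[bytes]) -> bytes:
    """RFC 6962 Merkle tree hash over the ordered receipts (assumed construction)."""
    if not receipts:
        return hashlib.sha256(b"").digest()
    if len(receipts) == 1:
        return _leaf(receipts[0])
    k = 1  # largest power of two strictly less than len(receipts)
    while k * 2 < len(receipts):
        k *= 2
    return _node(merkle_root(receipts[:k]), merkle_root(receipts[k:]))


def matches_witness(receipts: list[bytes], witnessed_imprint: bytes) -> bool:
    """True if the receipts still hash to the digest the authority timestamped."""
    return hmac.compare_digest(merkle_root(receipts), witnessed_imprint)


# Digest fixed at sealing time; assumed to be what the timestamp token covers.
WITNESSED = merkle_root(RECEIPTS)

# A back-dated edit and a silently dropped receipt both change the root.
backdated = [RECEIPTS[0], RECEIPTS[1].replace(b"09:05", b"08:05"), RECEIPTS[2]]
truncated = RECEIPTS[:2]

if __name__ == "__main__":
    for name, chain in [("original", RECEIPTS), ("backdated", backdated), ("truncated", truncated)]:
        print(name, matches_witness(chain, WITNESSED))
```

Because the witnessed digest is fixed inside a token signed by the authority, any receipt set that fails this comparison was changed after the timestamp was issued.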

Why the external witness matters

Because the timestamp is signed by an independent third party, it proves the evidence root existed at a specific moment in time and has not been altered since. Nobody — not even LumenFlow — can back-date, re-issue, or silently rewrite a witnessed anchor. The proof stands on the witness's signature, not on trusting us. That is the difference between "we say this happened" and "an independent authority confirms this existed by then."

What it proves — and what it does not

The witness proves existence at a point in time and integrity since. It does not, by itself, certify that the underlying work was correct or complete — that remains the job of the evidence chain itself (the append-only receipt history and its verifier). The witness defeats back-dating and after-the-fact tampering, which is exactly what auditors and regulators care about; it is not a quality judgement on the work, and it is not a substitute for a formal conformity assessment.

How it fits compliance

The external witness strengthens the record-keeping obligations under the EU AI Act Article 12: it turns each evidence bundle from a self-attested log into an independently anchored record. See EU AI Act Article 12 readiness for the full obligation-to-primitive mapping.

The witness is additive. If the timestamping authority is ever unreachable, anchors are still sealed and recorded — they are simply marked as awaiting their independent timestamp rather than being blocked. An anchor is only ever shown as "independently verified" once a valid third-party token has been checked.